Privacy Policy

Ecodia takes security seriously. This overview summarises our approach to safeguarding systems, data, and users. It complements our Data Processing Addendum and Responsible Disclosure program.

Our security framework aligns with industry best practices (ISO 27001, NIST CSF) and includes continuous monitoring, regular assessments, and layered controls across people, processes, and technology.

We maintain a formal Information Security Management System (ISMS) led by our Security & Compliance team. The ISMS covers policy, risk assessment, control design, and continuous improvement.

• Security and privacy policies reviewed annually or after material change.
• Executive accountability for security posture.
• Role-based responsibilities and least privilege enforcement.
• Employee background checks, onboarding training, and annual refreshers.

• Identity and Access Management (IAM) with MFA for all privileged roles.
• Principle of least privilege and separation of duties enforced through role-based permissions.
• Access reviews quarterly, with immediate revocation on role change or separation.
• System-to-system authentication using short-lived tokens or managed service identities.

• TLS 1.2+ enforced for all in-transit communications, including APIs and database connections.
• Data at rest encrypted using AES-256 or equivalent within our primary cloud storage systems.
• Key management handled via cloud-native KMS with strict access control and rotation.
• Secrets stored in a secure vault service and rotated periodically.

• Hosted on reputable cloud platforms with independently audited data centres.
• Network segmentation between environments (production, staging, development).
• Automated infrastructure provisioning with hardened configurations and patch management.
• 24/7 monitoring of uptime and performance metrics; autoscaling for resilience.
• DDoS protection, rate limiting, and WAF for public-facing endpoints.

• Centralised log aggregation with tamper-resistant storage and retention policy.
• Continuous monitoring for security events, anomalies, and indicators of compromise.
• Automated alerting integrated with incident response workflows.
• Regular review of audit trails and privileged actions.

We maintain a formal incident response plan aligned with the NIST 800-61 framework. Security incidents are triaged, investigated, contained, and remediated promptly, with communication to stakeholders as appropriate.

• 24/7 alerting and on-call escalation for critical events.
• Defined severity levels and response SLAs.
• Post-incident reviews (“lessons learned”) to prevent recurrence.
• Notification to affected Controllers in line with contractual and legal obligations.

Security and privacy are intertwined. We implement access controls, anonymisation, and data minimisation across our systems. Data retention aligns with legal and operational needs, and deletion is enforced through automated lifecycle policies.

• Encryption at rest and in transit for all personal data.
• Strict logical separation of customer data in multi-tenant environments.
• Regular privacy impact reviews for new features.

• Secure coding standards aligned with OWASP Top 10 and ASVS Level 2.
• Peer review for all code merges; automated CI/CD pipelines with linting and static analysis.
• Dependency scanning, SCA, and patching for third-party components.
• Secrets excluded from source control; environment-based configuration only.

• Disaster Recovery (DR) plans maintained and tested annually.
• Data backups taken daily, encrypted, and stored in geographically redundant regions.
• Defined RPO (≤24h) and RTO (≤4h) objectives for critical services.
• BCP procedures include succession planning, remote-work readiness, and critical vendor contingency.

• Regular internal security assessments and vulnerability scans.
• Annual third-party penetration testing of applications and APIs.
• Tracking and timely remediation of all high/critical findings.
• Periodic audit of security controls with documented evidence and management review.

For security-related inquiries or vulnerability reports, contact connect@ecodia.au. Researchers can also refer to our Responsible Disclosure guidelines.