Security & Privacy Policy

Our Commitment to Security

DSX is committed to protecting the privacy and security of all personal information in accordance with Australian privacy laws, the Information Security Manual (ISM), and NDIS Quality and Safeguards requirements.

Data Encryption

AES-256 encryption for data at rest using Google Cloud KMS. TLS 1.3 for all data in transit. Encrypted backups with geographic redundancy.

Access Control

Multi-factor authentication (MFA), role-based access control (RBAC), session management, and IP-based restrictions for sensitive operations.

Compliance & Auditing

Full compliance with APP, ISM controls, WCAG AAA accessibility, and comprehensive audit logging of all system activities.

Infrastructure Security

Australian-hosted servers (Google Cloud Sydney/Melbourne regions), 24/7 monitoring, automated threat detection, and DDoS protection.

Comprehensive Security Framework

Infrastructure & Cloud Security

  • Data Sovereignty: All data stored exclusively in Australian data centers (Sydney/Melbourne regions)
  • Google Cloud Platform: Enterprise-grade security with ISO 27001, SOC 2/3 certifications
  • Network Security: Web Application Firewall (WAF), DDoS protection, rate limiting
  • Backup Strategy: Daily encrypted backups with 30-day retention, point-in-time recovery
  • Disaster Recovery: RPO of 24 hours, RTO of 4 hours, tested quarterly
  • Monitoring: 24/7 automated monitoring with Sentry, Cloud Monitoring, and custom alerts

Application Security Controls

  • Authentication: NextAuth.js with secure session management, password complexity requirements
  • Authorization: Role-based access control (Admin, Coordinator, Provider, Member tiers)
  • CSRF Protection: Token-based protection on all state-changing operations
  • Input Validation: Server-side validation, SQL injection prevention via Prisma ORM
  • XSS Prevention: Content Security Policy (CSP), output encoding, React's built-in protections
  • API Security: Rate limiting, authentication required, audit logging
  • Dependency Management: Automated vulnerability scanning, regular updates
  • Code Security: Static analysis, peer review process, no hardcoded secrets

Privacy & Data Protection (APP Compliance)

  • Collection: Only collect necessary information with explicit consent
  • Use & Disclosure: Data used only for stated purposes, no third-party sharing without consent
  • Data Quality: Regular data accuracy reviews, user-accessible correction mechanisms
  • Data Security: Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Access & Correction: Users can view, download, and request corrections to their data
  • Cross-border: No data transfers outside Australia
  • Retention: Data retained per legal requirements, secure deletion after retention period
  • Anonymization: PII removed from analytics and reporting data

Organizational Security Measures

  • Staff Vetting: Background checks, confidentiality agreements, NDIS Worker Screening where required
  • Training: Annual security awareness training, phishing simulations
  • Access Management: Principle of least privilege, regular access reviews
  • Physical Security: Secure facilities, clean desk policy, device encryption
  • Vendor Management: Security assessments for third-party services
  • Change Management: Formal approval process for system changes

Incident Response & Breach Management

Data Breach Response Plan (Notifiable Data Breaches Scheme)

1. Immediate Response (0-4 hours)

  • Contain the breach and secure affected systems
  • Activate incident response team
  • Preserve evidence for investigation
  • Initial assessment of scope and impact

2. Assessment (4-24 hours)

  • Determine if breach is likely to result in serious harm
  • Identify affected individuals and data types
  • Document timeline and breach circumstances
  • Assess risk of serious harm using OAIC guidelines

3. Notification (Within 72 hours if eligible)

  • Notify OAIC if breach meets notification threshold
  • Notify affected individuals promptly
  • Provide breach details and recommended actions
  • Update website with breach statement if required

4. Remediation & Review

  • Implement measures to prevent recurrence
  • Conduct post-incident review
  • Update security controls and procedures
  • Provide support to affected individuals

Compliance & Certifications

  • Privacy Act 1988: Full compliance with Australian Privacy Principles (APP)
  • Notifiable Data Breaches (NDB) Scheme: Established procedures for breach assessment and notification
  • Information Security Manual (ISM): Implementation of Essential Eight and additional controls
  • NDIS Practice Standards: Compliance with Quality and Safeguards Commission requirements
  • WCAG 2.1 AAA: Highest level of web accessibility compliance
  • PCI DSS: Payment card data handled per industry standards (where applicable)

Security Governance

  • Security Committee: Monthly security review meetings
  • Risk Management: Quarterly risk assessments and mitigation planning
  • Penetration Testing: Annual third-party security assessments
  • Vulnerability Management: Monthly scanning and patching cycles
  • Incident Metrics: Track and report on security incidents and response times
  • Compliance Audits: Annual compliance reviews against APP, ISM, and NDIS standards

Your Rights & Our Obligations

Under Australian Privacy Law, you have the right to:

  • Access personal information we hold about you
  • Request correction of inaccurate information
  • Request deletion (subject to legal requirements)
  • Lodge a complaint with us or the OAIC
  • Opt-out of marketing communications
  • Request information about how your data is used

Privacy Officer Contact: privacy@dsx.org.au | 1800 XXX XXX

Security Contact Information

Report Security Vulnerabilities

Email: security@dsx.org.au

We follow responsible disclosure practices and appreciate security researchers who report issues privately.

Privacy Inquiries

Email: privacy@dsx.org.au

For access requests, corrections, or privacy complaints.

Last Updated: September 2024 | Review Cycle: Quarterly | Next Review: December 2024

This security policy is reviewed quarterly and updated to reflect current threats, compliance requirements, and best practices. For the most current version, please visit this page or contact our security team.