1. Infrastructure Security
AuditDSS runs on a fully serverless architecture with no persistent servers to compromise. Every component is designed for isolation, immutability, and automated recovery.
Serverless Compute
AWS Lambda: no SSH, no long-lived OS to harden, and no host patching on our side (AWS maintains the runtime and host; application dependencies are covered under Dependency Management below). Functions execute in isolated execution environments that the platform creates and recycles. Lambda may reuse an environment for later invocations of the same function, so function code must not leave request data in module-level state or /tmp between invocations.
Immutable Deployments
All infrastructure deployed via versioned scripts with no manual access to production. Every deployment is a fresh, versioned artifact — never patched in place.
Tenant Isolation
Each customer's assessment data is stored in logically isolated environments. No cross-account data access is possible at the infrastructure level.
Infrastructure as Code
All cloud resources are defined declaratively in version-controlled Terraform configuration. No manual configuration; any drift between the declared and live state shows up in the next Terraform plan; full auditability through version history.
Zero Standing Access: No engineer has persistent access to production systems. All access is just-in-time, audited, and automatically revoked after the session ends.
2. Data Protection
All data is protected with industry-standard encryption at every stage of its lifecycle.
Encryption Layers
In Transit
All communications between clients and our APIs use TLS 1.3 with forward secrecy.
At Rest
All stored data (assessment results, uploaded documents, user data, and backups) is encrypted with AES-256, with keys managed in AWS KMS.
In Processing
Document processing runs in isolated Lambda execution environments. Data is held in memory for the duration of the invocation and is not retained in the environment after the invocation completes.
Data Classification
| Classification | Examples | Protection |
|---|---|---|
| Critical | API keys, passwords, JWT secrets | Encrypted, vault-stored, never logged |
| Confidential | Uploaded documents, assessment results, compliance reports | Encrypted at rest, tenant-isolated, access-controlled |
| Internal | Usage analytics, system metrics, audit logs | Encrypted at rest, access-controlled |
| Public | Regulatory text, marketing content, pricing | Integrity-verified, CDN-cached |
3. Authentication & Access Control
Password Security
Passwords are hashed with bcrypt (cost factor 12, per-password salt). We never store plaintext passwords. Password strength requirements are enforced at registration.
Session Management
Authentication uses signed JWTs carrying an expiry claim. Every request re-checks the token's signature and expiry; sessions expire after inactivity.
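The checks that "validated on every request" has to mean, as an added example with only the Python standard library (this is illustrative code, not AuditDSS's implementation; the signing key, the 30-minute idle window and the claim names are assumptions made here). The order of checks is the point: pin the algorithm before trusting anything in the header, compare the signature in constant time, and only then read the claims and enforce expiry.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demonstration; a real deployment loads the key from a vault.
SECRET = b"example-hs256-key-not-for-production"
MAX_IDLE_SECONDS = 30 * 60          # assumption: sessions lapse after 30 minutes idle


class TokenError(Exception):
    """Raised for any invalid token; the reason is for logs, not for the client."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, tenant: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT whose exp is one idle window after now."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "tenant": tenant, "iat": now, "exp": now + MAX_IDLE_SECONDS}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token, else raise TokenError.

    The algorithm is pinned before anything else is read, so an 'alg: none'
    header or an RS256/HS256 confusion attempt is rejected outright; the
    signature is compared in constant time; the claims are trusted only after
    the signature check, and exp is enforced last.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise TokenError("malformed header")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("algorithm not allowed")
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed signature")
    if not hmac.compare_digest(expected, provided):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired")
    return claims


def refresh_if_active(token: str, now: Optional[float] = None) -> str:
    """Sliding expiry: a request carrying a still-valid token gets a fresh one."""
    claims = verify_token(token, now)
    return issue_token(claims["sub"], claims["tenant"], now)
```

A production service would use a maintained JWT library rather than this code, but the library must be configured the same way: an explicit allow-list of algorithms, the key chosen by the server rather than by the token header, and expiry checked against a clock the client does not control.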
API Security
All API endpoints require authentication. Rate limits are enforced per user. CORS headers permit only authorized origins, so browsers block cross-origin reads from any other site.
Role-Based Access
Internal systems use RBAC with the principle of least privilege. Production database access requires explicit authorization and is fully audited.
4. Network Security
Multiple layers of network protection shield the platform from external threats.
DDoS Protection
Cloudflare DDoS mitigation with automatic traffic scrubbing. 330+ edge locations absorb volumetric attacks before they reach our infrastructure.
Web Application Firewall
Cloudflare WAF filters SQL injection, XSS, and other OWASP Top 10 attack patterns before they reach the origin; rules are updated continuously against emerging threats. The WAF is a layer in front of the application-level validation described in section 6, not a substitute for it.
Rate Limiting
Rate limiting at the edge and in the application prevents abuse and brute-force attacks: per-IP and per-user limits with automatic throttling.
5. Document Security
Your compliance documents receive special handling throughout the assessment lifecycle:
Upload Security
Documents are uploaded over TLS 1.3 directly to encrypted storage. File type and size limits are enforced before a document is accepted.
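What a file-type check should look at, as an added example (illustrative code, not AuditDSS's upload pipeline; the 20 MiB limit, the accepted types and the sample files are assumptions constructed here). The filename extension and the Content-Type header are both chosen by the client, so the check reads the content: leading bytes for every type, and for .docx, which is a zip container, the OOXML parts that a renamed .zip or .jar would lack, plus a refusal of archive entries that point outside the extraction root.

```python
import io
import zipfile
from typing import Iterable

MAX_UPLOAD_BYTES = 20 * 1024 * 1024          # assumption: 20 MiB per document

# Leading bytes for each accepted extension, taken from the formats' specifications.
MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",                   # OOXML is a zip container
}


class UploadRejected(ValueError):
    """Raised with a short reason that is safe to return to the uploader."""


def _check_docx(data: bytes) -> None:
    # Every zip starts with PK; require the OOXML parts so a renamed .jar or .zip is refused,
    # and refuse entry names that would escape an extraction directory.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        raise UploadRejected("corrupt archive")
    if "[Content_Types].xml" not in names or "word/document.xml" not in names:
        raise UploadRejected("not a Word document")
    for name in names:
        if name.startswith("/") or ".." in name.split("/"):
            raise UploadRejected("unsafe entry path in archive")


def validate_upload(filename: str, data: bytes) -> str:
    """Return the accepted type for this upload, or raise UploadRejected."""
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds size limit")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        raise UploadRejected("file type not accepted")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match declared type")
    if ext == "docx":
        _check_docx(data)
    return ext


def make_sample_zip(entry_names: Iterable[str]) -> bytes:
    """Constructed in-memory zip with the given entry names, for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, "<placeholder/>")
    return buf.getvalue()
```

The size check runs before any parsing so that an oversized archive is never opened; a full pipeline would additionally cap the uncompressed size of each archive entry before extracting it.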
Processing Isolation
Each document is processed in its own Lambda invocation. Document data is not retained in the execution environment after the invocation completes.
AI & LLM Data Privacy
Assessment analysis is powered by enterprise-grade large language models via API. Your document data is never used for model training. Our LLM provider (xAI) automatically deletes all API inputs and outputs within 30 days; during that period they are retained only for safety monitoring. Only document text is sent, never your account information or other assessment data. See our DPA for full details.
Retention & Deletion
Uploaded documents are retained only for the duration needed for assessment. You can delete documents at any time via your account. All copies (including backups) are purged within 30 days of deletion.
6. Application Security
Input Validation
All user inputs are validated and sanitized at the API boundary. Parameterized queries prevent SQL injection. Output encoding prevents XSS.
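The two controls above that depend on how queries are written, the tenant isolation of section 1 and the parameterized queries here, as one added example using Python's built-in sqlite3 (illustrative code, not AuditDSS's data layer; the table, the sample rows and the tenant identifiers are constructed here). The vulnerable function is kept beside the hardened one to show the failure it prevents: with string formatting, a search term can comment out the tenant filter and return every tenant's rows. The hardened version keeps user input as bound data, takes the tenant identifier from the verified session rather than from the request, and also escapes LIKE wildcards so a search for "%" cannot match everything.

```python
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed sample database: assessments belonging to two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE assessments ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO assessments (tenant_id, title) VALUES (?, ?)",
        [
            ("tenant-a", "ISO 27001 gap analysis"),
            ("tenant-a", "SOC 2 readiness"),
            ("tenant-b", "PCI DSS scope review"),
        ],
    )
    return conn


def find_titles_vulnerable(conn: sqlite3.Connection, tenant_id: str, search: str) -> List[str]:
    """Deliberately vulnerable: the search term is spliced into the SQL text."""
    sql = (
        f"SELECT title FROM assessments WHERE tenant_id = '{tenant_id}' "
        f"AND title LIKE '%{search}%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term: str) -> str:
    # Backslash is declared as the escape character in the query below.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_titles(conn: sqlite3.Connection, session_tenant_id: str, search: str) -> List[str]:
    """Hardened: placeholders bind both values, and the tenant comes from the session."""
    sql = (
        "SELECT title FROM assessments WHERE tenant_id = ? "
        "AND title LIKE ? ESCAPE '\\' ORDER BY id"
    )
    pattern = "%" + _escape_like(search) + "%"
    return [row[0] for row in conn.execute(sql, (session_tenant_id, pattern))]
```

The injection payload used in the check below, `' OR 1=1 --`, turns the vulnerable query's WHERE clause into `tenant_id = 'tenant-a' AND title LIKE '%' OR 1=1`, which returns the other tenant's row as well; the bound version searches for that literal string and returns nothing.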
Dependency Management
Automated dependency scanning identifies vulnerable packages. Critical vulnerabilities are patched within 24 hours of disclosure.
Code Review
All code changes go through review before deployment. Automated security linting catches common vulnerability patterns.
Error Handling
Errors are logged internally with full context for debugging. User-facing error messages never expose internal system details, stack traces, or database structure.
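A handler wrapper that keeps the two audiences apart, as an added example in the shape of an AWS Lambda proxy-integration response (illustrative code, not AuditDSS's handler; the header names redacted and the response format are assumptions made here). Internal errors are logged with the stack trace and the request, with credential-bearing headers masked so the "never logged" rule for critical data in section 2 holds even in error paths; the client receives a fixed message and a request identifier it can quote to support.

```python
import json
import logging
import traceback
import uuid
from typing import Callable

log = logging.getLogger("api")

# Header names that carry secrets; masked before any request is written to a log.
REDACT_HEADERS = {"authorization", "cookie", "x-api-key"}


class ApiError(Exception):
    """An error whose message was written for the client (not found, forbidden, ...)."""

    def __init__(self, status: int, public_message: str):
        super().__init__(public_message)
        self.status = status
        self.public_message = public_message


def redact_for_log(event: dict) -> dict:
    """Copy of the request safe to log: secrets masked, body replaced by its size."""
    safe = dict(event)
    headers = event.get("headers") or {}
    safe["headers"] = {
        name: ("[redacted]" if name.lower() in REDACT_HEADERS else value)
        for name, value in headers.items()
    }
    safe.pop("body", None)              # uploaded content never goes into logs
    safe["body_bytes"] = len(event.get("body") or "")
    return safe


def _respond(status: int, body: dict) -> dict:
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def handle(event: dict, work: Callable[[dict], dict]) -> dict:
    """Run work(event); internal failures are logged in full but answered generically."""
    request_id = (event.get("requestContext") or {}).get("requestId") or str(uuid.uuid4())
    try:
        return _respond(200, work(event))
    except ApiError as err:
        log.info("request %s rejected: %s", request_id, err.public_message)
        return _respond(err.status, {"error": err.public_message, "request_id": request_id})
    except Exception:
        # Everything a responder needs stays server-side: trace plus redacted request.
        log.error(
            "request %s failed\n%s\nevent=%s",
            request_id, traceback.format_exc(), json.dumps(redact_for_log(event)),
        )
        return _respond(500, {
            "error": "Internal error. Quote the request_id when contacting support.",
            "request_id": request_id,
        })
```

The split between ApiError and every other exception is what makes the generic message safe to rely on: only messages deliberately written for the client ever reach the response body, so a database driver's error text or a traceback cannot leak through a forgotten except clause.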
7. Incident Response
We maintain a documented incident response plan with clear escalation procedures:
Detection
< 1 hour
Automated monitoring and alerting detects anomalies across all platform components.
Containment
< 4 hours
Immediate isolation of affected systems. Revocation of compromised credentials. Preservation of forensic evidence.
Notification
< 72 hours
Affected users are notified within 72 hours. This meets the GDPR's 72-hour deadline for notifying the supervisory authority and the Australian Notifiable Data Breaches scheme's requirement to notify as soon as practicable.
Recovery
As needed
Root cause analysis, system restoration, and implementation of preventive measures.
8. Business Continuity
Automated Backups
Database backups run daily with 35-day retention. Point-in-time recovery available to the second for the last 7 days.
Multi-AZ Deployment
Database deployed across multiple availability zones. Automatic failover in case of AZ-level outage.
Edge Caching
Static assets and the landing page served from Cloudflare's global edge network (330+ locations). Available even during origin outages.
Disaster Recovery
Documented recovery procedures with defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets.
9. Compliance & Standards
Our platform and practices align with the following frameworks and regulations:
Privacy Act 1988
Australian Privacy Principles (APPs)
GDPR
EU General Data Protection Regulation
CCPA
California Consumer Privacy Act
NDB Scheme
Australian Notifiable Data Breaches
OWASP Top 10
Web application security standards
PCI-DSS (via Stripe)
Payment security (Level 1 certified processor)
10. Responsible Disclosure
We welcome responsible security research. If you discover a vulnerability in our platform:
Report To
hello@auditdss.com
What to Include
- Description of the vulnerability and its potential impact
- Steps to reproduce (proof of concept if possible)
- Any tools, scripts, or screenshots used
Our Commitments
- Acknowledge receipt within 2 business days
- Provide an initial assessment within 5 business days
- No legal action against good-faith security researchers
- Credit in our security acknowledgements (if desired)
Please do NOT: Access or modify other users' data, perform denial-of-service testing, use automated vulnerability scanners without prior authorization, or publicly disclose vulnerabilities before we have had a reasonable opportunity to address them.
Security Contact
For security concerns, vulnerability reports, or questions about our security practices:
QuestFeed Pty Ltd
Email: hello@auditdss.com
Document Version: 1.0 | Effective: March 2026