Effective Date: 1 March 2026
Last Updated: 1 March 2026
Version: 1.1
At ISO Mate, we take the security of your data seriously. This page describes the technical and organisational measures we have in place to protect the information you entrust to our platform. If you have questions about our security practices, please contact us at security@isomate.io.
ISO Mate has completed a Cloud Application Security Assessment (CASA) Tier 2 evaluation conducted by TAC Security, a Google-authorised assessor. CASA Tier 2 involves an independent security assessment of cloud applications requesting access to sensitive Google user data. Following this assessment, our Google Cloud project was reviewed and approved by Google. ISO Mate is ESOF Shield Certified, reflecting our commitment to maintaining robust application security standards and protecting customer data.

Infrastructure Security
ISO Mate’s infrastructure is hosted on Amazon Web Services (AWS) in the ap-southeast-2 (Sydney, Australia) region. Our architecture uses a Virtual Private Cloud (VPC) with security groups to control network access and isolate internal services from the public internet. Only the necessary endpoints are exposed through the Application Load Balancer, and all other resources reside in private subnets.
Cross-Origin Resource Sharing (CORS) restrictions are enforced on all API endpoints to ensure that only authorised origins can interact with the platform.
Encryption
At Rest
All data stored on the platform is encrypted at rest:
- Databases: Aurora Serverless v2 and DocumentDB instances are encrypted using AWS-managed encryption keys.
- Object storage: Amazon S3 buckets use S3-managed encryption (SSE-S3) to encrypt all stored objects.
- File storage: Amazon Elastic File System (EFS) volumes are encrypted at rest using AWS-managed encryption.
In Transit
All data transmitted between users and the platform, and between internal services, is encrypted in transit using TLS (SSL/TLS). TLS is enforced on all S3 buckets and service endpoints; unencrypted connections are not accepted.
Authentication and Access Control
ISO Mate implements multiple layers of authentication and access control to protect user accounts and platform data:
- Token-based authentication: The platform uses Laravel Sanctum for token-based API authentication. Tokens are issued upon login and are required for all authenticated API requests.
- Role-based access control (RBAC): Each account has configurable roles with granular permissions. Administrators can define exactly which actions each role is allowed to perform across all platform modules.
- Two-factor authentication (2FA): Users can enable TOTP-based two-factor authentication for their accounts. Recovery codes are provided during setup to ensure account access is not lost if the authenticator device is unavailable.
- Google OAuth: Users can sign in using their Google account via OAuth 2.0 integration, providing a secure single sign-on option.
- Account lockout: After repeated failed login attempts, accounts are temporarily locked to mitigate brute-force attacks against user credentials.
- Password history: The platform enforces password history rules to prevent users from reusing recent passwords.
Data Isolation
ISO Mate is a multi-tenant platform. Each customer’s data is logically isolated at the account level. All database queries are scoped to the active account, ensuring that users can only access data belonging to their own organisation. This account-level isolation is enforced at the application layer across every API endpoint and data access operation.
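The account-level scoping described above is typically implemented in a Laravel application as a global query scope attached to every tenant-owned model, so that the restriction lives in the data layer rather than in each endpoint. The following is an added illustrative example and is not ISO Mate's own code; it assumes a hypothetical `current_account_id` attribute on the authenticated user and an `account_id` column on tenant tables.

```php
<?php
// Added illustrative example, not ISO Mate's code. Assumes a Laravel/Eloquent
// application in which the active account is resolved from the authenticated
// user's (hypothetical) current_account_id attribute and tenant tables carry
// an account_id column.

namespace App\Models\Concerns;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

// Global scope: every query on a model that uses it gains
// "WHERE <table>.account_id = <active account>" automatically.
class AccountScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $accountId = self::currentAccountId();

        if ($accountId === null) {
            // Fail closed: with no active account, no tenant rows are visible,
            // rather than falling back to an unscoped (cross-tenant) query.
            $builder->whereRaw('1 = 0');
            return;
        }

        // qualifyColumn() prefixes the table name so the constraint stays
        // unambiguous when the query joins other tenant tables.
        $builder->where($model->qualifyColumn('account_id'), $accountId);
    }

    public static function currentAccountId(): ?int
    {
        $user = auth()->user();

        return $user?->current_account_id; // hypothetical attribute
    }
}

// Trait applied to every tenant-owned model.
trait BelongsToAccount
{
    public static function bootBelongsToAccount(): void
    {
        static::addGlobalScope(new AccountScope());

        // Stamp new rows with the active account on insert, overriding any
        // client-supplied account_id so a request cannot write into another
        // tenant's data.
        static::creating(function (Model $model): void {
            $model->account_id = AccountScope::currentAccountId();
        });
    }
}

// Example tenant-owned model (hypothetical).
class Document extends Model
{
    use BelongsToAccount;
}

// In a controller, Document::findOrFail($id) now yields 404 for any id that
// belongs to a different account, with no per-endpoint where clause needed.
```

Because the constraint is attached at the model level, a new endpoint that forgets an explicit account filter still cannot return another organisation's rows. Any administrative code that deliberately bypasses the scope (for example via `withoutGlobalScope(AccountScope::class)`) should be treated as a privileged path and covered by audit logging.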
Audit and Monitoring
The platform maintains comprehensive audit and monitoring capabilities:
- Audit logging: User actions within the platform are recorded in audit logs, providing a detailed trail of who did what and when.
- Login attempt tracking: All login attempts, both successful and failed, are recorded with timestamps and relevant metadata.
- Consent records: Records of user consent (such as cookie consent and terms acceptance) are stored for compliance and accountability purposes.
- CloudWatch monitoring: AWS CloudWatch is used to monitor infrastructure health, application performance, and operational metrics in real time.
- SNS alerting: Amazon Simple Notification Service (SNS) is configured to send alerts when monitoring thresholds are breached, enabling rapid response to potential issues.
Secrets Management
All credentials, API keys, database passwords, and other sensitive configuration values are stored in AWS Secrets Manager. No secrets are stored in application code, configuration files, or environment variables committed to version control. Secrets are retrieved securely at runtime by the application infrastructure.
Data Storage and Retention
ISO Mate applies the following storage and retention practices:
- S3 versioning: Object versioning is enabled on S3 buckets used for file uploads, protecting against accidental deletion or overwriting of files.
- EFS lifecycle: Files stored on Amazon EFS that have not been accessed for 30 days are automatically transitioned to infrequent access storage to optimise costs while retaining availability.
- ALB access logs: Application Load Balancer access logs are retained for 30 days, then automatically deleted.
- CI/CD artifacts: Build and deployment artifacts are retained for 30 days, then automatically deleted.
- Audit logs and consent records: Retained indefinitely for compliance and accountability purposes.
Vulnerability Management
We are committed to maintaining the security of our platform through proactive vulnerability management:
- Dependency updates: Application dependencies are regularly reviewed and updated to incorporate security patches.
- Infrastructure patching: AWS-managed services receive automatic security patches. Container images and runtime environments are updated as part of our deployment pipeline.
- Responsible disclosure: If you discover a security vulnerability in ISO Mate, we encourage you to report it responsibly. Please contact us at security@isomate.io with details of the vulnerability. We will acknowledge receipt, investigate the report, and work to resolve confirmed issues promptly. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
Contact
For questions, concerns, or reports related to security, please contact us at: security@isomate.io