Security Policy
TransferToAI Pty Ltd
Last Updated: November 3, 2025
Effective Date: November 3, 2025
Jurisdiction: Australia, Queensland
All data transmitted over the internet is protected with industry-leading encryption standards.
Table of Contents
Data Encryption (Transit & Rest)
Access Controls & Authentication
Infrastructure Security
Vulnerability Management & Penetration Testing
Incident Response & Monitoring
Employee Security Procedures
Reporting Security Vulnerabilities
Compliance Certifications
1. Data Encryption
1.1 Encryption in Transit (Network Communication)
HTTPS & TLS Standards:
TLS 1.3 minimum – All communication encrypted (upgraded from TLS 1.2)
HTTPS-only – Zero HTTP fallback allowed (enforced via HSTS header)
Encrypted API connections – Certificate pinning for critical endpoints
Secure WebSocket (WSS) – TLS 1.3 minimum for real-time communication
Perfect forward secrecy enabled – Ephemeral session keys are discarded once the session ends, so a later compromise of the server's long-term key cannot decrypt recorded past traffic
OCSP stapling – The server delivers a signed revocation status with its certificate, so clients validate it without contacting the CA's OCSP responder
Cipher Suites:
RFC-approved: TLS_AES_256_GCM_SHA384 (primary), TLS_CHACHA20_POLY1305_SHA256 (fallback)
Deprecated/weak algorithms blocked: RC4, MD5, SHA-1, DES
Certificate Management:
Certificate Authority: DigiCert or equivalent (CA/X Root 4)
Domain validation: Annual renewal (auto-renewed 90 days prior)
Certificate pinning: API clients cache the expected public key, so a MITM presenting a mis-issued or forged certificate is rejected
OCSP Must-Staple: Clients reject a connection that lacks a fresh stapled OCSP response, so revocation checking cannot be silently bypassed
1.2 Encryption at Rest (Storage)
Database Encryption:
Algorithm: AES-256-GCM (Galois/Counter Mode) – authenticated encryption (confidentiality plus integrity)
Database: PostgreSQL with pgcrypto extension
Application-level encryption: PII encrypted before storage (name, phone, audio paths)
Column-level encryption: Sensitive fields encrypted individually
Cloud Storage Encryption:
AWS S3 encryption: Server-side encryption (AES-256)
Backup systems: Encrypted offsite copies (separate from operational backups)
Glacier archives: Long-term retention (encrypted, 90-day backups)
Key Management:
Master keys: Stored in AWS Secrets Manager (HSM-backed)
Key rotation: Annual rotation with versioning (no keys discarded, so data encrypted under earlier key versions remains decryptable)
Key access: Restricted to minimum necessary staff (DBA only)
Compromised keys: Immediate revocation & re-encryption procedure (48 hours)
1.3 Encryption Standards Compliance
Standard | Implementation
Algorithm strength | AES-256 (256-bit keys = 2^256 possible combinations)
FIPS 140-2 Level 2 equivalent | Military-grade encryption
No deprecated encryption | MD5, SHA-1, DES, 3DES all prohibited
Annual audit | External security firm verifies encryption implementation
2. Access Controls & Authentication
2.1 Multi-Factor Authentication (MFA)
MFA is Supported via Multiple Methods:
Method | Details
TOTP | Time-based One-Time Password (Google Authenticator, Authy, Microsoft Authenticator)
SMS 2FA | SMS code delivery (backup only)
Hardware keys | YubiKey, Google Titan (recommended for admin)
Backup codes | Issued during setup (single-use, encrypted)
MFA Enforcement:
Required for ALL clinics, all staff, all admin users
Cannot disable
Accounts locked if MFA disabled (even by admin)
Recovery codes stored securely & printed during setup only
2.2 Role-Based Access Control (RBAC)
Predefined Roles:
Role | Permissions | Use Case
Super Admin | All CRUD (Create, Read, Update, Delete) | TransferToAI internal staff only
Admin | Clinic data, user management, reports, billing | Clinic owner/manager
Manager | Call logs, staff management, limited reports | Clinic manager
Support | View-only, limited interactions (audit-logged) | Clinic support staff
Viewer | View-only, no modifications | External consultants, auditors
RBAC Implementation:
Principle of Least Privilege: Default zero permissions; explicit grant required
Permission matrix: Every resource has CRUD permissions (Create, Read, Update, Delete)
Audit log: Every permission grant/revoke tracked with timestamp & granter
2.3 Session Management
Session Configuration:
Control | Setting
Inactivity timeout | 30 minutes (auto-logout)
Concurrent session limit | Max 3 active sessions per user
Session token | Encrypted, 12-hour maximum lifetime
Device fingerprinting | Browser/OS changes trigger re-authentication
Session Termination:
Voluntary logout: Clears token immediately
Forced logout: Inactivity timeout (no warning)
Concurrent session limit: Oldest session auto-terminated if new login detected
2.4 Password Security
Password Policy:
Policy | Requirement
Minimum length | 12 characters (longer = stronger)
Character requirements | Mixed case (A-Z, a-z), numbers (0-9), symbols (!)
Hashing | PBKDF2 with 100,000 iterations + salt
Password history | Last 5 passwords cannot be reused
Expiration | Every 90 days (optional for high-security)
Failed Login Protection:
Failed attempt limit: 5 failed attempts = account lockout
Lockout duration: 15 minutes (automatic unlock)
Notification: Email sent on failed login attempts (security alert)
IP-based: Multiple failed attempts from different IPs trigger additional scrutiny
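As an added illustration (not TransferToAI's implementation) of the password controls in 2.4, this Python sketch enforces the 12-character/mixed-character rules, stores passwords as salted PBKDF2 hashes with 100,000 iterations, rejects reuse of the last five passwords and locks an account for 15 minutes after five failed attempts. The SHA-256 PRF, the 16-byte salt and the Account class layout are assumptions not stated in the policy.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # policy 2.4: PBKDF2 with 100,000 iterations + salt
HISTORY_DEPTH = 5             # policy 2.4: last 5 passwords cannot be reused
MAX_FAILED = 5                # policy 2.4: 5 failed attempts = account lockout
LOCKOUT_SECONDS = 15 * 60     # policy 2.4: 15-minute automatic unlock

def policy_violations(password: str) -> list:
    """Return the policy rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(password) < 12:
        problems.append("minimum length 12")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("mixed case required")
    if not any(c.isdigit() for c in password):
        problems.append("number required")
    if not any(not c.isalnum() for c in password):
        problems.append("symbol required")
    return problems

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh 16-byte salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt   # assumption: 128-bit salt, SHA-256 PRF
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class Account:
    def __init__(self, password: str):
        self.history = []          # (salt, digest) pairs, newest last; reuse check looks back 5
        self.failed = 0
        self.locked_until = 0.0
        if self.change_password(password) != "ok":
            raise ValueError("initial password violates policy")

    def change_password(self, new: str) -> str:
        """Return 'ok', 'policy' or 'reused'."""
        if policy_violations(new):
            return "policy"
        # Each stored hash has its own salt, so the candidate is re-derived per history entry.
        if any(matches(new, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            return "reused"
        self.history.append(hash_password(new))
        return "ok"

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'; now is a Unix timestamp in seconds."""
        if now < self.locked_until:
            return "locked"
        if matches(password, *self.history[-1]):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED:   # fifth consecutive failure starts the 15-minute lockout
            self.failed, self.locked_until = 0, now + LOCKOUT_SECONDS
        return "bad_password"
```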
2.5 Account Monitoring & Anomaly Detection
Suspicious Activity Triggers:
Multiple failed login attempts (5 in 1 hour)
Unusual geolocation (if clinic outside Australia, login from unexpected country)
Access to sensitive records outside business hours (e.g., 3 AM access)
Bulk data exports (1,000 records in single download)
IP address changes mid-session (potential account hijacking)
Concurrent sessions from different IPs (simultaneous logins)
Automated Response:
Immediate alert email to clinic admin & security team
Session termination if risk confirmed
Temporary account freeze if compromise suspected
Password reset required (re-authentication mandatory)
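The triggers listed in 2.5, implemented over constructed audit events as an added example (not the company's own detection code). Timestamps are taken to be AEST as in 2.6; the 07:00-19:59 business-hours window, the event field names and the documentation-range IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_LIMIT = 5                 # section 2.5: 5 failed logins in 1 hour
FAILED_LOGIN_WINDOW = timedelta(hours=1)
BULK_EXPORT_RECORDS = 1000             # section 2.5: 1,000 records in a single download
BUSINESS_HOURS = range(7, 20)          # assumption: 07:00-19:59 local (AEST) is business hours

def detect(events):
    """Return (timestamp, user, trigger) tuples; events are dicts in time order (see ev())."""
    alerts = []
    failures = defaultdict(deque)     # user -> timestamps of recent failed logins
    live = {}                         # session id -> (user, ip at login)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user, action, ip, sid = e["user"], e["action"], e["ip"], e.get("session")
        if action == "login_failed":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > FAILED_LOGIN_WINDOW:   # drop attempts older than 1 hour
                recent.popleft()
            if len(recent) >= FAILED_LOGIN_LIMIT:
                alerts.append((ts, user, "failed_logins"))
                recent.clear()
        elif action == "login_ok":
            other_ips = {i for u, i in live.values() if u == user}
            if other_ips and ip not in other_ips:          # simultaneous logins, different IPs
                alerts.append((ts, user, "concurrent_sessions_different_ips"))
            live[sid] = (user, ip)
        elif action == "logout":
            live.pop(sid, None)
        else:
            start = live.get(sid)
            if start and start[1] != ip:                    # address changed within one session
                alerts.append((ts, user, "ip_change_mid_session"))
            if action == "export" and e.get("records", 0) >= BULK_EXPORT_RECORDS:
                alerts.append((ts, user, "bulk_export"))
            if action in ("export", "view_recording") and ts.hour not in BUSINESS_HOURS:
                alerts.append((ts, user, "out_of_hours_access"))
    return alerts

def ev(ts, user, action, ip, session=None, records=0):
    return {"ts": ts, "user": user, "action": action, "ip": ip, "session": session, "records": records}

# Constructed sample audit events (not real data); 203.0.113.x / 198.51.100.x are documentation ranges
SAMPLE_EVENTS = [
    ev("2025-11-03T09:00:00+10:00", "dr.smith", "login_ok", "203.0.113.10", "s1"),
    ev("2025-11-03T09:05:00+10:00", "dr.smith", "view_recording", "203.0.113.10", "s1"),
    ev("2025-11-03T09:10:00+10:00", "dr.smith", "export", "198.51.100.7", "s1", records=1200),
    ev("2025-11-03T09:15:00+10:00", "dr.smith", "login_ok", "198.51.100.7", "s2"),
] + [
    ev("2025-11-03T10:%02d:00+10:00" % m, "reception", "login_failed", "203.0.113.22") for m in (0, 10, 20, 30, 40)
] + [
    ev("2025-11-04T03:00:00+10:00", "nurse.jones", "login_ok", "203.0.113.31", "s3"),
    ev("2025-11-04T03:02:00+10:00", "nurse.jones", "view_recording", "203.0.113.31", "s3"),
]
```

Run against SAMPLE_EVENTS the detector fires once per trigger: the mid-session IP change and bulk export by dr.smith, the second concurrent session, the fifth failed login within the hour, and the 3 AM recording access.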
2.6 Sensitive Data Access Logging
Audit Trail – Every access to patient recordings and transcriptions is logged:
Data Point | Details | Retention
Access - Who | User ID, name | 12 months
Access - What | Patient name, call date, recording path | 12 months
Access - When | Timestamp (UTC+10 AEST, datetime) | 12 months
Access - Why | Reason if manual export | 12 months
IP address | Source IP, geolocation | 12 months
Result | Allowed/Denied | 12 months
Audit Log Properties:
Searchable: Full-text search by user, patient, date range
Immutable: Append-only (cannot modify/delete logs)
Tamper-proof: Cryptographic signatures prevent unauthorized changes
Exportable: Download as PDF or CSV for compliance audits
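An added example (not TransferToAI's code) of the append-only, tamper-evident audit trail described in 2.6: each entry records the who/what/when/why/IP/result data points of the table, is chained to the previous entry's tag and carries an HMAC-SHA256 tag, so an edited field, a deleted entry or a reordering is detected on verification. The HMAC construction and the key being held by the logging service are assumptions; the policy only says entries are cryptographically signed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # chain anchor standing in for "no previous entry"


def canonical(entry: dict) -> bytes:
    """Deterministic serialization so an identical record always produces the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only access log: every entry is linked to its predecessor and HMAC-tagged."""

    def __init__(self, key: bytes):
        self._key = key            # assumption: held by the logging service, not by log readers
        self.entries = []

    def append(self, who: str, what: str, when: str, why: str, ip: str, result: str) -> dict:
        """Record one access using the 2.6 data points; returns the stored entry."""
        entry = {"who": who, "what": what, "when": when, "why": why, "ip": ip, "result": result,
                 "prev": self.entries[-1]["tag"] if self.entries else GENESIS}
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)
        return entry

    def _tag(self, body: dict) -> str:
        return hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()

    def verify(self):
        """Index of the first entry whose tag or chain link fails, or None if the log is intact."""
        expected_prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            # A deleted or reordered entry breaks the link; an edited field breaks the tag.
            if body.get("prev") != expected_prev or not hmac.compare_digest(self._tag(body), entry["tag"]):
                return i
            expected_prev = entry["tag"]
        return None

    def search(self, user=None, since=None, until=None):
        """Filter by user and ISO 8601 date range (the 'searchable' property of 2.6)."""
        return [e for e in self.entries
                if (user is None or e["who"] == user)
                and (since is None or e["when"] >= since)
                and (until is None or e["when"] <= until)]
```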
3. Infrastructure Security
3.1 Cloud Infrastructure Architecture
Data Residency – 100% Australian:
Component | Location
Patient recordings, clinic data, call metadata | NEVER leave Australia
VPS | Contabo Sydney datacenter
Database (PostgreSQL) | Sydney
Backups | AWS S3 (ap-southeast-2)
CDN | AWS CloudFront with Sydney PoP (Point of Presence)
DNS | Route 53 (geo-routing to AU only, never offshore)
Zero Offshore Data Transfer:
Encryption keys stored in Australia (AWS KMS AU-region)
Backups replicated within Sydney (no cross-region replication)
Disaster recovery datacenter: Secondary Sydney site (future)
3.2 Network Security
Firewall Configuration:
Port | Status | Details
443 | Open | HTTPS (public)
80 | Redirect | HTTP → 443 HTTPS
22 | Restricted | SSH, admin VPN only
All others | Blocked | No exceptions
Network Segmentation:
Production environment: Isolated VPC (no internet access from database)
Development environment: Separate, air-gapped from production
Admin access: VPN-only (WireGuard protocol, 256-bit encryption)
Database access: Private subnet (unreachable from public internet)
3.3 Cloud Service Configuration
IAM (Identity & Access Management):
Least privilege: Roles have minimum permissions required
Lambda functions: Assume IAM role (not root credentials)
RDS database: Authentication via IAM tokens (temporary, rotated)
S3 buckets: Bucket policies restrict to specific services only
Key Management (AWS KMS):
Managed keys: AWS-managed keys for standard encryption
Customer-managed keys: For sensitive data (annual rotation)
Key policies: Restrict access to authorized roles only
Audit trail: CloudTrail logs all key usage (who accessed, when)
S3 Bucket Security:
Public access blocked: No public read/write permissions
Versioning enabled: Recover from accidental deletion
Server-side encryption: AES-256 by default
MFA delete: Require MFA token to permanently delete objects
VPC Endpoints:
Private connection: Services accessed without internet gateway
Example: S3 bucket accessed via VPC endpoint (not via public internet)
Benefits: Prevents data leakage to public internet; reduces attack surface
3.4 DDoS Protection & WAF
AWS Shield & WAF:
AWS Shield Standard: Automatically included (Layer 3-4 protection)
AWS WAF: Web application firewall (Layer 7 protection)
SQL injection signatures blocked
Cross-site scripting (XSS) patterns blocked
Bot detection (CAPTCHA challenges)
Rate limiting: 1,000 requests/minute per IP (adaptive; gets stricter if attack detected)
3.5 Intrusion Detection & Prevention
Host-Based Detection:
CloudWatch Alarms: CPU, memory, disk, network anomalies
Application logs: Errors, exceptions, failed authentication attempts
Threshold alerts: Automatically escalate if metrics exceed baseline
Action: Auto-scale or alert security team (evaluated per incident)
Network-Based Detection:
AWS WAF: Web Application Firewall (protecting HTTP/HTTPS)
OWASP Top 10 rules enforced
Application-Level Detection:
Fail2ban: Brute force detection at system level
Custom rules: Specific to TransferToAI (login anomalies, bulk exports)
Response: IP rate-limited, account locked, email alert sent
24/7 Monitoring:
Alert escalation: Critical alerts page the on-call security contact by SMS/call
Response SLA: Critical alerts responded to within 15 minutes
Escalation path: On-call Security Lead → CTO → CEO
3.6 Security Assessment
Penetration Testing:
Type | Frequency | Details
Vulnerability Scanning | Monthly | Automated OWASP Top 10 vulnerability scanning (tools: NESSUS, OpenVAS, GitHub Dependabot)
Penetration Testing | Annual | Third-party ethical hacking (authorized); full infrastructure: social engineering, physical, technical
Findings | – | Triaged, prioritized, tracked to remediation
Verification | – | Re-test after fixes implemented
4. Vulnerability Management & Penetration Testing
4.1 Vulnerability Management Program
Detection Methods:
Automated scanning: NESSUS, OpenVAS (monthly)
Dependency scanning: GitHub Dependabot, Snyk (continuous)
Code review: Manual security review before deployment
Threat intelligence: Participate in AU cybersecurity forums
Triage Process: Assessment → Remediation → Verification
Verification steps:
Testing: Vulnerability rescanned after fix deployed
Confirmation: CVSS score 0.0 (vulnerability eliminated)
Documentation: Fix logged with before/after evidence
4.2 Security Patch Management
Patch Evaluation:
CVE database: Monitor daily for new vulnerabilities
Applicability: Filter for relevant libraries/frameworks only
Testing: Patch applied to staging; tested for regression
Deployment: Approved patches deployed to production
Severity & Response Timeline:
Severity | CVSS Score | Response Time | Action
Critical | 9.0-10.0 | 24 hours | Stop deployment; emergency patch
High | 7.0-8.9 | 72 hours | Fast-track fix; notification to clinics
Medium | 4.0-6.9 | 30 days | Standard remediation process
Low | 0.1-3.9 | 90 days | Include in next release cycle
5. Incident Response & Monitoring
5.1 24/7 Monitoring
Monitoring Systems:
Metric | Alert Threshold | Action
CloudWatch | CPU, memory, disk, API latency (80% usage) | Escalate to ops team
Application logs | Errors, exceptions, auth failures (50 in 5 min) | Investigate, isolate
Security logs | Failed logins, access denials (10 in 5 min) | Lock account, notify
Network traffic | DDoS patterns, unusual volume (10x baseline) | Activate WAF, rate limit
Incident Response Team:
Role | Responsibility
Primary | Security Lead (responds within 15 min)
Secondary | CTO (escalates complex incidents)
Tertiary | CEO (final approval for major actions)
Communication: Encrypted Slack channel + secure call bridge
5.2 Incident Severity Classification
Severity | Records Affected | Data Type | Response SLA
CRITICAL | 1,000+ | Highly sensitive (voice, health data) | Immediate (0 hours)
HIGH | 100-1,000 | Sensitive patient data | 1 hour
MEDIUM | 10-100 | Limited sensitivity | 4 hours
LOW | <10 | Non-sensitive data | 24 hours
5.3 Breach Response Procedures
Phase | Timeframe | Action
Phase 1: Detection | T+0-4 hours | Automated alerts reviewed by security team
Phase 2: Investigation | T+4-12 hours | Forensic analysis determines breach scope
Phase 3: Assessment | T+12-24 hours | Serious harm risk determined
Phase 4: Containment | T+24 hours | Compromised accounts/keys; patch deployed
Phase 5: Notification | T+24 hours | Clinic email/phone; OAIC notification (72h max)
Phase 6: Recovery | T+7-30 days | Remediation verified; system hardening deployed
Phase 7: Post-Incident | T+30 days | Post-mortem analysis; lessons learned shared
6. Employee Security Procedures
6.1 Security Training & Awareness
Onboarding:
Duration: 30-minute module (mandatory)
Content: Privacy Act 1988, data handling, incident reporting
Certification: Employee signs acknowledgment
Annual Refresh:
Duration: 1-hour recertification course
Role-Specific Training:
Development: Secure coding, OWASP Top 10, threat modeling (quarterly)
Operations: Infrastructure security, patch management, monitoring (semi-annual)
Support: Confidentiality, data handling, privacy policy (annual)
Leadership: Privacy governance, compliance obligations, board reporting (annual)
Training Records: Maintained (2-year retention); non-completion = employment action (suspension of access)
6.2 Access Management & Vetting
Background Screening:
Police clearance: National criminal history check
Reference checks: 2 previous employers contacted
Employment history verification: Verification of past roles
Professional credentials: Confirmation of qualifications
Access Provisioning:
Approval: Manager + security team (dual sign-off required)
Documentation: Access request form filed & dated
Least privilege: Minimum permissions needed for role
Offboarding:
Immediate: Email account disabled, badge deactivated
Day 1: System access revoked, passwords reset
Day 2: Equipment returned, backup access keys collected
Day 7: Final verification (no residual access)
6.3 Data Handling & Confidentiality
Non-Disclosure Agreement (NDA):
Covers: Patient data, clinic data, competitive information
Duration: Perpetual (survives employment termination)
Scope: Cannot disclose to anyone without authorization
Penalties: Breach = legal action + termination
Data Handling Guidelines:
Patient confidentiality: Treat data as sensitive
Secure communication: Encrypted email for PII
Physical security: Lock computers, shred documents
Incident reporting: Mandatory reporting of breaches
Compliance: Follow Privacy Policy & Security Policy
Acknowledgment:
Signature: Employee signs acknowledgment form
Filing: Stored in HR records (7-year retention)
6.4 Work-from-Home Security
VPN Requirement:
Mandatory: VPN tunnel for all remote connections
Protocol: WireGuard (modern, faster, stronger than OpenVPN)
Key exchange: 256-bit Curve25519 elliptic-curve keys
Verification: Cannot access systems without VPN
Enforcement: Cannot disable (group policy)
Device Encryption:
Full-disk encryption: Windows BitLocker, Mac FileVault
Status: Verified during onboarding & annually
Password Managers: Approved tools only (1Password, Bitwarden); never unencrypted files
Master password: Strong (16 characters)
Sharing: Via secure app only (never email/chat)
Screen Privacy:
Physical Monitor: Not visible to others; desk positioned away from windows
Privacy screen: Optional filter to reduce viewing angles
Webcam Security: Camera covers; physical cover required for video calls; automatic disable after call ends
6.5 Breach Consequences
Severity | Consequence
Minor breach | Reprimand (documented warning)
Serious breach | Suspension (temporary employment suspension)
Criminal activity | Termination (immediate dismissal)
7. Reporting Security Vulnerabilities
7.1 Responsible Disclosure Policy
Do's:
Report immediately: email security@transfertoai.com.au
Be specific: Include reproduction steps & technical details
Be patient: We work hard to fix vulnerabilities
Be reasonable: Expect response within 24 hours
Don'ts:
Publicly disclose: No GitHub issues, Reddit, blogs
Unauthorized access: Test only the reported vulnerability
Data modification: Proof-of-concept only (no data changes)
System disruption: No denial-of-service attacks
7.2 Contact & Response Timeline
Timeframe | Action
T+24 hours | Acknowledgment of report (reference number)
T+48 hours | Triage (Confirmed/Not-vulnerable/Duplicate)
T+7 days | Status update (in development/testing/deployed)
T+30 days | Resolution (fix deployed OR confirmed not vulnerable)
T+60 days | Post-mortem analysis & security improvements documented
7.3 Recognition & Incentives
Acknowledgment:
Name in security advisory (if desired)
Public credit featured in blog post (optional)
Private gratitude (thank-you email from CTO)
Bug Bounty Program:
Eligibility: Confirmed security vulnerabilities (critical/high severity)
Amount: AU$500 - AU$5,000 (severity-based)
Claim: Fill out form & provide wire transfer details
Payment: Processed within 30 days of fix deployment
8. Compliance Certifications
8.1 Regulatory Compliance
Australian Privacy Act 1988:
All Australian Privacy Principles (APPs 1-13) implemented
Annual internal compliance review
NDB Scheme compliance (notification within 30 days)
OAIC compliance: Privacy Impact Assessment completed & documented
Privacy Management Plan: Annual review schedule maintained
Complaints handled per APP 13 (response within 10 days)
Health-Related Standards:
AHPRA alignment: Dental Board of Australia standards
Record keeping: 12-month minimum retention per clinical standards
Confidentiality: Healthcare-specific confidentiality obligations
Telecommunications Act 1979:
Call recording consent via IVR consent script (patient confirmation)
Consent logs: Cryptographic proof of patient consent maintained
Interception prohibition: Only records consented-to calls
8.2 Security Certifications Roadmap
Certification | Status | Target | Scope | Auditor | Validity
ISO 27001 | In progress | Q2 2026 | Information Security Management System (ISMS) | External firm (Big 4 or equivalent) | 3-year certificate; annual surveillance audits
AWS Well-Architected Framework | Annual assessment | 4.8/5.0 target | Security, Reliability, Performance, Cost, Operations | Internal & external | Annual review
Benefit: Demonstrates commitment to security; enterprise procurement requirement
8.3 Regular Audits & Assessments
Internal Audits:
Frequency: Quarterly
Scope: All systems, policies
Owner: Security Lead
Action: Issues tracked to remediation
External Audits:
Frequency: Annual (quarterly reviews)
Scope: Infrastructure, policies, controls
Auditor: Independent firm
Report: Published to board & relevant stakeholders
Penetration Testing:
Frequency: Annual
Scope: Application, API, infrastructure (authorized ethical hacking)
Report: Detailed findings & remediation plan
Follow-up: Re-test after fixes implemented
Summary of Key Security Commitments
✅ Your data is protected end-to-end – Encryption in transit (TLS 1.3); at rest (AES-256)
✅ Access is tightly controlled – MFA required; RBAC enforced; audit logs maintained
✅ Incidents are detected 24/7 – Monitoring; alerting; rapid response team
✅ Our team is trained – Annual security training; confidentiality agreements; background checks
✅ We comply with regulations – Australian Privacy Act; OAIC; AHPRA; NDB Scheme
✅ We invest in security – Annual penetration testing; vulnerability scanning; certifications
✅ We respond to vulnerabilities – 24-hour acknowledgment; 30-day maximum remediation
Next Review Date: November 3, 2026
Security Contact: security@transfertoai.com.au