Enterprise-Grade Security

Enterprise Security for Your KiwiSaver Advice

We protect your clients' financial data with multiple layers of security, comprehensive encryption, and continuous monitoring.

256-bit Encryption
Privacy Act Aligned
HTTPS Everywhere

Data Encryption

Data encrypted in transit (TLS) and at rest (AES-256) using industry-standard protocols

Multi-Factor Authentication

Secure token-based authentication with role-based access control for all users

Comprehensive Audit Logging

Detailed logging of all user actions and system events for security analysis

How We Protect Your Data

Infrastructure & Data Storage

  • Hosted on enterprise-grade cloud infrastructure with network protection
  • Enterprise database with automated backups and health monitoring
  • Cloudflare R2 storage with pre-signed URLs (1-hour expiry) for documents
  • Automatic HTTPS enforcement with HSTS headers

Authentication & Access Control

  • Multi-tenant architecture with complete data isolation between practices
  • Role-based access control (Admin, Adviser, Client Manager)
  • HMAC-signed secure tokens with configurable expiry (1-365 days)
  • Session timeout after 30 minutes of inactivity
  • UUID-based primary keys for unpredictable identifiers
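As an added illustration (not the platform's own code), the following shows how an HMAC-signed token with a configurable 1-365 day expiry, as listed above, can be minted and verified; the secret key, payload field names and SHA-256 are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret; a deployment would load this from an environment variable.
SECRET_KEY = b"example-secret-do-not-use"
ONE_DAY = 86400

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, role: str, expiry_days: int,
                now: Optional[float] = None, key: bytes = SECRET_KEY) -> str:
    """Mint a token carrying the user, role and an absolute expiry, signed with HMAC-SHA256."""
    if not 1 <= expiry_days <= 365:
        raise ValueError("expiry must be between 1 and 365 days")
    now = time.time() if now is None else now
    payload = {"sub": user_id, "role": role, "exp": int(now + expiry_days * ONE_DAY)}
    # sort_keys gives a canonical encoding so the same payload always signs identically.
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
        expected = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
        # Constant-time comparison so the check leaks no timing information about the MAC.
        if not hmac.compare_digest(sig, expected):
            return None
        payload = json.loads(_unb64url(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        return None  # expired: the configured lifetime has elapsed
    return payload
```

The signature covers the encoded payload, so changing the role or the expiry in the body invalidates the token even though the payload itself is not secret.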

Data Protection & Privacy

  • Comprehensive input sanitization preventing XSS and SQL injection
  • CSRF protection on all forms and API endpoints
  • Industry-standard salted password hashing
  • API keys and secrets stored securely in environment variables

Monitoring & Audit

  • Comprehensive audit logging of all user actions and system events
  • Structured JSON logging for security analysis
  • Daily log rotation with 30-day retention
  • Performance monitoring and slow query detection

Advanced Security Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: [Configured per environment]
Permissions-Policy: geolocation=(), microphone=(), camera=()

All security headers are automatically enforced in production to protect against common web vulnerabilities.

Compliance & Standards

Privacy Act 2020

Designed to meet New Zealand privacy regulations

FMA Requirements

Designed to support Financial Markets Authority requirements

Global Infrastructure

Enterprise-grade cloud hosting with industry-leading providers

ISO Standards

Following ISO 27001 security practices

Your Trust is Our Priority

We understand that you're trusting us with your clients' sensitive financial information. That's why we've built security into every layer of our platform, from infrastructure to application code.

256-bit AES Encryption
Detailed Activity Logs
30-day Audit Logs

Have Security Questions?

Our team is happy to discuss our security measures in detail.