Security FAQs

Here is a list of commonly asked security questions about our software.

Please specify the Hosting Provider (e.g. AWS, Azure, other) and in which country or jurisdiction the data will reside (e.g. AWS-Syd, Azure-USA, other).

Tapt data is stored within AWS in the Sydney region.

 
Is our data encrypted during transmission, at rest (database and storage), and at backup or off-line storage?
Yes, the database is encrypted at rest via AWS’s PostgreSQL encryption and backup systems.
All transmission occurs over HTTPS (HTTP is forcibly redirected to HTTPS).
 

Please specify how personal data is protected in the Cloud Provider or Data Centre? (e.g. data at rest is encrypted, firewalls, IDP, Security-groups, etc).

  • Data is stored in an encrypted PostgreSQL instance managed by AWS. This includes all backups, which are managed by AWS.

  • Services are publicly accessible only via an AWS Application Load Balancer. Direct access is only available via a specific AWS VPC security group.

 

What are the digital infrastructure secure configuration, vulnerability management and patch management policies, procedures and processes?
We leverage containerisation for the API server, and static serving behind AWS user-facing services such as ALB and CloudFront. We leverage static analysis of third-party libraries to ensure known vulnerability fixes are applied. Our development partner performs peer code review, and security checks are part of the unit tests to ensure authentication logic bugs are not present.
 
What types of controls are in place to mitigate the risk of malware infection and external hacking?
Tapt leverages AWS user-facing services such as ALB and CloudFront, with only the necessary network interfaces exposed. Internal services are not publicly accessible.

 

Do you undertake regular website security testing?

Security testing is done as part of the development process by our development partner.

 

Do you have a web application security firewall?

All access is via AWS CloudFront / Application Load Balancers, with no direct access to the containerised server processes, database, or S3 buckets. S3 buckets are not publicly
 

How is data protected at rest on servers and backup media?

Data is encrypted using AWS’s RDS encryption support with AWS managed keys.

 

Does your organisation implement the principle of 'least privilege' to ensure that systems are only accessed by authorised individuals with limited privileges necessary to perform their job?

Tapt is not large enough to implement such a system. The Tapt development partners do, however, with only the Tapt development team having direct access to the AWS systems.

 

How long will our data be retained for?

Data is currently retained until an account is deleted by request.
 
What arrangements are in place for return of data to corporate upon contract conclusion or termination?

Bespoke arrangements can be made as required.