Security and Privacy

Security by design,
not by default

Every system I build treats security and data privacy as first-order requirements, not afterthoughts. This applies regardless of industry, scale, or budget.

AES-256 EncryptionIn transit and at rest
Australian Data ResidencyAzure australiaeast by default
RBAC + JWT AuthLeast-privilege enforced
Privacy Act CompliantAPPs designed in from day one
DATA SOVEREIGNTY

All data processed and stored in Australian Azure regions (australiaeast / australiasoutheast) by default. No data transits offshore without explicit written agreement. Client retains full data ownership — no rights retained by Augmentra post-engagement.

ENCRYPTION
  • In transit: TLS 1.3 enforced. HSTS headers on all endpoints.
  • At rest: AES-256 via Azure Storage Service Encryption.
  • Field-level: Sensitive PII encrypted at application layer using Azure Key Vault-managed keys (RSA-2048 or AES-256).
  • Key rotation: Automated via Azure Key Vault rotation policy.
ACCESS CONTROL
  • RBAC enforced at both application and infrastructure layer.
  • JWT tokens with short expiry (15 min access / 7 day refresh).
  • Azure AD integration available for enterprise SSO.
  • Principle of least privilege applied to all service accounts.
  • No shared credentials. Per-service managed identities.
AUDIT LOGGING
  • All data access, modification, and deletion events logged.
  • Logs are append-only and tamper-evident (SHA-256 hash chaining).
  • Log retention: 90 days hot, 2 years cold (Azure Blob tiering).
  • Real-time anomaly alerting via Azure Monitor.
VULNERABILITY MANAGEMENT
  • Dependencies scanned via GitHub Dependabot + Snyk on every push.
  • Docker images scanned with Trivy pre-deployment.
  • OWASP Top 10 addressed in all application code reviews.
  • Secrets managed via Azure Key Vault — never in code or env files.
PRIVACY COMPLIANCE
  • Designed to support obligations under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
  • Data minimisation: only data required for the stated purpose collected.
  • Retention and deletion schedules defined per engagement.
  • Breach notification procedures documented and agreed pre-engagement.
NETWORK SECURITY
  • Azure Virtual Network isolation with private endpoints where applicable.
  • Web Application Firewall (WAF) on public-facing endpoints.
  • DDoS protection Standard tier for production workloads.
  • All inter-service communication via private network, not public internet.
SECURE DEVELOPMENT
  • Git-based version control with branch protection rules.
  • Code review required before merge to main.
  • Infrastructure as Code (IaC) — all environments reproducible.
  • Secrets rotation automated. No hardcoded credentials, ever.
Commitments

What you can expect, by default.

Full code ownership

All source code is yours. No proprietary framework, no licence dependency, no lock-in. You can deploy it, modify it, or hand it to another engineer at any time.

Infrastructure in your accounts

Systems are deployed to your cloud accounts, not shared infrastructure. You control access. You pay the cloud provider directly.

NDAs as standard

A mutual NDA is offered on all engagements as a baseline. No questions asked.

No data retention after engagement

Post-engagement, I do not retain copies of your data, schemas, or production credentials unless you explicitly request ongoing support.

Transparent dependencies

Every third-party service, library, or API used in your system is documented. You know exactly what your system depends on.

Penetration testing support

For regulated environments, I support the provision of documentation and test access required for third-party security assessment.

Procurement

A note for procurement and legal teams

If you are evaluating this engagement as part of a formal procurement process, I am accustomed to completing vendor security questionnaires and providing technical architecture documentation for legal and IT review. If there are specific compliance frameworks your organisation must satisfy — ISO 27001, SOC 2, government security classifications — please include these requirements in your enquiry and I will assess applicability during scoping.

Request Security Pack → Submit a security enquiry

Security documentation, architecture diagrams, and compliance questionnaires available on request for procurement teams.