BuildPass Information Security
For any security concerns, please email security@buildpass.com.au
Overview
At BuildPass, given the sensitivity of the data we handle, we employ strict access control and robust data storage measures to ensure security and compliance.
All our data is stored in Australia, located on the Amazon Web Services (AWS) platform, utilising best practice security measures, including encryption at rest (storage) and in transit (transmission). Our services are tightly secured with access controls. We use industry-proven authentication services such as Auth0 and Clerk, ensuring only authorised individuals have access to sensitive data.
Additionally, all images are securely stored, with most requiring access keys for retrieval to prevent unauthorised access. In cases where public accessibility is necessary, images are made available via unique, GUID-based URLs that are cryptographically generated and difficult to guess, ensuring security while allowing controlled access.
We conduct frequent internal security audits, drawing from best practices established at REA Group and SEEK, to ensure compliance with security, privacy, and data protection standards, safeguarding all customer data.
FAQ
Do you comply with the Australian Government Code of Practice and Privacy Act?
Yes, we comply with the Privacy Act 1988 and applicable legislation such as the Health Records Act 2001 (HR). Our commitment to privacy and data security is outlined in our official policies:
What steps does BuildPass follow in the event of a data breach?
In the unlikely event of a data breach, BuildPass follows a structured incident response plan:
- Assess the Impact – Identify the scope and severity of the breach.
- Contain the Breach – Prevent further data exposure or exfiltration.
- Notify Authorities – Report the breach to the Office of the Australian Information Commissioner (OAIC), if required under the Notifiable Data Breach (NDB) scheme.
- Inform Affected Users – Provide a transparent summary, including:
  - A description of the breach.
  - The type of information compromised.
  - Recommended steps users should take to minimise any impact.
- Post-Incident Review – Conduct a thorough security review to prevent future breaches.
How long does BuildPass retain customer data?
The retention period for user data depends on its purpose:
- Inductions and HR Records – Retained for the duration of the customer’s active account to ensure continuous access.
- Operational Logs and Analytics – Retained and purged periodically based on business needs.
- Audit Logs – Maintained for security and compliance purposes in accordance with best practices.
Where is my data stored? Can it leave Australia or the US?
BuildPass stores customer data in either Australia or the United States, depending on the client’s location and preference. We use AWS’s ap-southeast-2 (Sydney) region for Australian customers and us-east-1 (North Virginia) region for US customers, ensuring compliance with respective data sovereignty laws. Each region has multiple redundant backups to enhance reliability.
AWS operates as a global platform, and while data remains within the designated region, it may be transmitted globally when accessed securely by authorised parties. We enforce strict geo-restrictions and encryption protocols to comply with data sovereignty and privacy regulations in both Australia and the US.
Is BuildPass SOC2 or ISO 27001 Certified?
BuildPass is currently undergoing SOC2 certification, with Assurance Labs (Sydney) engaged to conduct the assessment. Once SOC2 certification is complete, we plan to pursue ISO 27001 certification to further strengthen our security posture.
Does BuildPass encrypt my data?
Yes, all data stored within BuildPass is encrypted:
- At Rest: AES-256 encryption is used to secure stored data.
- In Transit: TLS 1.2 and 1.3 protocols ensure secure data transmission.
- Database & Backups: Encrypted and regularly monitored for security compliance.
What security measures does BuildPass use to prevent unauthorised access?
We employ a multi-layered security approach, including:
- Role-Based Access Control (RBAC) – Ensuring only authorised users can access specific resources.
- Multi-Factor Authentication (MFA) – Enforced across administrative and privileged accounts.
- Strict API Security Controls – Rate limiting, token authentication, and least privilege principles.
- Regular Security Audits – Conducted internally and by third-party assessors.
- Network Firewalls & Intrusion Detection Systems (IDS) – Preventing unauthorised access attempts.
Does BuildPass conduct regular security audits and penetration testing?
Yes, BuildPass performs:
- Regular Security Audits – Internal audits to review security configurations and compliance.
- Penetration Testing – Conducted by third-party security specialists to identify vulnerabilities.
- Continuous Monitoring – Automated alerts and threat detection to safeguard data integrity.
How does BuildPass handle customer authentication and access control?
We use industry-leading authentication providers (Auth0 and Clerk) to manage access securely. Key security features include:
- Multi-Factor Authentication (MFA) – Enforced for critical actions.
- OAuth 2.0 & OpenID Connect (OIDC) Support – Secure authentication protocols.
- Session Management & Timeout Policies – Automatic logout for inactive sessions.
- Audit Logs & Monitoring – Tracking login attempts and access patterns.
Does BuildPass allow customers to delete their data?
Yes. Customers can request data deletion in accordance with our Privacy Policy. Upon request:
- Personal data is securely erased from our production environment.
- Certain data may be retained for compliance/legal obligations.
- Backups containing the data are automatically purged after a defined retention period.
How does BuildPass prevent insider threats?
To mitigate insider threats, BuildPass follows a zero-trust security model:
- Least Privilege Access (LPA) – Employees only have access to necessary data.
- Regular Security Training – Employees undergo security awareness programs.
- Activity Logging & Monitoring – All access and modifications are logged.
- Background Checks – Conducted for employees handling sensitive data.
Does BuildPass offer security support for customers?
Yes. Customers can report security concerns or request support through our dedicated security contact:
- Security Contact: security@buildpass.com.au
- Response Time: Our team responds to security-related queries within 24 hours.
What steps should I take if I suspect a security issue with my BuildPass account?
If you suspect an issue:
- Reset your password immediately via BuildPass authentication services.
- Enable Multi-Factor Authentication (MFA) if not already active.
- Contact BuildPass Security Support at security@buildpass.com.au.
- Review recent account activity in your BuildPass settings.
Final Note
BuildPass is committed to maintaining the highest security standards and transparency in our security practices. We continuously evolve our security measures to protect customer data and ensure compliance with industry regulations.
For any further security-related inquiries, feel free to reach out to our team.