Your data stays in Australia.
Your audit trail stays intact.
SpringFire was built for service-based businesses where compliance isn't optional — from NDIS and aged care to allied health and beyond. Every layer of the platform reflects that: Australian hosting, encryption throughout, 2FA, role-based access, and audit logging you don't have to configure.
Sydney region. Your database never leaves AU.
Sydney, private buckets, pre-signed URLs only.
HTTPS-only. HSTS with preload.
Azure SQL + S3 server-side encryption.
Your data lives in Australia
SpringFire's primary database runs on Microsoft Azure SQL in the Australia East region (Sydney). Documents, photos, and uploaded evidence are stored in AWS S3 ap-southeast-2 (Sydney). Neither the database nor the object store leave Australian soil under normal operation.
A handful of sub-processors operate from the United States — SendGrid for email, Twilio for SMS, Stripe for payments, OpenAI for assistive AI template drafting. These are disclosed in full in our Privacy Policy, including exactly what data is sent to each. The design principle is simple: the smallest amount of personal information necessary, and only for the specific feature the user has triggered.
We maintain an in-platform Third-Party Processor Register listing every processor, its purpose, the data categories involved, the jurisdiction, and the privacy policy URL — so your compliance team has a single source of truth.
The right people, with the right access, on devices you trust
Password hashing
BCrypt with work factor 12. Legacy SHA-256 hashes are upgraded on next login — no flag day, no downtime.
Multi-factor authentication
Provider-configurable 2FA via a 6-character alphanumeric code delivered by email. Trusted-device support with expiring device tokens so your team isn't re-verifying every session.
Account lockout
Five consecutive failed logins lock the account for 15 minutes. A sliding 30-minute failure window makes brute force impractical without punishing legitimate users.
Session management
HttpOnly, Secure authentication cookies with a 7-day sliding expiration and SameSite policy enforcement. Auto-login tokens are single-use with a 5-minute expiry.
Role-based access control
Granular access levels with area-key permissions control what every user can see and do. Providers configure their own hierarchy — Admin, Internal User, Staff, Member, plus custom levels.
Multi-tenancy isolation
Every database query is filtered by Provider ID at the data layer. Staff and members exist within a single tenant — no cross-tenant lookups, no "accidental" exposure.
Evidence built in, not bolted on
The compliance features aren't a separate module you have to enable. They run automatically across every significant action in the platform, so when an auditor asks, the answer is already in the system.
Audit logging
Every significant data access and mutation is logged with the user identity, IP address, user agent, timestamp, entity type, action, severity, and before/after values. Audit logs are retained indefinitely to meet regulatory and NDB scheme evidence requirements.
Consent management
A purpose-built consent system tracks acceptance and withdrawal across nine categories — privacy policy, terms, marketing email, marketing SMS, sensitive data, cross-border transfer, data processing, cookies, and notice presented. Every record includes the version, timestamp, IP, and user agent.
Data breach register
A built-in register captures detected-at timestamps, affected data types, severity, notifiable status, OAIC notification date, individuals-notified date, root cause, and resolution actions — everything the Notifiable Data Breaches scheme requires, in one place.
Privacy Act alignment
Designed against the Australian Privacy Principles (APPs). The platform supports access, correction, deletion, and data portability rights. Access requests are handled via support@springfire.com.au and answered within 30 days.
Hardening on every layer
Security headers
Content-Security-Policy, Strict-Transport-Security (with preload), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy on every response.
Encryption
TLS 1.2+ for all connections. Azure SQL encryption at rest. S3 server-side encryption with AES-256. Third-party API tokens (Xero, Stripe, etc.) stored with AES-256.
Rate limiting & abuse control
Login throttling, brute-force protection, and public form rate limiting. Honeypot fields on public forms to catch automated submissions without disrupting real users.
Webhook signature verification
Every inbound webhook (Stripe, Twilio, Retell AI) is verified with HMAC-SHA256 signatures before processing. Replay-resistant. Forgery-resistant.
Secret management
Production secrets live in secure configuration stores — not in the repo, not in CI logs, not on developer machines. Rotated on a defined schedule.
Backups & recovery
Azure SQL automated backups with point-in-time restore. S3 versioning and lifecycle rules for document retention. Tested restore procedures.
Honesty about where we are
We don't currently hold SOC 2 or ISO 27001 certification. Every claim on this page reflects how the platform is actually built and operated today — not a roadmap. Formal certifications are on our medium-term plan and we're happy to walk your compliance team through our controls in the meantime.
We also don't run an automated DSAR (Data Subject Access Request) pipeline. Access, correction, and deletion requests under APP 12 and 13 are handled manually by our team within the 30-day statutory window. Email support@springfire.com.au and we'll respond.
Found a security issue?
Please report it privately to support@springfire.com.au. We acknowledge responsible disclosures within one business day and coordinate fixes with the reporter.
Ready to replace your tool stack?
Talk to our team and we'll onboard you personally. Your 14-day trial is activated within one business day — no payment required, no self-serve setup to get wrong.
14-day free trial · Personally onboarded · Cancel anytime