Security Policy

Zero-Trust Network

All network traffic is encrypted and mutually authenticated via mTLS with certificate pinning. No implicit trust is granted to any user or system, regardless of network location. The on-premises agent is outbound-only - the control plane cannot initiate connections into your infrastructure.

End-to-End Encryption

Data is encrypted in transit using TLS 1.3 and at rest using military-grade encryption. Encryption keys are managed via a hardened secrets store - no credentials are stored in configuration files or environment variables.

Supply Chain Integrity

All SECUVA releases are cryptographically signed offline using an asymmetric key. A software bill of materials (SBOM) is published with each release. Dependency scanning runs on every build.

Access Controls

All user accounts require MFA. Role-based access controls (RBAC) ensure users can only access data necessary for their role. All access is logged to an immutable audit trail.

Regular Security Assessments

Independent security assessments, penetration testing, and vulnerability scanning are conducted on a regular schedule. Findings are triaged against the CVSS framework and remediated according to severity SLAs.

Patient Data Never Leaves Your Infrastructure

SECUVA's on-premises agent processes all raw clinical data - DICOM images, patient records, waveforms - inside your network. Raw PHI is never transmitted to SECUVA's systems. Only de-identified, anonymised outputs are routed to downstream services, and only to recipients you explicitly authorise.

Australian Data Residency

SECUVA's control-plane infrastructure is hosted exclusively in Australian cloud regions, with primary and disaster recovery sites both within Australia. Customer data does not leave Australian borders.

Data Minimisation

We collect and process only the data necessary to provide our services. Data retention policies ensure information is not held longer than required under applicable Australian law.

In Scope

• secuva.com.au and all subdomains
• SECUVA agent - on-prem binary, update mechanism, signature verification
• Control plane API - authentication, authorisation, input validation
• Web console - session management, RBAC enforcement
• Agent ↔ control plane mTLS - pinning bypass, downgrade attacks
• Audit log - integrity, tamper detection, chain validation
• Any component or flow that could expose patient data

Out of Scope

• Social engineering or phishing attacks against SECUVA staff
• Physical access to infrastructure or hardware
• Denial of service or volumetric resource exhaustion
• Third-party services not operated by SECUVA
• Findings in customer-operated on-prem environments
• Vulnerabilities already reported and under active remediation

Guidelines

• Make good faith efforts to avoid privacy violations and service disruption
• Do not access or modify other users' data
• Report vulnerabilities as soon as possible after discovery
• Allow us reasonable time to remediate before public disclosure
• Do not perform testing that could harm our users or services

How to Report

Send detailed reports to our security team:

For sensitive reports, request our PGP public key at the address above before submitting.

What to Include

• Description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Screenshots or proof-of-concept code if applicable
• Your contact information for follow-up questions

Our Response

• Acknowledgment within 24 hours
• Initial triage and severity assessment within 72 hours
• Regular progress updates until resolution
• Public credit for responsible disclosure (if desired)