Privacy Policy

1. Introduction

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our authentication and authorization services.

2. Information We Collect

• User-Provided Information: Name, email address, organization, and credentials when signing up.
• Authentication Data: Timestamps, IP addresses, device IDs, authentication methods (e.g., MFA), login attempts, and session tokens.
• Usage Data: Logs of API usage, integrations, and configuration changes.

3. How We Use Your Information

We use the collected data to:

• Authenticate users and control access.
• Monitor and improve security.
• Provide analytics and service enhancements.
• Comply with legal obligations.

4. Sharing of Information

We do not sell or rent your data. Information may be shared:

• With your explicit consent.
• With service providers under strict data protection agreements.
• To comply with legal obligations or protect rights and safety.

5. Data Retention

Data is retained only as long as necessary for the purposes described or as required by law. You may request deletion of your account and associated data, subject to legal and operational constraints.

6. Security Measures

We implement encryption (in-transit and at-rest), secure APIs, access control policies, and regular security audits to protect your data.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your data.
• Object to processing or request data portability.
• File a complaint with a data protection authority.

8. Third-Party Services

Our Platform may integrate with third-party services (e.g., Google, Microsoft) for identity federation. These services are governed by their own privacy policies.

9. International Data Transfers

If you are located outside of Australia, your personal information may be transferred to and processed in countries that may not have the same level of data protection laws as Australia. In such cases, we take reasonable steps to ensure that overseas recipients handle your personal information in a manner consistent with the Australian Privacy Principles.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Any material changes will be notified via email or through the Platform. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

These Terms are governed by the laws of Australia. Any disputes shall be resolved in the courts of Australia.

If you are outside Australia, your data may be transferred to and processed in countries that may not have equivalent data protection laws. We take reasonable steps to ensure that international recipients of your personal data provide commitments relating to privacy and confidentiality.

11. Acceptable Use

You must not use the Platform in any unlawful or abusive manner. Prohibited uses include, but are not limited to:

• Attempting to gain unauthorized access to systems or data
• Engaging in denial-of-service attacks
• Introducing malicious code or reverse engineering the software
• Using the Platform in violation of applicable laws and regulations

12. Force Majeure

We will not be liable for any failure or delay in performance due to events beyond our reasonable control, including but not limited to natural disasters, pandemics, strikes, telecommunications failure, or governmental acts.

Additional Privacy and Compliance Information (Australia)

Compliance with Australian Privacy Law

This Platform complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information, and to make a complaint if you believe we have breached your privacy.

Cookies and Tracking Technologies

We may use cookies and similar technologies to enhance your experience, provide analytics, and protect against fraud. You can control cookie settings via your browser preferences.

Children’s Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

Data Breach Notification

In the event of an eligible data breach, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme.

Exercising Your Rights

To request access, correction, or deletion of your data, please contact us at [email protected]. We will respond to your request within 30 days and may require you to verify your identity.

13. Service Level Agreement (SLA)

We aim to maintain a monthly uptime of 99.95% for the Platform. Scheduled maintenance and emergency downtime may occur but will be minimized whenever possible. If uptime drops below this threshold, affected users may be eligible for service credits upon request. Service credits are capped at one month of subscription fees and are non-transferable.

14. Security and Certifications

We follow best practices in information security including encryption at rest and in transit, access controls, and regular security audits. We strive for compliance with standards such as ISO 27001, SOC 2 Type II, and support implementation of MFA, role-based access, and secure token handling practices. While we may not yet be certified under all industry frameworks, our internal controls align with widely recognized benchmarks.

15. Data Residency

We offer regional hosting options, including data residency in Australia, to help meet compliance or operational requirements. Customers may select a preferred region for data storage at the time of onboarding. Data may be transferred to other jurisdictions for redundancy or processing, subject to safeguards consistent with the Australian Privacy Principles.

16. Consent Management

Where applicable, we implement mechanisms for obtaining and recording user consent, such as consent checkboxes during signup or login. This consent is stored securely and timestamped, and can be reviewed or revoked upon request. These mechanisms assist our customers with their own compliance obligations under data privacy laws.

17. Operational Constraints

We reserve the right to limit or restrict automated testing, such as load or penetration tests, unless pre-approved in writing. Customers must contact support to coordinate such activities. We provide tools and documentation to facilitate data export, import, and migration between environments upon request.