Last Updated: April 30, 2025
1. Overview
At LocalVendor, we are committed to ensuring the security and protection of your information. This Security Policy outlines the measures we take to secure our platform and protect your data.
We implement industry-standard security practices and continuously work to improve our security controls to protect against unauthorized access, disclosure, alteration, or destruction of your information.
2. Data Security Measures
We implement various security measures to protect your data, including:
- Encryption: All data transmitted between your device and our servers is encrypted in transit using TLS (Transport Layer Security) 1.2 or later. Sensitive data at rest is encrypted using AES-256.
- Access Controls: We employ strict access controls to limit access to your information to authorized personnel only, based on the principle of least privilege.
- Secure Infrastructure: Our infrastructure is hosted in secure data centers with physical access controls, and we implement network security measures including firewalls and intrusion detection systems.
- Regular Security Testing: We conduct regular security assessments, including vulnerability scanning and penetration testing, to identify and address potential security vulnerabilities.
- Monitoring: We employ monitoring systems to detect and alert us to unusual or suspicious activities.
Technical Measures:
- Multi-factor Authentication: Required for all administrative access and available for user accounts
- Advanced Encryption: AES-256 for data at rest and TLS 1.2+ for data in transit
- Network Security: Firewalls, intrusion detection systems, and regular network scanning
- Endpoint Protection: Malware detection and prevention on all systems
- Security Monitoring: 24/7 monitoring for security events and anomalies
- Regular Patching: Timely application of security updates to all systems
- Data Loss Prevention: Systems to prevent unauthorized exfiltration of data
Organizational Measures:
- Security Policies: Comprehensive information security policies and procedures
- Security Training: Regular security awareness training for all staff
- Access Control Process: Formal access control processes based on least privilege principles
- Risk Assessments: Regular security risk assessments for all systems and features
- Security Personnel: Dedicated security team with clear responsibilities
- Supply Chain Security: Security assessment of all third-party vendors
- Incident Response: Documented procedures for responding to security incidents
3. Account Security
To help protect your account:
- Password Requirements: We enforce minimum password strength requirements so that your account cannot be protected by a weak password.
- Two-Factor Authentication (2FA): We offer two-factor authentication for additional account security.
- Session Management: We implement secure session management practices, including secure cookie handling and automatic session timeout.
- Login Monitoring: We monitor login attempts and may notify you of suspicious activities related to your account.
We recommend that you also take measures to protect your account, including:
- Using a strong, unique password for your LocalVendor account.
- Enabling two-factor authentication.
- Not sharing your account credentials with others.
- Signing out of your account when using shared or public computers.
- Keeping your devices and software updated with the latest security patches.
4. Document and Data Security
LocalVendor enables the exchange of tender documents, bids, and other business information. We implement the following measures to protect this data:
- Access Controls: Documents are only accessible to authorized users as determined by your sharing settings.
- Secure Storage: Documents are stored in secure cloud storage with encryption.
- Malware Scanning: Uploaded files are scanned for malware before they are made available to other users.
- Audit Logging: Document access and activities are logged for audit purposes.
- Retention Controls: Ability to set retention periods for sensitive documents.
- Version Control: Document versioning to prevent accidental overwrites.
- Secure Deletion: Proper deletion processes for documents that are no longer needed.
5. Incident Response and Data Breach Notification
In the event of a security incident, we have established procedures to:
- Identify and contain the incident
- Investigate the cause and impact
- Remediate the issue
- Notify affected users as required by law or as appropriate
- Implement measures to prevent similar incidents in the future
Data Breach Response
We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Australian Privacy Act 1988. Under this scheme, if we experience a data breach that is likely to result in serious harm to individuals whose personal information is involved in the breach, we will:
- Assess: We will assess a suspected breach promptly, and in any case within the 30 days the scheme allows, to determine whether it is likely to result in serious harm to affected individuals.
- Notify Individuals: If we determine that a breach is notifiable, we will provide a notification to affected individuals that includes:
  - Our identity and contact details
  - A description of the breach
  - The kinds of information concerned
  - Recommended steps for individuals to take in response
- Notify Regulator: We will provide a statement about the breach to the Office of the Australian Information Commissioner (OAIC).
- Prevent Future Breaches: We will take steps to prevent or mitigate the effects of further breaches.
We will notify affected individuals directly (by email, phone, or mail) when possible. If direct notification is not practicable, we will publish a notification on our website and take reasonable steps to publicize the notification.
Doxxing Incident Response
We have enhanced our incident response procedures to address specific incidents related to doxxing (malicious publication of personal information). If your personal information has been doxxed through our platform:
- We will take immediate action to remove the content
- We will preserve evidence for potential legal proceedings
- We will support you in making reports to relevant authorities
- We will cooperate with law enforcement investigations
We recognize that doxxing is now a criminal offense in Australia under offenses introduced into the Criminal Code by the Privacy and Other Legislation Amendment Act 2024, with penalties of up to six years imprisonment, and up to seven years for the aggravated offense where a person or group is targeted because of a protected attribute such as race or religion. We treat any potential doxxing incident with the utmost seriousness.
6. Third-Party Security
We may use third-party service providers to help us deliver our Service. We select providers that maintain high security standards and require them to protect your information in a manner consistent with our security commitments.
We regularly review our third-party service providers' security practices to ensure they continue to meet our requirements.
7. Compliance and Australian Standards
We comply with applicable security requirements, including:
- Australian Privacy Principles under the Privacy Act 1988
- Privacy and Other Legislation Amendment Act 2024
- Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988
- Australian Government Information Security Manual (ISM) guidelines where applicable
- ISO/IEC 27001 Information Security Management principles
- Australian Cyber Security Centre (ACSC) Essential Eight strategies
- Industry security standards and best practices relevant to the construction sector
Specific Security Measures
Our security program incorporates the following specific measures to meet Australian standards:
- Multi-factor Authentication: For administrative access and user account protection
- Regular Security Assessments: Including penetration testing conducted by Australian-based security specialists
- Data Residency: Primary data storage within Australian data centers
- Security Patching: Regular application of security updates to all systems
- Access Control: Strict role-based access controls with regular privilege reviews
- Encryption: Implementation of AES-256 for data at rest and TLS 1.2+ for data in transit
- Security Awareness: Regular training for all staff on security best practices
- Business Continuity: Disaster recovery plan with regular testing
- Documentation: Comprehensive documentation of security measures as required for accountability and governance
- Staff Training: Ongoing training on new security requirements and emerging threats
We regularly review our security practices to ensure ongoing compliance with Australian legal and industry requirements, including staying current with guidance from the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
8. Security Updates
We continually update our security measures to address new threats and vulnerabilities. This Security Policy may be updated from time to time to reflect changes in our security practices.
We encourage you to check this page periodically for the latest information on our security policies.
9. Reporting Security Issues
If you discover a security vulnerability or have concerns about the security of your data, please contact us immediately at [email protected].
We appreciate your help in keeping LocalVendor secure and will investigate all reported security issues.
10. Contact Information
For questions about this Security Policy or our security practices, please contact us at:
LocalVendor Pty Ltd
Email: [email protected]
Address: Brisbane, QLD, Australia