Security & Trust

Addresser is built on AWS infrastructure in Australia with enterprise-grade security controls. Your data stays in Australia, remains encrypted at every layer, and is never sold or shared.

📅 Reviewed: May 2026Security & Trust

Security is a foundational design principle at Addresser. Every system we build is designed with the assumption that data in our custody must be treated with the same rigour we would apply to our own most sensitive information.

Infrastructure & Data Residency

🏠

Data Residency — Australia

All customer data processed and stored exclusively within AWS ap-southeast-2 (Sydney). No customer data is transferred outside Australia in the ordinary course of operations.

🔒

Encryption at Rest

All database data protected with AES-256 encryption. OAuth tokens and credentials individually encrypted using AES-256 Fernet with keys stored separately in AWS Secrets Manager.

🔗

Encryption in Transit

All data in transit encrypted using TLS 1.2 or higher (TLS 1.3 preferred). Plain HTTP connections automatically redirected to HTTPS.

🌏

Private Network Architecture

Our services layer is not publicly accessible from the internet. It operates on Lightsail's private network, only reachable from our application layer — reducing the attack surface to one hardened endpoint.

👥

Multi-Tenant Data Isolation

Standard merchants isolated using PostgreSQL Row-Level Security enforced at database level. Enterprise clients isolated via schema-per-tenant for hard boundary separation.

🔑

Secrets Management

Carrier credentials and third-party API keys stored in AWS Secrets Manager — not in the database or code repositories. Fetched at runtime with short-lived in-process caches.

Compliance & Standards

Australian Privacy Act 1988Notifiable Data Breaches SchemeAWS Well-Architected FrameworkTLS 1.2 / 1.3 in transitAES-256 at restPostgreSQL RLS tenant isolationAWS Secrets ManagerOWASP API Security Top 10

Incident Response

In the event of a suspected security incident, our response includes immediate containment, root cause analysis, notification to affected customers, and where applicable, notification to the OAIC within 30 days as required under the Notifiable Data Breaches scheme.

Responsible Disclosure

If you discover a security vulnerability, please report it to security@addresser.com.au before public disclosure. Allow us a reasonable period (typically 90 days) to investigate and remediate. Do not access, modify, or exfiltrate customer data beyond what is necessary to demonstrate the vulnerability.

Security Contact

Security vulnerabilities: security@addresser.com.au

Privacy concerns: info@addresser.com.au

General: +61 2 7251 9425

Contents

Infrastructure & Residency Encryption at Rest Encryption in Transit Private Network Multi-Tenant Isolation Secrets Management Compliance Incident Response Responsible Disclosure Security Contact