Encryption & Data Protection

Envelope Encryption

Standardise uses AES-256-GCM envelope encryption to protect sensitive data at rest. This is the same encryption standard used by financial institutions and government agencies.

Envelope encryption works by layering keys in a hierarchy so that no single key compromise exposes all data:

• Master Key — A root key held outside the database, used only to encrypt and decrypt Key Encryption Keys.
• Key Encryption Key (KEK) — One per tenant (organisation). Encrypted by the master key and stored in the database. Used to wrap Data Encryption Keys.
• Data Encryption Key (DEK) — Generated per encryption operation. Encrypted by the tenant KEK and stored alongside the ciphertext.

What Gets Encrypted

Sensitive fields throughout the platform are encrypted before being stored in the database, including:

• Risk descriptions and treatment plans
• Document content and version text
• Incident details and response notes
• Audit findings
• Evidence metadata

Each encrypted field is stored with its own initialisation vector (IV), ensuring that identical plaintext produces different ciphertext every time.

Data in Transit

All communication between your browser and Standardise is encrypted with TLS 1.3. This applies to every page load, API call, and file upload. HSTS headers ensure browsers always connect over HTTPS.

Evidence File Encryption

Uploaded evidence files are stored in Amazon S3 with SSE-KMS encryption using a customer-managed key. Files are encrypted before they reach the disk and decrypted only when an authorised user requests a download via a time-limited presigned URL.

Australian Data Residency

All infrastructure runs in the AWS ap-southeast-2 (Sydney) region. Your data never leaves Australia, satisfying APP 8 (Australian Privacy Principle 8 — cross-border disclosure) and common regulatory requirements for Australian organisations. The database, file storage, encryption keys, and application servers are all co-located in Sydney.