Data Privacy & Security Policy

Aquifa Pty Ltd (ABN: 63 676 974 235)

1. Overview

Aquifa is committed to protecting the privacy and security of our customers' data. This document outlines our current data protection practices and security infrastructure to provide transparency about how your data is handled within our platform.

2. Current Security Infrastructure

2.1. Database & Backend Security

Supabase Infrastructure: Our platform is built on Supabase, which provides:

  • PostgreSQL database with built-in security features
  • Row-level security (RLS) policies that restrict data access at the database level
  • Encrypted data at rest
  • TLS encryption for all data in transit
  • Regular automated backups

Access Controls:

  • Role-based access control (RBAC) system
  • Default principle of least privilege
  • Account separation ensuring each organization's data is logically isolated

2.2. Authentication Security

User Authentication:

  • Secure password policies
  • Email verification for new accounts
  • Session management with token-based authentication
  • Capability to implement multi-factor authentication

Account Permissions:

  • Granular permission structures using Supabase auth
  • Different access levels for owners vs. members
  • Invitation-based account access

2.3. Application-Level Security

React/TypeScript Frontend:

  • Type safety to prevent common programming errors
  • Content Security Policy implementation
  • Protection against common web vulnerabilities

API Security:

  • Token-based authentication for all API requests
  • Rate limiting capabilities
  • Input validation and sanitization

2.4. Document & Sensitive Data Handling

Document Security:

  • Secure document storage using Supabase Storage
  • Access control for document retrieval
  • Encrypted document transmission

Electronic Signatures:

  • Secure e-signature implementation
  • Tamper-evident document handling
  • Complete audit trail of signature events

3. Data Privacy Practices

3.1. Data Collection & Usage

We collect and process only the data necessary to provide our water trading platform services:

  • User account information (name, email, organization details)
  • Client and entity information
  • Water account details
  • Trade and offer information
  • Document content
  • System usage metadata

3.2. Data Retention & Deletion

  • Customer data is retained for the duration of your service agreement
  • Backups are maintained according to Supabase's retention policies
  • Upon service termination, data can be exported and/or deleted upon request

3.3. Data Portability

  • Customers have the right to export all of their data at any time
  • Data export requests can be submitted through your account representative
  • Exports are provided in standard, machine-readable formats (CSV, JSON, etc.)
  • We will process all data export requests within a reasonable timeframe, typically within 5 business days
  • There is no additional charge for standard data export requests

3.4. Data Ownership

  • Customer Data Ownership: Customers retain full ownership of all data entered into or generated by the Aquifa platform
  • Aquifa does not claim any ownership rights to customer data
  • We do not sell, rent, or otherwise commercialize customer data under any circumstances
  • Customer data is used solely for providing and improving the Aquifa service

3.5. Data Access & Control

  • Access to customer data by Aquifa staff is limited to support and maintenance purposes
  • All data access is governed by our internal access control policies
  • Customers control user access within their organization through role-based permissions

4. Security Roadmap

Aquifa is committed to continually enhancing our security posture. The following security initiatives are on our roadmap:

4.1. Planned Security Enhancements

  • Implementation of a formal security testing and vulnerability assessment program
  • Development of a comprehensive security monitoring system
  • Creation of an employee security awareness training program
  • Formalization of incident response procedures
  • Regular security reviews and assessments

4.2. Compliance

While Aquifa does not currently hold specific security certifications, our platform is designed with compliance considerations in mind:

  • Comprehensive audit logging of system activities
  • Data structures aligned with relevant privacy regulations
  • Security controls that support compliance obligations

4.3. Incident Response

In the event of a suspected security incident:

  1. Contact your account representative immediately
  2. Provide all relevant details of the suspected incident
  3. We will investigate and take appropriate measures to address the issue
  4. You will receive communication regarding the incident, its impact, and remediation steps

5. Contact Information

For any questions or concerns about data privacy and security at Aquifa, please contact:

Email: security@aquifa.com.au

This document represents Aquifa's current security posture as of 2 March, 2025. Security practices and capabilities will evolve as our platform matures, and this document will be updated accordingly.
