Security Policy
Enterprise-grade security practices and policies
Last updated: 7/30/2025
Security Overview
SavePoint Authentication Portal is built with security as a foundational principle. We implement industry-leading security practices to protect user data, prevent unauthorized access, and ensure the integrity of authentication services across the SavePoint ecosystem.
Data Protection
End-to-end encryption, secure storage, and minimal data collection
Compliance
GDPR, Australian Privacy Act, and industry security standards
Monitoring
24/7 security monitoring and incident response
Authentication Security
Passwordless Authentication
SavePoint prioritizes passwordless authentication methods to eliminate password-related vulnerabilities:
- WebAuthn/FIDO2 Passkeys: Cryptographic authentication using device-bound credentials
- Magic Links: Time-limited, single-use authentication tokens delivered via email
- TOTP Authenticators: Time-based one-time passwords for two-factor authentication
- Social Authentication: OAuth 2.0 integration with trusted providers (GitHub, Google)
Password Security (When Used)
For users who choose traditional password authentication:
- Passwords are hashed using Argon2id with strong parameters
- Integration with HaveIBeenPwned to detect compromised passwords
- Minimum complexity requirements enforced
- Account lockout protection against brute force attacks
- Mandatory password changes for compromised credentials
No SMS Authentication
SavePoint does not use SMS-based authentication due to known security vulnerabilities in the SS7 protocol. We recommend and support more secure alternatives like TOTP apps and passkeys.
Data Protection & Privacy
Data Minimization
We collect only the minimum data necessary for authentication and user management:
- Email address (for account identification and communication)
- Name (for personalization and identification)
- Authentication credentials (securely hashed)
- Session data (temporarily stored for active sessions)
- Security logs (for monitoring and incident response)
Encryption
Data in Transit
- TLS 1.3 for all connections
- HTTPS enforced with HSTS
- Certificate pinning for API clients
- Perfect forward secrecy
Data at Rest
- AES-256 encryption for database
- Encrypted backups and logs
- Secure key management (HSM)
- Regular key rotation
Data Retention
User Account Data
Retained while the account is active and for 90 days after account deletion (for recovery purposes and compliance requirements).
Security Logs
Authentication logs retained for 2 years for security monitoring and compliance. Security incident logs retained for 7 years.
Session Data
Session tokens and temporary data purged immediately upon logout or expiration.
Infrastructure Security
Hosting & Network Security
- Hosted on enterprise-grade cloud infrastructure (Vercel/AWS)
- Geographic data replication for availability and disaster recovery
- Web Application Firewall (WAF) for DDoS and attack protection
- Network segmentation and micro-segmentation
- Regular penetration testing and vulnerability assessments
Application Security
Security Measures
- OWASP Top 10 protection
- SQL injection prevention
- XSS protection and CSP headers
- CSRF protection with state tokens
- Rate limiting and DDoS protection
Development Security
- Secure development lifecycle (SDLC)
- Static and dynamic code analysis
- Dependency vulnerability scanning
- Security code reviews
- Automated security testing
Security Monitoring & Incident Response
Continuous Monitoring
- 24/7 security operations center (SOC) monitoring
- Real-time threat detection and alerting
- Automated anomaly detection for authentication patterns
- Integration with threat intelligence feeds
- Comprehensive audit logging for all system activities
Incident Response
Response Timeline
- Critical: 1 hour detection, 4 hours containment
- High: 4 hours detection, 24 hours containment
- Medium: 24 hours detection, 72 hours resolution
Communication
Users affected by security incidents are notified within 72 hours via email and system notifications. Status updates are posted to our status page.
Security Alerts
Users receive automatic security alerts for:
- New device or location logins
- Password changes or account modifications
- Suspicious authentication attempts
- API key creation or deletion
- Account security setting changes
Compliance & Standards
Privacy Regulations
- General Data Protection Regulation (GDPR)
- Australian Privacy Act 1988
- California Consumer Privacy Act (CCPA)
- Privacy by Design principles
Security Standards
- OWASP Security Guidelines
- NIST Cybersecurity Framework
- OAuth 2.1 and OpenID Connect specifications
- WebAuthn/FIDO2 standards
Regular Assessments
- Annual third-party security audits and penetration testing
- Quarterly vulnerability assessments
- Continuous compliance monitoring
- Regular security training for all personnel
- Business continuity and disaster recovery testing
User Security Guidelines
Recommended Security Practices
- Enable passkey authentication on all your devices
- Set up TOTP two-factor authentication as a backup
- Use strong, unique passwords if using password authentication
- Regularly review your account activity and connected applications
- Keep your devices and browsers updated
- Never share your authentication credentials or backup codes
What to Do If Compromised
Immediate Actions
- Change your password immediately
- Review and revoke suspicious sessions
- Check for unauthorized account changes
- Update security questions and backup codes
- Contact IT support if needed
Security Contact
Report Security Issues
If you discover a security vulnerability or have security concerns, please contact us immediately:
Security Team: security@savepoint.com.au
General Support: support@savepoint.com.au
Response Time: Critical issues acknowledged within 4 hours
Responsible Disclosure
We appreciate responsible disclosure of security vulnerabilities. Please provide detailed information about the issue and allow us reasonable time to address it before public disclosure.