
Security Policy

Enkisonics Pty Ltd (ABN 48 688 943 106)

Trading as GunGov - Australia's Premier Firearms Range Booking Platform

At Enkisonics Pty Ltd, we take the security of your personal information, payment data, and firearms compliance records with the utmost seriousness. This comprehensive Security Policy outlines the technical, administrative, and physical measures we implement to protect your data and ensure the integrity, confidentiality, and availability of the GunGov platform.

Effective Date: November 2025 | Last Updated: November 2025


1. Security Commitment and Philosophy

Security is not just a feature at GunGov - it is the foundation of our entire platform. We recognize that our users trust us with sensitive information including:

  • Personal identification details
  • Firearms licensing information
  • Range attendance records and compliance history
  • Payment card information
  • Location and contact details

Given the sensitive nature of firearms-related data in Australia, we implement security measures that exceed industry standards. Our multi-layered security approach (often called "defense in depth") ensures that even if one security control fails, multiple additional layers of protection remain in place.


2. Payment Card Security and PCI DSS Compliance

2.1 PowerBoard by CommBank Integration

All payment transactions on the GunGov platform are processed through PowerBoard by CommBank, a PCI DSS Level 1 certified payment gateway. This is the highest level of certification available in the payment card industry and is awarded only to organizations that demonstrate the strictest adherence to payment security standards.

2.2 Payment Data Flow and Tokenization

When you make a payment on GunGov:

  1. Your payment card details are entered directly into PowerBoard's secure widget (not on our servers)
  2. Card data is encrypted using 256-bit SSL/TLS before transmission
  3. PowerBoard processes the payment and returns only a secure token to GunGov
  4. This token (not your card details) is stored in our database for future transactions
  5. Your actual card number, CVV, and expiry date NEVER touch our servers

Critical Security Point: GunGov does not store, process, or transmit complete payment card data at any time. All sensitive payment information is handled exclusively by PowerBoard's PCI DSS Level 1 compliant infrastructure. This dramatically reduces our attack surface and ensures your payment data is protected by bank-grade security.

2.3 3D Secure Authentication

For eligible transactions, PowerBoard supports 3D Secure (3DS) authentication, which adds an additional layer of security by requiring cardholders to verify their identity with their issuing bank during the payment process. This significantly reduces the risk of fraudulent transactions.


3. Data Encryption (In Transit and At Rest)

3.1 Transport Layer Security (TLS)

All data transmitted between your device and GunGov servers is encrypted using:

  • TLS 1.2 or higher (Transport Layer Security protocol)
  • 256-bit encryption keys (military-grade strength)
  • Perfect Forward Secrecy (PFS) to prevent past session decryption
  • HSTS (HTTP Strict Transport Security) to enforce HTTPS connections

This encryption applies to all data exchanged with our platform, including login credentials, personal information, booking details, and API requests. You can verify our encryption by looking for the padlock icon in your browser's address bar.

3.2 Data-at-Rest Encryption

All sensitive data stored in our databases is encrypted at rest using:

  • AES-256 encryption (Advanced Encryption Standard with 256-bit keys)
  • Unique encryption keys per user for enhanced security
  • Key rotation policies to minimize exposure from key compromise
  • Secure key management using hardware security modules (HSMs)

Particularly sensitive fields (such as firearms licence numbers, personal addresses, and payment tokens) receive additional layers of application-level encryption beyond database encryption. This ensures that even in the unlikely event of unauthorized database access, the data remains unreadable.


4. Account Security and Authentication

4.1 Password Security

Your GunGov account password is protected using industry best practices:

  • Bcrypt hashing algorithm with adaptive cost factor
  • Unique salt per password to prevent rainbow table attacks
  • Passwords are never stored in plain text - only the hash is retained
  • Password strength requirements enforced during registration and changes
  • Protection against common/breached passwords using known password databases

Important: Even GunGov staff cannot see your password. If you forget it, we can only help you reset it - we cannot retrieve or "remind" you of your existing password.

4.2 Two-Factor Authentication (2FA)

We strongly recommend enabling two-factor authentication (2FA) for your account. When enabled:

  • You'll need your password AND a time-based one-time code to log in
  • The code is generated by an authenticator app on your phone
  • Even if your password is compromised, your account remains protected
  • Backup codes are provided for account recovery

4.3 Session Management

Once you log in, your session is managed securely using:

  • HTTP-only cookies that cannot be read by JavaScript (limits session theft via XSS)
  • Secure cookie flag to ensure cookies are only transmitted over HTTPS
  • SameSite cookie attribute to mitigate cross-site request forgery (CSRF)
  • Automatic session timeout after 30 minutes of inactivity
  • Session invalidation on logout to prevent session hijacking

4.4 Brute Force Protection

Failed login attempts are monitored and restricted:

  • After 5 failed login attempts, the account is temporarily locked
  • Rate limiting prevents automated password guessing attacks
  • CAPTCHA challenges are presented for suspicious login patterns
  • Notification emails are sent for failed login attempts

5. Infrastructure Security

5.1 Cloud Hosting and Physical Security

GunGov is hosted on enterprise-grade cloud infrastructure with:

  • ISO 27001 certified data centers in Australia
  • 24/7 physical security with biometric access controls
  • Redundant power supplies and network connectivity
  • Environmental monitoring and fire suppression systems
  • Geographic redundancy across multiple Australian availability zones

5.2 Network Security

Our network infrastructure includes:

  • Web Application Firewall (WAF) to filter malicious traffic
  • DDoS protection to prevent denial-of-service attacks
  • Intrusion Detection Systems (IDS) to identify threats
  • Virtual Private Cloud (VPC) network isolation
  • Private subnets for databases and sensitive services

5.3 Server Hardening

All GunGov servers are hardened using security best practices:

  • Minimal software installation (reduce attack surface)
  • Automatic security updates and patch management
  • Firewall rules restricting unnecessary network access
  • Disabled unnecessary services and ports
  • Regular vulnerability scans and remediation

6. Application Security

6.1 Secure Development Lifecycle (SDL)

Security is integrated into every stage of our development process:

  • Security requirements gathering during feature planning
  • Threat modeling to identify potential vulnerabilities
  • Secure coding standards following OWASP guidelines
  • Peer code reviews with security focus
  • Automated security testing integrated into CI/CD pipelines
  • Manual penetration testing before major releases

6.2 Protection Against Common Vulnerabilities

GunGov implements comprehensive protections against OWASP Top 10 threats:

  • SQL Injection: Parameterized queries and ORM usage
  • Cross-Site Scripting (XSS): Input sanitization and Content Security Policy (CSP)
  • Cross-Site Request Forgery (CSRF): Anti-CSRF tokens on all state-changing operations
  • Broken Authentication: Secure session management and authentication libraries
  • Security Misconfiguration: Regular configuration audits and automated compliance checks
  • Sensitive Data Exposure: Encryption, access controls, and data minimization

6.3 API Security

All API endpoints are protected with:

  • Token-based authentication (JWT or session tokens)
  • Role-based access control (RBAC) enforcement
  • Rate limiting to prevent abuse
  • Input validation and sanitization
  • Comprehensive logging of all API requests

7. Access Control and Authorization

7.1 Principle of Least Privilege

Access to systems and data is granted on a strict "need-to-know" basis:

  • Users can only access their own data and authorized club information
  • Club administrators can only access data for their own club members
  • System administrators have limited, audited access to production systems
  • Development team access to production data is prohibited

7.2 Data Isolation

Your personal firearms compliance records are private and isolated:

  • Not even our internal team can access your encrypted data
  • Records are only accessible to you and your authorized club
  • Database queries are scoped to prevent unauthorized data access
  • Multi-tenant data isolation ensures club data never mixes

8. Customer Due Diligence (CDD) and Fraud Prevention

8.1 Invitation-Only Club Onboarding

GunGov operates a highly secure, invitation-only onboarding process for shooting clubs to prevent fraud and ensure regulatory compliance:

  • No public self-registration: Clubs cannot register themselves - all onboarding is initiated by GunGov staff
  • Pre-screening verification: Initial identity and legitimacy checks before any onboarding link is issued
  • Single-use invitation links: Unique, time-limited links with access pattern monitoring
  • Mandatory document upload: Range Approval and Club Approval certificates must be provided before onboarding can proceed

8.2 AI-Powered Document Verification

All uploaded weapons licensing documents undergo automated verification using Jarvis AI:

  • Data extraction: Automatically parses approval numbers, expiry dates, authorized disciplines, and issuing authority details
  • Authenticity validation: Compares documents against known government templates, verifies signatures, seals, and watermarks
  • Tamper detection: Identifies signs of editing, manipulation, or inconsistent metadata
  • Cross-referencing: Validates document structure against state-specific requirements (QLD, NSW, VIC, etc.)

8.3 Know Your Business (KYB) Verification

Every club undergoes comprehensive business verification:

  • ABN verification: Automatic cross-checking with ABR (Australian Business Register) and ASIC
  • Business entity validation: Legal name, trading name, and registration status confirmation
  • Governance structure: Verification of club officials (President, Secretary, Treasurer, Safety Officers)
  • Official identity checks: KYC performed on officials with financial or administrative access

8.4 Representative-Assisted Onboarding

Every club is onboarded with direct human oversight:

  • Dedicated GunGov compliance officer guides the club through each step
  • Verification that documents match entered information
  • Review of disciplines, range details, and operating conditions against approvals
  • Explanation of ongoing compliance obligations
  • Manual compliance review and approval before club activation

8.5 Transaction Monitoring and Fraud Detection

Ongoing transaction monitoring protects against fraud and suspicious activity:

  • Pattern analysis: Payment behaviour monitored for inconsistencies with club profile
  • Document expiry tracking: Automatic monitoring of Range and Club Approval expiry dates
  • Anomaly detection: Flagging of unusual transaction volumes or patterns
  • Compliance audit trails: All onboarding actions, document uploads, and changes logged with timestamps and user IDs

For comprehensive details on our Customer Due Diligence procedures, please refer to our Customer Due Diligence Procedure document at gungov.com.au/cdd-procedure.


9. Privacy and Data Protection Compliance

9.1 No Government Reporting

Important Privacy Commitment: Enkisonics Pty Ltd does NOT report your firearms range attendance, booking history, or compliance records to any government agency. Your data is private and under your control.

The only circumstances where we may disclose information to authorities are:

  • When legally compelled by a valid court order or subpoena
  • To prevent imminent harm to life or safety
  • To investigate suspected criminal activity on our platform

9.2 No Third-Party Data Sharing

We do NOT sell, rent, or share your personal information with third parties for marketing purposes. Your data is used solely to provide the GunGov service and is shared only with essential service providers (payment processing, cloud infrastructure) who are bound by strict confidentiality agreements.

9.3 Compliance with Australian Privacy Laws

GunGov complies with:

  • Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
  • Notifiable Data Breaches (NDB) scheme - we will notify you within 72 hours of discovering a breach affecting your personal information
  • Australian Consumer Law regarding data security obligations

10. Monitoring, Logging, and Incident Detection

10.1 Security Monitoring

Our systems are monitored 24/7 for suspicious activity:

  • Real-time intrusion detection and prevention
  • Automated alerts for anomalous behavior
  • Continuous network traffic analysis
  • Server health and performance monitoring
  • Failed login attempt tracking

10.2 Comprehensive Audit Trails

All security-relevant events are logged:

  • User authentication and authorization events
  • Data access and modification
  • Administrative actions
  • API requests and responses
  • System errors and exceptions

Logs are retained for a minimum of 12 months, encrypted at rest, and stored in tamper-proof, append-only storage. Access to logs is strictly controlled and audited.


11. Backup, Disaster Recovery, and Business Continuity

11.1 Data Backup Strategy

To protect against data loss, we implement comprehensive backup procedures:

  • Automated daily backups of all databases
  • Real-time replication to secondary database instances
  • Geographic redundancy - backups stored in multiple Australian data centers
  • Encrypted backups using AES-256
  • Regular restore testing to verify backup integrity

11.2 Disaster Recovery

In the event of a catastrophic failure:

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour (maximum data loss)
  • Documented disaster recovery procedures tested quarterly
  • Automatic failover to redundant systems

12. Third-Party Security and Vendor Management

All third-party services and vendors are carefully vetted for security:

  • PowerBoard by CommBank: PCI DSS Level 1 certified payment gateway
  • Cloud hosting providers: ISO 27001, SOC 2 Type II certified
  • Email service providers: TLS encryption and anti-spam protection
  • SSL/TLS certificate providers: Trusted certificate authorities

All vendors sign data processing agreements (DPAs) and are prohibited from using your data for any purpose other than providing services to GunGov.


13. Vulnerability Management and Security Testing

13.1 Regular Security Assessments

We proactively identify and address security vulnerabilities:

  • Quarterly penetration testing by independent security experts
  • Automated vulnerability scanning of all infrastructure
  • Dependency scanning to identify vulnerable libraries
  • Security code reviews for all major features

13.2 Responsible Disclosure Program

If you discover a security vulnerability in GunGov, we encourage responsible disclosure:

  • Email security@gungov.com.au with details of the vulnerability
  • We will acknowledge receipt within 24 hours
  • We will work to verify and resolve the issue promptly
  • We will credit researchers who report valid vulnerabilities (if desired)

14. Security Awareness and Training

All Enkisonics staff receive comprehensive security training:

  • Annual security awareness training covering phishing, social engineering, and password security
  • Role-specific training for developers on secure coding practices
  • Incident response training and simulations
  • Data privacy and handling procedures

Background checks are conducted for all employees and contractors with access to sensitive systems or data.


15. Your Role in Security

While we implement comprehensive security measures, you also play a critical role in protecting your account:

  • Use a strong, unique password: At least 12 characters with a mix of letters, numbers, and symbols
  • Enable two-factor authentication (2FA): Adds an extra layer of protection
  • Never share your credentials: GunGov will never ask for your password
  • Keep your email secure: Your email is used for password resets
  • Log out on shared devices: Always log out when using public computers
  • Be wary of phishing: Verify email sender addresses before clicking links
  • Keep devices updated: Install security updates on your phone/computer
  • Report suspicious activity: Contact us immediately if you notice anything unusual

16. Security Incident Response

16.1 Incident Detection and Response

In the unlikely event of a security incident, we follow a comprehensive incident response plan:

  1. Detection: Automated systems and monitoring detect anomalies
  2. Containment: Affected systems are immediately isolated
  3. Investigation: Security team analyzes the incident and scope
  4. Eradication: Threat is removed and vulnerabilities patched
  5. Recovery: Systems are restored and verified
  6. Notification: Affected users are notified in accordance with law
  7. Post-Incident Review: Lessons learned and preventive measures implemented

16.2 Data Breach Notification

If a data breach occurs that is likely to result in serious harm:

  • We will notify the Office of the Australian Information Commissioner (OAIC) within 72 hours
  • Affected users will be notified via email as soon as practicable
  • Notification will include details of the breach and steps you should take
  • We will provide support to affected users (e.g., credit monitoring if payment data was compromised)

17. Data Retention and Secure Deletion

We retain your data only as long as necessary:

  • Active accounts: Data retained while account is active
  • Inactive accounts: Data retained for 12 months after last login
  • Closed accounts: Data deleted within 30 days of account closure (except where legal retention is required)
  • Audit logs: Retained for 12 months for security purposes

When data is deleted, it is securely wiped from all systems including backups (within the backup retention period). We use cryptographic erasure techniques to ensure deleted data cannot be recovered.


18. International Data Transfers

Data Sovereignty: All GunGov user data is stored exclusively on servers located within Australia. We do not transfer personal information to overseas countries. This ensures your data remains subject to Australian privacy laws and is not subject to foreign government surveillance or access laws.


19. Continuous Improvement and Policy Updates

Security is not static - we continuously improve our security posture to address emerging threats. This Security Policy may be updated from time to time to reflect changes in:

  • Technology and security best practices
  • Regulatory and compliance requirements
  • Our operational processes and infrastructure
  • Identified security risks and vulnerabilities

Any material changes to this policy will be communicated to users via email and displayed prominently on the platform. The "Last Updated" date at the bottom of this policy indicates when the most recent changes were made.


20. Contact Our Security Team

If you have security concerns, questions about this policy, or wish to report a vulnerability or suspicious activity, please contact our security team immediately:

Enkisonics Pty Ltd - Security Team

Trading as GunGov

ABN: 48 688 943 106


General Support Email: support@gungov.com.au

Security Email: security@gungov.com.au (for security issues only)

Phone: 0429 308 630

Business Hours: Monday to Friday, 9:00 AM - 5:00 PM AEST


Business Address:
80 Fernley Street
Portsmith QLD 4870
Australia

For urgent security matters, please mark your email subject line as: "URGENT - SECURITY INCIDENT"

Effective Date: November 2025 | Last Updated: November 2025