Positive Prime security

Cyber Security Statement

Cyber security and privacy are core to how we design, build and operate Positive Prime. This page summarises the governance, controls and practices we use to protect customer data across our applications and cloud infrastructure.

Positive Prime is an Australian software-as-a-service (SaaS) provider delivering web, iOS and Android applications. Security responsibilities are embedded across engineering, operations and support, with clear escalation paths for incidents and decision-making.

Security governance and oversight

Security governance is overseen by the company's senior leadership, with explicit accountability for information security, privacy and risk management. Positive Prime maintains documented policies and procedures addressing information security, acceptable use, access control, change management, incident response and business continuity. These policies inform day-to-day operations of:

  • Backend services: our TypeScript/Node.js (Express) API layer and PostgreSQL data access.
  • Client applications: our React Native (Expo) mobile and web applications.
  • Public website: our public-facing Next.js marketing website and subscription flows.
  • Cloud infrastructure: our Terraform-managed cloud infrastructure on Amazon Web Services (AWS) and associated providers.

While Positive Prime is not currently ISO 27001 certified, we are progressively aligning our practices with recognised security standards and Australian Government guidance. To support the expectations of enterprise and government customers, we use the ACSC Essential Eight as a guiding framework for prioritising security uplift, noting that our maturity level may vary across the eight strategies.

Regulatory compliance (Privacy Act, APPs, NDB scheme)

Positive Prime is committed to meeting its obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We:

  • Limit collection of personal information to what is required to provide and improve our services, including user registration details, session-based content usage and optional profile images.
  • Use and disclose information only for purposes described in our Privacy Policy or as otherwise permitted or required by law.
  • Provide transparency and access so individuals can request access to, or correction of, their personal information.
  • Implement safeguards appropriate to the sensitivity of data we handle, including technical, organisational and physical controls.

Positive Prime is subject to the Notifiable Data Breaches (NDB) scheme. We maintain processes to:

  • Promptly identify, triage and assess suspected data breaches, including a timely assessment against the NDB criteria (the likelihood of serious harm and any remedial action taken).
  • Determine whether an eligible data breach (likely to result in serious harm) has occurred.
  • Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required.

We periodically review our practices against the Privacy Act, APPs and NDB scheme expectations, and update our controls and policies as our services evolve.

Data protection and encryption

Positive Prime handles several classes of information, including:

  • Account data: registration details, authentication identifiers and subscription information.
  • Uploaded content: user-uploaded images used in Positive Prime sessions and profile customisation.
  • Session and usage data: information about how sessions are configured, delivered and consumed, including non-content analytics.

We apply strong cryptographic controls to protect this data:

  • In transit: all external access to web, mobile and API endpoints is enforced over HTTPS/TLS using industry-standard protocols and cipher suites. Administrative and inter-service traffic is likewise protected using TLS where supported.
  • At rest:
    • Primary relational data is stored in an AWS Aurora PostgreSQL cluster with storage encryption enabled.
    • Files such as user-uploaded images are stored in encrypted cloud object storage (for example AWS S3) with server-side encryption enabled.
    • Application secrets (such as database credentials) are generated and stored via managed secret and parameter stores, reducing direct exposure in code or configuration.

On supported client platforms, sensitive tokens and keys are stored using secure device storage mechanisms (for example, the Expo SecureStore module) rather than general-purpose storage.

Infrastructure and cloud security

Positive Prime operates its production workloads on Amazon Web Services (AWS) with infrastructure defined and managed using Terraform. This approach enables consistent, auditable and repeatable deployment of:

  • Network segmentation: separate public and private subnets, security groups and load balancers for API, application and database tiers.
  • Managed databases: Aurora PostgreSQL clusters configured with encryption, automated backups and deletion protection.
  • Application hosting: containerised API workloads (for example ECS/Fargate) and cloud-native hosting for web and mobile assets, fronted by TLS-terminating load balancers and content delivery networks.
  • Perimeter protections: integration with services such as CloudFront, Cloudflare and Bunny.net to provide highly available, TLS-enabled front ends and caching of static assets.

Access to cloud environments is restricted to authorised personnel and is governed by role-based AWS Identity and Access Management (IAM) policies following the principle of least privilege. Infrastructure state is stored in versioned, access-controlled backends, and changes are applied via controlled workflows using Terraform, ensuring that modifications are reviewed and auditable.

Access control and identity management

Access control is designed to follow the principle of least privilege across the platform:

  • Customer access:
    • Users authenticate to Positive Prime applications using established identity mechanisms, including email/password and federated sign-in options (such as Apple and Google).
    • Session tokens are issued and validated by our backend services using established token standards and libraries (such as JSON Web Tokens), with protected signing key material and configurable session lifetimes.
    • Passwords are hashed using industry-standard salted one-way password hashing functions (for example bcrypt) and are never stored in clear text.
  • Administrative access:
    • Access to production systems and databases is restricted to authorised staff with a demonstrable business need.
    • Administrative accounts and privileged operations are protected with strong authentication controls, and multi-factor authentication (MFA) is used for key administrative platforms where supported.
  • Service-to-service access:
    • API-to-database and service-to-service authentication uses securely generated credentials stored in managed secret stores (for example AWS Systems Manager Parameter Store), with access controlled via IAM.

Authorisation decisions within the platform are implemented in the application layer, with API endpoints enforcing appropriate role and permission checks before performing sensitive operations.

Secure software development practices

Positive Prime follows secure software development practices across its codebases:

  • Modern languages and frameworks: core services are built in TypeScript/Node.js (Express) and React Native (Expo), with the marketing and subscription site in Next.js. These stacks are actively maintained and benefit from strong community security support.
  • Static analysis and linting: codebases use tools such as Biome and TypeScript type-checking to detect common coding errors and potential issues before deployment.
  • Automated testing: unit and integration tests (for example using modern JavaScript/TypeScript testing frameworks) support regression detection and safer change deployment.
  • API contracts: OpenAPI specifications and validators are used on the server and consumed by generated API clients, reducing the likelihood of insecure or inconsistent API usage.
  • Dependency management: third-party packages are managed via standard package managers, with periodic updates to address security advisories.
  • Code review and change control: changes to production codebases are reviewed by peers, tested in non-production environments and deployed through controlled processes.

Our development practices are informed by the ACSC Essential Eight strategies, particularly in relation to application control, patching of applications and operating systems, and restricting administrative privileges, though we do not claim formal certification or full maturity across all eight strategies.

Monitoring, logging and incident response

Positive Prime maintains application and infrastructure monitoring across its environment:

  • Application monitoring: core applications integrate with observability tools such as Sentry for error tracking, performance monitoring and release visibility.
  • Logging: API traffic and key application events are logged (for example via established HTTP logging middleware and cloud-native logging services). Logs include sufficient context to support troubleshooting and security investigations while avoiding unnecessary storage of sensitive information.
  • Infrastructure monitoring: cloud infrastructure is monitored using native services (such as CloudWatch and related alerting mechanisms) for availability, utilisation and anomaly detection.

Positive Prime maintains an incident response process that includes:

  • Defined roles and responsibilities for incident handling.
  • Triage, containment, eradication and recovery steps.
  • Communication procedures for affected customers and relevant regulators (including obligations under the NDB scheme).
  • Post-incident review to identify root causes and implement corrective actions.

Incident response playbooks are periodically reviewed and updated to reflect lessons learned and evolving threat landscapes.

Backup, business continuity and disaster recovery

Positive Prime's cloud-native architecture is designed with resilience and recoverability in mind:

  • Database backups: Aurora PostgreSQL clusters are configured with automated backups and snapshot retention periods appropriate to the environment (with longer retention in production). Final snapshots are taken before deletion operations to guard against data loss.
  • Configuration as code: our infrastructure-as-code definitions in Terraform enable rapid and consistent recreation of core services in the event of a disaster.
  • File storage durability: user-uploaded content is stored in highly durable object storage with versioned, replicated storage classes provided by the cloud provider.

We periodically test recovery procedures, including restoration from backups in non-production environments, to validate that data and services can be recovered within acceptable timeframes. Business continuity planning considers scenarios such as cloud service disruptions, data corruption and regional outages.

Third-party risk management

Positive Prime relies on several reputable third-party providers for infrastructure, payment processing, analytics, email delivery, content delivery and authentication. Examples include:

  • Cloud infrastructure and database: Amazon Web Services (AWS) for compute, storage, networking and managed databases.
  • Content delivery and edge security: services such as CloudFront, Cloudflare and Bunny.net to improve performance and provide resilient, TLS-enabled edges.
  • Payments and communications: providers such as Stripe and reputable email and notification services integrated via our backend services.

Before onboarding critical service providers, Positive Prime assesses:

  • The provider's security posture, certifications and reputation.
  • Data handling, residency and subprocessor arrangements.
  • Contractual terms covering confidentiality, data protection and incident notification.

We recognise that some data may be stored or processed outside Australia by these providers. In such cases, Positive Prime takes reasonable steps to ensure that overseas recipients protect personal information in a manner consistent with the Australian Privacy Principles.

Commitment to continuous improvement

Cyber security and privacy risks evolve rapidly, and Positive Prime is committed to continuous improvement in our controls, processes and culture. Our ongoing initiatives include:

  • Regularly reviewing infrastructure-as-code, application dependencies and configuration against current best practices and the ACSC Essential Eight guidance.
  • Enhancing logging, monitoring and alerting to detect and respond to anomalous activity more quickly.
  • Continuing to mature our secure development lifecycle, including threat modelling for new features, improved test coverage and automated security checks.
  • Providing training and guidance to staff on secure coding, privacy responsibilities and incident reporting.

Positive Prime welcomes dialogue with customers, partners and government agencies regarding our security posture and is committed to demonstrating progress through transparent practices and, over time, appropriate independent assurance.

Questions about security or compliance?

If you would like to discuss this statement, request additional information, or share specific security requirements, our team is happy to help.

Contact the Positive Prime team