Security & Compliance
1. Platform Security
- Encryption: AES-256 at rest, TLS 1.3 in transit. All sensitive data encrypted.
- Infrastructure: Hosted on SOC 2 certified cloud. Geo-redundant backups.
- Access Control: RBAC, MFA, session management, immutable audit trails.
- Vulnerability Mgmt: Regular pen testing, dependency scanning, SAST/DAST.
- Data Isolation: Multi-tenant with per-org data isolation. No cross-tenant access.
- Incident Response: 72-hour breach notification. Documented IR playbook.
2. Compliance Certifications
Activitee is pursuing the following certifications and attestations:
- SOC 2 Type II — In progress (2026 target). Covers security, availability, and confidentiality trust service criteria.
- ISO 27001:2022 — Planned. Information security management system certification.
- IRAP Ready — Platform designed to support PROTECTED-level assessments under the Australian ISM/PSPF framework.
- Essential Eight Maturity Level 2 — Self-assessed. Application whitelisting, patching, MFA, backup, macro controls.
3. Data Residency & Sovereignty
Customer Data is stored exclusively in the region selected during onboarding:
- Australia (Sydney, ap-southeast-2) — Default for AU/NZ customers
- United States (US-East, us-east-1)
- Europe (EU-West, eu-west-1)
- Asia-Pacific (Singapore, ap-southeast-1)
We do not transfer Customer Data across regions without explicit written consent. Enterprise customers receive contractual data residency guarantees.
4. Copyright Policy
All content, software, documentation, user interfaces, compliance framework descriptions, and intellectual property on the Activitee platform and website are the exclusive property of ThoughtWorx Pty Ltd (ABN 68 610 430 192), unless otherwise stated.
Compliance frameworks referenced within the platform (such as NIST CSF, ISO 27001, Essential Eight) are the property of their respective standards bodies. Activitee provides interpretive guidance and assessment tooling — not the official standard text. Users are responsible for obtaining official standard documents from the relevant issuing authority.
Reproduction, redistribution, or reverse engineering of Activitee’s software, reports, or content without written permission is prohibited. Assessment reports generated by the platform may be shared with authorised third parties (auditors, assessors) under the customer’s licence terms.
5. Cookie Policy
5.1 Essential Cookies
We use strictly necessary cookies for:
- Session management and authentication (JSESSIONID)
- CSRF protection tokens
- User preference storage (theme, language)
These cookies are required for the Platform to function and cannot be disabled.
5.2 Analytics Cookies
With your consent (where required by applicable law), we use analytics cookies to understand usage patterns, improve the platform, and measure feature adoption. We do not use advertising or tracking cookies. We do not share cookie data with third-party advertisers.
5.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Platform. For analytics cookies, we respect Do-Not-Track (DNT) browser signals where applicable.
6. Responsible Disclosure
If you discover a security vulnerability in the Activitee platform, please report it responsibly:
- Email: security@activitee.io
- Include a detailed description and steps to reproduce
- We will acknowledge receipt within 24 hours
- We commit to resolving critical vulnerabilities within 72 hours
- We do not pursue legal action against good-faith security researchers
7. Subprocessors
We use the following third-party subprocessors, all bound by Data Processing Agreements:
- Cloud infrastructure — Hosting, compute, storage, and networking
- Stripe — Payment processing (we do not store credit card details)
- Email provider — Transactional email delivery
We will notify customers of any material changes to subprocessors with at least 30 days’ notice.
8. Contact
For security enquiries, compliance documentation requests, or to report a vulnerability:
Security Team
ThoughtWorx Pty Ltd
ABN 68 610 430 192
Email: security@activitee.io