
Data Protection

2026.1

Changineers takes the confidentiality and integrity of its customer data very seriously. As stewards and partners of Changineers Customers, we strive to assure data is protected from unauthorized access and that it is available when needed. The following policies drive many of our procedures and technical controls in support of the Changineers mission of data protection.

Production systems that create, receive, store, or transmit Customer data (hereafter “Production Systems”) must follow the requirements and guidelines described in this section.

Changineers policy requires that:

(a) Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.

(b) Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.

(c) Workforce members shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery.

(d) All Production Systems must disable services that are not required to achieve the business purpose or function of the system.

(e) All access to Production Systems must be logged, following the Changineers Auditing Policy.

(f) All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.

Data Protection Implementation and Processes


Data is classified and handled according to the Changineers Data Handling Specifications and Data Classification document.

Critical, confidential and internal data will be tagged upon creation, if tagging is supported. Each tag maps to a data type defined in the data classification scheme, which then maps to a protection level for encryption, access control, backup, and retention. Data classification may alternatively be identified by its location/repository. For example, source code in Changineers’s GitHub repository is considered “Internal” by default, even though a tag is not directly applied to each source file.

Critical and confidential data is always stored and transmitted securely, using approved encryption standards. More details are specified in Changineers’s Data Classification and Handling document.

All IT systems that process and store sensitive data follow the provisioning process, configuration, change management, patching and anti-malware standards as defined in Configuration and Change Management document.

Changineers hosts on Amazon Web Services. The primary region is ap-southeast-2 (Sydney), with replication to ap-southeast-4 (Melbourne) for disaster recovery. See the Subprocessors list for the full set of third parties that process or transit customer data.

All Changineers employees, systems, and resources adhere to the following standards and processes to reduce the risk of compromise of Production Data:

  1. Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
  2. Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
  3. Ensure Changineers Customer Production Data is segmented and only accessible to the Customer authorized to access that data.
  4. All Production Data at rest is stored on encrypted volumes using encryption keys managed by Changineers. Encryption at rest is ensured through the use of automated deployment scripts referenced in Configuration and Change Management.
  5. Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.
  6. Encrypted volumes use approved cipher algorithms, key strength, and key management process as defined in §12.3.1 above.

Changineers employee access to production is disabled by default and guarded by an approval process. When a request is approved, temporary production access is granted. Production access is reviewed by the security team on a case-by-case basis.

Customer data is logically separated at the database/datastore level using a unique identifier for the institution. The separation is enforced at the API layer where the client must authenticate with a chosen institution and then the customer unique identifier is included in the access token and used by the API to restrict access to data to the institution. All database/datastore queries then include the institution identifier.

Implementation of multi-tenanted storage follows Amazon’s SaaS Storage Strategies for Multi-tenant Storage principles.
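The tenant-scoping pattern described above (institution identifier carried in the verified access token and applied as a predicate on every datastore query), as an added illustration that is not Changineers code. The HMAC token format, the claim names, the SQLite schema and the sample rows are all constructed assumptions for the demo; the point it shows is that the tenant identifier never comes from a caller-controlled parameter, and that even a lookup by primary key keeps the tenant predicate so a guessed identifier from another institution returns nothing.

```python
"""Tenant-scoped data access (constructed example, not Changineers code)."""
import base64
import hashlib
import hmac
import json
import sqlite3
from typing import List, Optional

# Constructed signing secret for the demo only; a real deployment keeps this
# in a secrets store, never in source.
_SIGNING_KEY = b"demo-only-signing-key"


def issue_token(user_id: str, institution_id: str) -> str:
    """Mint an HMAC-signed token that carries the institution (tenant) claim."""
    payload = json.dumps({"sub": user_id, "institution_id": institution_id},
                         sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    sig = hmac.new(_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def institution_from_token(token: str) -> str:
    """Verify the token signature and return its institution claim.

    The tenant identifier is taken only from the verified token, never from a
    query string or request body the caller controls.
    """
    body, _, sig = token.rpartition(".")
    expected = hmac.new(_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token signature")
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    return claims["institution_id"]


def build_store() -> sqlite3.Connection:
    """In-memory datastore with constructed rows for two institutions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, "
                 "institution_id TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO records (institution_id, body) VALUES (?, ?)",
        [("inst-A", "A record 1"), ("inst-A", "A record 2"), ("inst-B", "B record 1")],
    )
    return conn


def list_records(conn: sqlite3.Connection, token: str) -> List[str]:
    """Every query includes the institution identifier from the token."""
    inst = institution_from_token(token)
    rows = conn.execute(
        "SELECT body FROM records WHERE institution_id = ? ORDER BY id", (inst,)
    ).fetchall()
    return [r[0] for r in rows]


def get_record(conn: sqlite3.Connection, token: str, record_id: int) -> Optional[str]:
    """Lookup by primary key still carries the tenant predicate, so an id that
    belongs to another institution returns None instead of leaking."""
    inst = institution_from_token(token)
    row = conn.execute(
        "SELECT body FROM records WHERE id = ? AND institution_id = ?",
        (record_id, inst),
    ).fetchone()
    return row[0] if row else None
```

Usage: `get_record(build_store(), issue_token("alice", "inst-A"), 3)` returns `None` because record 3 belongs to `inst-B`, while the same call with a token for `inst-B` returns the record. The design choice worth noting is that the predicate is added inside the data-access function, not left to each caller, so there is no code path that can forget it.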

For details on the backup and recovery process, see controls and procedures defined in Data Management.

Changineers uses AWS CloudWatch/CloudTrail to monitor the entire cloud service operation. If a system failure occurs and an alarm is triggered, key personnel are notified by text, chat, and/or email message in order to take appropriate corrective action. Escalation may be required, and there is an on-call rotation for major services when further support is necessary.

For details on the monitoring and alerting process, see controls and procedures defined in Application Observability.

Customer data is stored in AWS Australia. By default, the primary region is ap-southeast-2 (Sydney), with replication to ap-southeast-4 (Melbourne) for disaster recovery. Data does not leave Australia.

Once data reaches the public internet, Changineers does not currently limit access based on geographic location.

Changineers respects the laws and legislation of the region in which a Customer’s data resides. For example, in Australia Changineers honours the Australian Privacy Principles and the Information Privacy Principles by performing (but not limited to) the following:

  • Maintaining full and accurate records of data access and modification
  • Not collecting personal information unless it is necessary for the functions of the application
  • Obtaining consent from users for the collection and storage of data
  • Maintaining the proper and correct security practices outlined in this policy

All Changineers production data stores are encrypted at rest using AES-256 with keys managed by AWS Key Management Service (KMS). This includes:

  • The platform’s primary relational database (Amazon Aurora PostgreSQL).
  • DynamoDB tables used by the platform.
  • Content and media objects in Amazon S3.
  • Secrets held in AWS Secrets Manager.

Encryption uses AWS-managed KMS keys, which AWS rotates on its standard schedule as described in the Encryption Key Management procedure.

Full-disk encryption is enabled on all Changineers end-user laptops and workstations using the operating system’s native facility (FileVault on macOS, BitLocker on Windows, LUKS on Linux). Recovery keys are held by the device owner and backed up to the Security Officer.

  1. All external data transmission is encrypted in transit. This includes cloud infrastructure, third-party vendors, and customer-facing endpoints.

  2. Transmission encryption keys are managed by the relevant service provider (for example, AWS Certificate Manager for platform TLS certificates) and are not accessible to Changineers workforce members.

  3. Authentication, authorisation, and auditing are enforced for all remote systems sending, receiving, or storing Changineers data.

  4. Transmission logs for all access to Production Data are retained and available for audit.

Public platform endpoints are served over TLS through Amazon CloudFront with a minimum protocol version of TLSv1.2_2021. Server certificates are issued by AWS Certificate Manager (2048-bit RSA by default, ECDSA P-256 where configured) and rotated automatically by ACM.

Internal traffic between Changineers services within AWS uses AWS-managed encryption in transit. AWS data-protection guidance for the services we use:

Data protection via end-user messaging channels


Restricted and sensitive data must not be sent over end-user messaging channels such as email or chat.

Data in Use, sometimes known as Data in Process, refers to active data being processed by systems and applications which is typically stored in a non-persistent digital state such as in computer random-access memory (RAM), CPU caches, or CPU registers.

Protection of data in use relies on application layer controls and system access controls. See the Production Security / SDLC.

Changineers applications implement logical account-level data segregation to protect data in a multi-tenancy deployment. In addition, Changineers applications may incorporate advanced security features such as Runtime Application Self Protection (RASP) modules and Attribute Based Access Control (ABAC) for protection of data in use.

Changineers uses AWS Key Management Service (KMS) for encryption key management.

  • Encryption at rest uses AWS-managed KMS keys provided by each AWS service (Aurora, DynamoDB, S3, Secrets Manager, EBS).

  • AWS-managed keys are rotated by AWS on its standard schedule.

  • KMS keys are inaccessible to all Changineers workers, and are usable only by the application systems themselves, as limited by IAM policies.

Changineers uses AWS Certificate Manager for certificate management.

  • Certificates are renewed automatically.

  • The security team monitors the certificates for expiration, potential compromise and use/validity. The certificate revocation process is invoked if a certificate is no longer needed or upon discovery of potential compromise.

When appropriate, Changineers engineering should implement “Versioning” and “Lifecycle”, or an equivalent data management mechanism, such that direct edit and delete actions are not allowed on the data, to prevent accidental or malicious overwrite. This protects against human error and cyberattacks such as ransomware.

In AWS, the IAM and S3 bucket policy in production will be implemented accordingly when the environments are configured. When changes must be made, a new version is created instead of editing and overwriting existing data.

  • All edits create a new version and old versions are preserved for a period of time defined in the lifecycle policy.

  • Data objects are “marked for deletion” when deleted so that they are recoverable if needed within a period of time defined according to the data retention policy.

  • Data is archived offsite, i.e. to a separate AWS account and/or region.
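The versioning, lifecycle and bucket-policy configuration the three points above describe, as an added example that is not Changineers configuration. It builds the three documents that boto3's `put_bucket_versioning`, `put_bucket_lifecycle_configuration` and `put_bucket_policy` accept, plus an audit function a defender can run over an existing bucket policy to confirm the protective Deny statements are present. The retention periods, the bucket name and the break-glass role ARN are placeholders; the offsite archive (replication to another account or region) is not covered here.

```python
"""S3 versioning + lifecycle protection (constructed example, not Changineers config)."""
import json
from typing import Dict, List

# Assumed retention values for the demo.
NONCURRENT_RETENTION_DAYS = 90  # how long superseded versions are kept
# Placeholder ARN for the one role allowed to bypass the Deny (break-glass only).
BREAK_GLASS_ROLE_ARN = "arn:aws:iam::111122223333:role/break-glass-s3-admin"

# Actions that would permanently destroy data or weaken the protection itself.
PROTECTED_ACTIONS = [
    "s3:DeleteObjectVersion",       # permanent removal of a specific version
    "s3:PutBucketVersioning",       # could suspend versioning
    "s3:PutLifecycleConfiguration", # could shorten retention
]


def versioning_config() -> Dict:
    """VersioningConfiguration argument: versioning must be Enabled, never Suspended."""
    return {"Status": "Enabled"}


def lifecycle_config() -> Dict:
    """LifecycleConfiguration argument.

    A plain DeleteObject on a versioned bucket only adds a delete marker, so the
    object stays recoverable. Superseded versions are kept for the retention
    period and then expired; delete markers left with no versions are cleaned up.
    """
    return {"Rules": [{
        "ID": "retain-then-expire-noncurrent",
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "NoncurrentVersionExpiration": {"NoncurrentDays": NONCURRENT_RETENTION_DAYS},
        "Expiration": {"ExpiredObjectDeleteMarker": True},
    }]}


def bucket_policy(bucket: str) -> Dict:
    """Deny the destructive/weakening actions to every principal except break-glass."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPermanentDeleteAndProtectionChanges",
            "Effect": "Deny",
            "Principal": "*",
            "Action": PROTECTED_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:PrincipalArn": BREAK_GLASS_ROLE_ARN}},
        }],
    }


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def missing_denies(policy: Dict) -> List[str]:
    """Audit helper: return the protected actions that no wildcard Deny covers."""
    denied = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        denied.update(_as_list(stmt.get("Action", [])))
    return [a for a in PROTECTED_ACTIONS if a not in denied]


def apply_protections(s3_client, bucket: str) -> None:
    """Apply all three settings through an injected boto3 S3 client.

    Nothing is called at import time; pass boto3.client("s3") when running for real.
    """
    s3_client.put_bucket_versioning(Bucket=bucket, VersioningConfiguration=versioning_config())
    s3_client.put_bucket_lifecycle_configuration(
        Bucket=bucket, LifecycleConfiguration=lifecycle_config())
    s3_client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(bucket_policy(bucket)))
```

Usage: `missing_denies(json.loads(s3.get_bucket_policy(Bucket=b)["Policy"]))` returns an empty list for a correctly protected bucket; any action it lists is one an ordinary principal could still use to permanently delete data or switch the protection off.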

Additionally, all access to sensitive data is authenticated, and audited via logging of the infrastructure, systems and/or application.

All log, metric and trace data captured throughout the system lifecycle is stored in Amazon CloudWatch, with access controlled through IAM policies. Changineers workers have read-only access to all observability data, with no mechanism to alter it. Data is retained for 90 days by default unless a Customer specifies otherwise.

Date       | Summary                                                                                                 | Approved by
2020-01    | Initial revision.                                                                                       | James Gregory
2026-04-24 | Updated backup, encryption-at-rest, in-transit, and data-sovereignty procedures to match current stack. | James Gregory
2026-04-25 | Aligned KMS procedures with use of AWS-managed keys and AWS-managed rotation schedule.                  | James Gregory