Security Information

Last Updated: 20th March 2025

Last updated: February 2026

At AdviseWell, we understand that trust is foundational to the advice industry. Our platform handles sensitive client and organisational data, and we take our responsibility to protect it seriously. This page outlines the security practices, architecture, and compliance measures we have in place.

SOC 2 Compliance

AdviseWell is pursuing SOC 2 Type II certification, demonstrating our commitment to the Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy. We use an industry-leading compliance platform to continuously monitor our controls, track evidence, and ensure alignment with SOC 2 requirements across our organisation and infrastructure.

Infrastructure Security

Cloud-Hosted, Multi-Region Architecture

AdviseWell is hosted on enterprise-grade cloud platforms (Google Cloud Platform and Microsoft Azure) within Australian data centres, ensuring data residency requirements are met. Our infrastructure is defined and managed entirely through Infrastructure as Code (IaC), which ensures consistency, auditability, and repeatability across all environments.

Network Security

  • Private networking: Application workloads run within private networks with no direct public internet exposure. All inter-service communication occurs over private, encrypted channels.
  • Zero Trust access: Internal systems are protected by a Zero Trust network architecture. Developer and administrative access requires identity verification and device posture checks before granting connectivity.
  • VPN connectivity: Cross-cloud communication is secured via encrypted VPN tunnels with redundancy and dynamic routing.
  • Web Application Firewall (WAF): All public-facing endpoints are fronted by a global CDN and WAF provider that delivers DDoS protection, bot mitigation, and TLS termination.
  • No publicly accessible VMs: Organisation-wide policies prevent virtual machines from being assigned external IP addresses. All management access is funnelled through secure tunnels.

Hardened Compute

  • Managed Kubernetes: Container workloads run on fully managed, auto-scaling Kubernetes clusters operating in private mode — control planes and nodes are not exposed to the public internet.
  • Shielded VMs: Where virtual machines are used, they are provisioned with Secure Boot, virtual Trusted Platform Modules (vTPM), and integrity monitoring enabled.
  • Automatic patching: Operating system-level security updates are applied automatically, and infrastructure VMs are routinely recreated to ensure a clean baseline.

Authentication & Access Control

User Authentication

  • Identity management is handled by a managed identity platform with support for email/password authentication, multi-factor authentication (MFA), and configurable session management.
  • Multi-Factor Authentication (MFA) is available and enforced where appropriate, providing an additional layer of protection beyond passwords.
  • Bot and abuse prevention: All authentication and sensitive API endpoints are protected by an enterprise-grade bot detection and challenge platform, mitigating credential stuffing, scraping, and automated abuse.
  • Anonymous access is disabled — all interactions with the platform require a verified identity.

Authorisation Model

  • Organisation-level data isolation: Every data access request is validated against the user's organisation membership. Users can only access data belonging to their own organisation.
  • Role-based access control: Administrative functions are restricted to authorised roles. Sensitive operations (e.g., billing, impersonation) have additional access restrictions and audit trails.
  • Principle of least privilege: Service accounts and automated processes are granted the minimum permissions required to perform their function. Custom IAM roles with scoped permissions are used throughout.
  • Service account key creation is disabled at the organisation level — all automated authentication uses short-lived, federated credentials via Workload Identity.

Data Protection

Encryption

  • Encryption in transit: All data in transit is encrypted using TLS. Inter-cloud communication uses IKEv2 VPN encryption, and developer access uses WireGuard-based encrypted tunnels.
  • Encryption at rest: All data at rest — including databases, file storage, and backups — is encrypted using cloud-managed encryption keys by default.

Backup & Recovery

  • Point-in-time recovery is enabled on our primary database, allowing restoration to any point within the recovery window.
  • Daily automated backups are performed with a defined retention period, ensuring data can be recovered in the event of accidental deletion or corruption.
  • Object versioning is enabled on file storage, providing an additional layer of protection against data loss.

Data Retention & Compliance Logging

  • Audit logs are retained for 7 years in a locked, immutable storage bucket. The retention policy cannot be shortened or removed, ensuring compliance with long-term record-keeping requirements.
  • Public access to storage is prevented at the organisation level via enforced policy — no storage bucket can be made publicly accessible.

Application Security

Secure Development Practices

  • Static Application Security Testing (SAST): Automated SAST tools scan application code for vulnerabilities on every deployment. This includes language-specific analysers for both frontend and backend codebases.
  • Dependency vulnerability scanning: All third-party dependencies are continuously monitored for known vulnerabilities using multiple scanning tools. High-severity findings block deployment.
  • Automated dependency updates: A managed dependency update service continuously proposes updates to third-party libraries, ensuring the application stays current with security patches.
  • Pre-commit hooks enforce code quality and security checks before code reaches the repository.

Security Scanning Pipeline

Every deployment passes through a mandatory security gate that includes:

  1. Open-source vulnerability scanning — checks all dependencies against known CVE databases
  2. Container image scanning — analyses built container images for OS-level and library-level vulnerabilities, with a high-severity cutoff
  3. SAST analysis — multi-language static analysis to detect insecure code patterns
  4. Backend-specific security linting — targeted analysis of server-side code for common security anti-patterns

Deployments are blocked if any scan identifies high or critical severity issues.

Input Validation & API Security

  • Database security rules enforce data structure, ownership, and access constraints at the platform level — independent of application code.
  • CORS policies restrict which origins can interact with backend APIs, with explicit per-environment allowlists.
  • Rate limiting is implemented on sensitive operations to prevent abuse.

CI/CD Security

  • No long-lived credentials: CI/CD pipelines authenticate to cloud providers using Workload Identity Federation — no service account keys or static credentials are stored in CI/CD systems.
  • Environment separation: Development, staging, and production environments are isolated with independent credentials, secrets, and access controls.
  • Immutable deployments: Container images are built in CI, pushed to a private artifact registry, and deployed as immutable units.
  • Branch protection: Production deployments are triggered only from protected branches with required reviews.
  • Concurrency controls prevent conflicting or duplicate deployments.
  • Production deletion protection is enabled at the infrastructure level to prevent accidental resource destruction.

Monitoring, Logging & Incident Response

Comprehensive Audit Logging

  • Organisation-wide audit logging is enabled for all cloud services, capturing administrative actions, data access events, and system events.
  • Dedicated audit logging is configured for over 25 critical services including identity management, compute, storage, networking, and secrets management.
  • Centralised log aggregation feeds into both long-term archival storage and a structured analytics platform for investigation and reporting.

Security Monitoring & Alerting

  • Infrastructure change monitoring: Automated alerts trigger on changes to network configurations, firewall rules, IAM roles, and project ownership — ensuring no security-relevant change goes unnoticed.
  • DNS query logging is enabled organisation-wide for forensic and compliance purposes.
  • Multi-tier alerting: Security events are classified by severity and routed to the appropriate response channel, including real-time notifications for critical events.
  • Billing anomaly detection identifies unexpected spend patterns that may indicate compromised resources.

Application Monitoring

  • Error tracking is integrated into both frontend and backend applications, providing real-time visibility into application-level issues.
  • Container metrics are collected via managed monitoring services across all Kubernetes clusters.
  • Structured logging is used throughout the application stack to support effective debugging and audit.

Vulnerability Disclosure

We welcome responsible security research. If you discover a potential security vulnerability in our platform, please contact us at security@advisewell.co. We commit to:

  • Acknowledging receipt within 48 hours
  • Providing regular updates on remediation progress
  • Not pursuing legal action against good-faith security researchers

Organisational Security

  • Identity-verified access: All employee access to internal systems requires identity verification through our Zero Trust provider.
  • Device posture checks: Endpoint health is verified before granting access to production systems.
  • Enforced organisation policies: Cloud-level organisation policies prevent insecure configurations such as public storage buckets, external VM IPs, unrestricted SQL access, and legacy network defaults.

Questions?

For security-related enquiries, please contact security@advisewell.co.