Our Commitment
Smartta AI is committed to building a robust security and compliance program. This page provides a transparent overview of our current security measures and our roadmap towards formal certifications. Our security program applies to Smartta Native Services. Resold Services are governed by the security programs of their respective providers. For security questions, contact security@smartplace.ai.
Compliance Status
Privacy and Data Processing
Roles & DPA: We act as a Data Processor for our customers. Our relationship is governed by our Data Processing Agreement (DPA).
Data Usage: Our Data Usage Framework explains how we use data: processing required to operate the service, aggregated statistics (which customers can opt out of), and AI model training (opt-in only).
Sub-processors: We partner with a limited number of sub-processors. A list is maintained at our Sub-processor Page.
Applicable Law: We process data in accordance with the Australian Privacy Act 1988 and Australian Privacy Principles (APPs).
Security Measures
Encryption
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest (AWS)
- Encrypted database backups
Authentication
- Multi-factor authentication (MFA)
- OAuth 2.0 support
- SAML 2.0 SSO available
Authorization
- Role-based access control (RBAC)
- Principle of least privilege
- Tenant-level data isolation
API Security
- JWT-based authentication
- TLS 1.2+ encryption
- Input validation and sanitisation
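The Authorization and API Security lists above name the controls; the following added example (illustrative code written for this page, not Smartta's implementation) shows how they combine in a single request check: a JWT verified with the algorithm pinned to HS256, the token's tenant claim bound to the tenant the request addresses, and a role check against a permission map. It also goes one step beyond the list by constructing an unsigned `alg=none` token and a payload-tampered token, the two classic JWT attacks a verifier must refuse. The key, the claim names `tenant_id` and `roles`, and the role map are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; the key and claim names are assumptions,
# not Smartta's. A real service loads the key from a secret store.
SECRET_KEY = b"example-hs256-key-do-not-use-in-production"

# Hypothetical role-to-permission map used for the RBAC check.
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(tenant_id, subject, roles, ttl_seconds=3600, now=None):
    """Mint an HS256 JWT carrying the tenant and roles the API will enforce."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "tenant_id": tenant_id, "roles": list(roles),
               "iat": now, "exp": now + ttl_seconds}
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_unsigned_token(payload) -> str:
    """What an attacker sends to a verifier that trusts the 'alg' header:
    alg=none with an empty signature. verify_token must reject it."""
    return f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(payload)}."


def verify_token(token, now=None):
    """Return the verified payload or raise ValueError with a short reason.

    The algorithm is pinned before the signature is examined, the MAC is
    compared in constant time, and a missing or non-integer 'exp' is invalid."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired")
    return payload


def authorize(token, requested_tenant, action, now=None):
    """Tenant isolation plus RBAC for one API request; returns (allowed, reason).

    The tenant named by the request (URL, body, header) must equal the tenant
    bound into the token, so a valid tenant-A token can never reach tenant-B data."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return False, str(exc)
    if claims.get("tenant_id") != requested_tenant:
        return False, "tenant mismatch"
    granted = set()
    for role in claims.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    if action not in granted:
        return False, "role lacks permission"
    return True, "ok"


if __name__ == "__main__":
    tok = issue_token("tenant-a", "alice", ["editor"])
    print(authorize(tok, "tenant-a", "write", now=None))  # allowed
    print(authorize(tok, "tenant-b", "read"))             # tenant mismatch
    print(authorize(forge_unsigned_token({"tenant_id": "tenant-a", "roles": ["admin"],
                                          "exp": int(time.time()) + 60}),
                    "tenant-a", "delete"))                # unexpected alg
```

The order of checks matters: algorithm pinning happens before any signature work, so a header that says `none` (or a different algorithm) is refused without the verifier ever consulting the key, and the tenant comparison happens before the role check, so a cross-tenant request is refused even when the caller is an admin in their own tenant.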
Infrastructure
Cloud Hosting: Our platform is hosted on Amazon Web Services (AWS) in the ap-southeast-2 (Sydney) region.
Network: Nginx reverse proxy with TLS termination. AWS VPC with security groups for network isolation.
Database: CouchDB with daily automated backups stored in AWS S3.
Application Security
Our development practices include code reviews and automated dependency scanning (GitHub Dependabot) to identify known vulnerabilities in third-party libraries.
Data Backup
Frequency: Daily automated backups of all customer databases.
Retention: 30 days of backup history.
Recovery: Best-effort recovery time targets of 4–24 hours depending on the failure scenario, with a recovery point objective of up to 24 hours (the last daily backup), meaning data written since that backup may not be recoverable. See our Service Level Agreement for details.
Incident Response
In the event of a confirmed data breach affecting Customer Data, Smartta AI will notify affected customers without undue delay and within 72 hours of confirmation, in accordance with our DPA and the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
Resold Services
Resold Services (including NoahFace) operate under their own security and compliance programs. Smartta AI performs due diligence before reselling third-party services. Service-specific terms are detailed in the applicable Resold Service Addendum, incorporated by reference into Order Forms.
AI/ML Transparency
Our AI features give customers control over how their data is used. Processing required to operate the service cannot be disabled; aggregated statistics are opt-out; AI/ML model training is strictly opt-in. Details are in our Data Usage Framework.
Shared Responsibility
Smartta AI Manages
- Cloud infrastructure security
- Platform application security
- Data encryption (transit + rest)
- Database backups
- Patch management
Customer Manages
- User credentials and access
- SSO/MFA configuration
- Data accuracy and classification
- Endpoint device security
- Employee consents (e.g. biometric data)