Cyber Security Policy

2026

Last update: April 2026

Infrastructure & Hosting

SocialPro is a cloud-native platform built entirely on Amazon Web Services (AWS). The application runs on a serverless architecture: AWS Lambda for backend services, Amazon RDS for the database tier, and Amazon S3 for file storage. This design provides scalability, resilience, and cost-efficiency while keeping the operational attack surface small, since there are no long-lived servers for SocialPro to patch or harden; operating-system and runtime patching for these managed services sits with AWS under the shared responsibility model.

The infrastructure is anchored in Australia, with data residency maintained in the AWS Sydney region (ap-southeast-2). Keeping data in-region supports SocialPro's obligations under Australian data sovereignty requirements, including the Privacy Act 1988. Frontend delivery is managed through Amazon CloudFront, and user authentication is handled by Amazon Cognito using passwordless login flows and token-based access (Cognito-issued JWTs).

Each environment (production, development, and testing) is isolated in its own AWS account under AWS Organizations. Organisation-level policy prohibits the deletion of logs in production to preserve audit integrity. All service communication is conducted over HTTPS (TLS), and data held by the managed services is encrypted at rest with AES-256 under keys managed in AWS KMS.
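As an added illustration (not SocialPro's own policy), the following is the kind of service control policy (SCP) that enforces a "no log deletion in production" rule from the organisation level, attached to the organisational unit that holds the production account. The audit-log bucket name is a placeholder. JSON carries no comments, so the assumptions are stated here: SCPs take no Principal element and apply to every IAM user and role in the member accounts, but never to the organisation's management account, which is one reason to keep audit logs out of that account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLogDeletionInProduction",
      "Effect": "Deny",
      "Action": [
        "logs:DeleteLogGroup",
        "logs:DeleteLogStream",
        "logs:PutRetentionPolicy",
        "logs:DeleteRetentionPolicy",
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDeletingArchivedLogObjects",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::example-prod-audit-logs",
        "arn:aws:s3:::example-prod-audit-logs/*"
      ]
    }
  ]
}
```

The CloudWatch Logs statement also blocks shortening a log group's retention, which is a quieter way to lose evidence than deleting the group outright; retention changes then have to be made deliberately at the organisation level. The S3 statement likewise blocks lifecycle rules, since an expiration rule on the audit bucket would delete objects without anyone calling DeleteObject. A simple check is to run `aws logs delete-log-group` from an administrator role inside the production account and confirm it fails with an explicit deny.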

Compliance & Certifications

SocialPro's application infrastructure is fully hosted on AWS, which maintains compliance with multiple international standards, including ISO 27001, ISO 27017/27018, SOC 1/2/3, and PCI DSS. Under the AWS shared responsibility model these attestations cover the underlying cloud infrastructure; controls within the SocialPro application and its configuration are SocialPro's responsibility and are described in the remainder of this document.

SocialPro is also undertaking its own ISO 27001 and SOC 2 certification process and is currently within the 90-day monitoring period, with certification anticipated in Q2 2026. As a precursor, Aikido performed a third-party assurance review in Q3 2025 to give internal confidence in the compliance environment before the certification process began.

In May 2025 SocialPro completed its most recent independent third-party penetration test, covering its external interfaces, application APIs, and backend components. Summary reports are available on request to partners or regulators. The next third-party penetration test is scheduled for May 2026, in line with the annual cadence set by internal governance controls.

Security Policies & Governance

SocialPro maintains a comprehensive suite of information security policies that guide its operational and technical controls. These include the Information Security Policy, Data Retention Policy, Business Continuity and Disaster Recovery Plans, Access Control Policy, Secure Development Policy, and Incident Response Policy. These documents are reviewed annually to ensure they remain current with evolving standards and emerging threats.

All employees and contractors undergo background checks prior to employment and receive mandatory annual security awareness training. Contractors are subject to the same access controls and policy requirements as internal staff, ensuring a consistent level of protection across the team.

Security governance is led by a dedicated team with defined roles and responsibilities for policy enforcement, access management, vulnerability response, and incident handling.

Data Protection

Data protection is a cornerstone of SocialPro's platform security model. All data is encrypted both in transit and at rest: data in transit is protected by current TLS versions, and data at rest in Amazon RDS and Amazon S3 is encrypted with AES-256 under keys managed in AWS KMS. Together these controls protect the confidentiality and integrity of information exchanged between users, services, and storage.
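An S3 bucket policy that enforces the in-transit and at-rest requirements above, added here as an example rather than SocialPro's own configuration; the bucket name, account ID and KMS key ID are placeholders. JSON has no comments, so the assumptions are noted here: the bucket is assumed to hold client files under a single customer-managed KMS key in ap-southeast-2, and every statement is a Deny so it applies regardless of what IAM permissions the caller otherwise has.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPlaintextTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-client-files",
        "arn:aws:s3:::example-client-files/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyLegacyTlsVersions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-client-files",
        "arn:aws:s3:::example-client-files/*"
      ],
      "Condition": {
        "NumericLessThan": { "s3:TlsVersion": 1.2 }
      }
    },
    {
      "Sid": "DenyUploadsWithoutKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-client-files/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithWrongKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-client-files/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:ap-southeast-2:123456789012:key/11111111-2222-3333-4444-555555555555"
        }
      }
    }
  ]
}
```

Two points worth knowing before copying this pattern. StringNotEquals evaluates to true when the condition key is absent from the request, so a PutObject that sends no encryption headers is denied even if bucket default encryption would have applied the same key; the policy is strict by design and clients must set both headers explicitly. The s3:TlsVersion statement rejects TLS 1.0 and 1.1 connections that the aws:SecureTransport check alone would still allow.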

Clients retain full ownership of their data. SocialPro provides data export in widely used formats (CSV, JSON, XML, and PDF) for portability and reuse. Clients may request data deletion at any time; a secure, standards-compliant erasure process is then followed, including removal from backups where feasible (backup snapshots otherwise age out under the 35-day retention period described under Disaster Recovery & Business Continuity).

Following termination of service, a Certificate of Data Destruction is issued confirming the methods used and the timeline for secure removal from all production and backup systems. The process aligns with NIST SP 800-88 and ISO/IEC 27040 guidance on secure data disposal. In a cloud environment, "destruction" means deletion of the relevant database records, S3 objects (including prior versions) and snapshots, with sanitisation of the underlying physical media handled by AWS as part of its own media-disposal controls.

Identity & Access Management

SocialPro's identity and access controls are built around the principle of least privilege and employ modern authentication and authorisation practices. User access is managed through Amazon Cognito, with support for passwordless authentication, federated login via SAML, and Multi-Factor Authentication (MFA) using authenticator apps (TOTP) or email one-time codes.

Access rights are granted based on well-defined roles, such as Administrator, Contractor Admin, or Subcontractor. Each role has access only to the data and functionality required for their responsibilities. Administrators are able to invite and manage users, while non-admins have access only to relevant project data and cannot access financial or system configuration settings. All access rights are regularly reviewed and immediately revoked upon employee departure or role change.

Monitoring, Logging & Incident Response

Monitoring and alerting are integrated into the SocialPro infrastructure through Amazon CloudWatch, AWS WAF, and AWS CloudTrail: CloudTrail records AWS API activity and configuration changes, CloudWatch collects application logs from the Lambda backend, and AWS WAF logs the web requests it inspects. Together these sources cover user actions, API requests, system changes, and authentication events. Logs are encrypted, write-once (immutable), and stored in a dedicated environment separate from operational data.

Sentry supports anomaly detection, providing real-time alerts for suspicious application events such as repeated failed logins or unauthorised access attempts. Alerts trigger predefined incident response workflows covering detection, containment, mitigation, recovery, and post-incident analysis.

The incident response plan is regularly reviewed and tested. No security breaches or unauthorised data access incidents have been reported in the past 12 months.

Single Sign-On (SSO) Integration

SocialPro supports enterprise Single Sign-On (SSO) via SAML 2.0, integrated through Amazon Cognito to federate with client identity providers such as Microsoft Entra ID and Okta. This lets organisations centralise authentication, enforce their existing Multi-Factor Authentication (MFA) policies, and avoid platform-specific credentials.

User provisioning and deprovisioning follow the client's identity provider, so disabling a user at the IdP blocks further sign-in to SocialPro and prevents orphaned accounts. Note that a session issued before the IdP change remains usable until its Cognito access token expires or its refresh token is revoked, so clients with strict offboarding requirements should confirm the configured token lifetimes with SocialPro. This approach provides a consistent authentication experience, strengthens security posture, and yields a centralised audit trail of user access in line with enterprise compliance and governance requirements.

Vulnerability & Patch Management

SocialPro maintains an active vulnerability management program that includes regular internal scans and prompt application of security patches. Vulnerability scans are conducted at least monthly, and critical patches are applied within 24 hours of release.

All code is developed following secure coding practices aligned with OWASP guidance. Dependency scanning (npm audit and Dependabot) runs in the CI/CD pipeline to detect outdated or vulnerable packages; this covers declared npm dependencies, while the Lambda runtime and the managed database and storage services are patched by AWS. The development, testing, and production environments are fully isolated to prevent data leakage or code conflicts. Internal and external penetration tests form part of the annual assurance process, and vulnerability disclosures are welcomed from customers and security researchers.

Third-Party Risk & Customer Control

SocialPro's approach to third-party risk management emphasises transparency and customer control. No data is shared with third parties without explicit client authorisation. Subcontractors within a project only access data relevant to their package and reporting responsibilities.

Clients are empowered to:

  • Audit the system and request evidence of compliance
  • Export and backup their data at any time
  • Request secure deletion of their data footprint, including historical backups

Audit logs, access logs, and reporting dashboards are available to demonstrate user activity and maintain full traceability.

Disaster Recovery & Business Continuity

SocialPro has implemented a robust disaster recovery and business continuity strategy. Key components include:

  • Daily backups of production data in Amazon RDS and Amazon S3 using AWS Backup
  • Retention of snapshots for up to 35 days
  • Redundant, fault-tolerant infrastructure
  • Cognito user pool backups for identity continuity

The Recovery Point Objective (RPO) is bounded by the daily backup cadence above, and the Recovery Time Objective (RTO) rests on AWS's regional redundancy and managed-service restore capabilities. DR testing is currently conducted on an ad hoc basis and is expected to be formalised into a regular cadence in FY26.