mulgamoney

Security

How we protect your information

You hand us identity documents and financial details; taking care of them is table stakes. In plain terms, here is what we do.

Storage and hosting

All customer data is stored and processed in Australia. Uploaded documents live in private, encrypted storage that is never publicly addressable — every download goes through an access-checked, logged endpoint. Database backups are encrypted.

Access

Staff access is role-based and minimal: retailer staff can never see financial details, and every staff view of an identity document is written to an append-only audit log. Staff and retailer accounts require two-factor authentication. Sessions are short-lived and revocable.

Application security

Passwords are hashed with Argon2id. All traffic is TLS-only with HSTS. We validate every input on the server, apply strict Content-Security-Policy headers, rate-limit sensitive endpoints, and verify request origins on every state-changing call.

Found a vulnerability?

Email security@mulgamoney.com. We read every report, we won't take legal action against good-faith research, and we'll credit you if you'd like.