Security Questionnaire
Pre-filled responses to common enterprise security, privacy, and compliance questions. This document is intended for IT security teams, CISOs, and procurement departments evaluating AssetArc.

| # | Question | Response |
|---|---|---|
| 1.1 | Legal entity name | AssetArc (Sole Trader — Craig Muldoon, ABN pending) |
| 1.2 | Business address | Adelaide, South Australia, Australia |
| 1.3 | Year established | 2025 |
| 1.4 | Number of employees | 1 (sole operator) |
| 1.5 | Website | https://assetarc.io |
| 1.6 | Primary contact for security enquiries | craig@assetarc.io |
| 1.7 | Product / service description | Cloud-based FM analytics SaaS platform with 120+ tools for work order classification, asset lifecycle modelling, benchmarking, predictive analytics, and strategic planning. |
| 1.8 | Target market | Facilities management teams, asset managers, maintenance teams, property managers. |

| # | Question | Response |
|---|---|---|
| 2.1 | What data do you collect from customers? | Work order descriptions, asset registers, contractor data, energy data, and other FM operational data that users voluntarily import via CSV. Account data: email, name, company. |
| 2.2 | Where is customer data stored? | DigitalOcean Managed Infrastructure, Sydney (SYD1) data centre, Australia. |
| 2.3 | Is data encrypted at rest? | ✓ Database hosted on DigitalOcean managed infrastructure with encryption at rest via AES-256. |
| 2.4 | Is data encrypted in transit? | ✓ TLS 1.2+ enforced via HTTPS. HSTS enabled with max-age 31536000. Certificates managed by Let's Encrypt via Caddy. |
| 2.5 | Do you share data with third parties? | No customer data is shared with third parties. Third-party services used: Stripe (payment processing), Resend (transactional email). Neither has access to customer operational data. |
| 2.6 | Data retention policy | Customer data retained while account is active. Deleted within 30 days of account deletion request. Users can delete individual datasets at any time. |
| 2.7 | Can customers request data deletion? | ✓ Users can delete their own datasets at any time. Full account deletion available via account settings or by contacting craig@assetarc.io. |
| 2.8 | Data residency options | Default: Australia (Sydney). Enterprise plans can configure data region. |
| 2.9 | Privacy policy | Available at https://assetarc.io/about (Disclaimer section). |
| 2.10 | GDPR compliance | ✓ AssetArc processes minimal personal data (email, name). Users can export and delete their data at any time. Data Processing Agreements available for enterprise customers. |
| 2.11 | Do you process any PII? | Minimal — email address and display name for account management. No health, financial, or sensitive personal data collected. Operational data imported by users may contain building/asset names but typically does not include PII. |

| # | Question | Response |
|---|---|---|
| 3.1 | Authentication method | Email/password with bcrypt hashing (Werkzeug generate_password_hash). |
| 3.2 | Multi-factor authentication | ✓ Optional TOTP-based 2FA (compatible with Google Authenticator, Authy, etc.). |
| 3.3 | Password requirements | Minimum 8 characters. Passwords hashed with bcrypt (never stored in plaintext). |
| 3.4 | Session management | Server-side Flask sessions. Cookies: Secure, HttpOnly, SameSite=Lax. |
| 3.5 | Account lockout | Rate limiting: 10 login attempts per minute, 5 registration attempts per minute. |
| 3.6 | Role-based access control | Three roles: Admin (manage company settings and members), Member (import/export data), Viewer (read-only access). |
| 3.7 | SSO support | Available on Enterprise plans (contact for configuration). |
| 3.8 | API authentication | Bearer token (API key). Keys are SHA-256 hashed in the database. Only the prefix is stored in plaintext for identification. |
| 3.9 | Password reset | JWT-based token sent via email, expires in 24 hours. |
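The API-key storage scheme in item 3.8 (SHA-256 hash stored, only a short plaintext prefix kept for lookup), written out as an added illustration that is not AssetArc's own code. The `aa_` key prefix, the 8-character lookup prefix and the dict-based "database" are assumptions made for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed example, not AssetArc's implementation. A key is shown to the user
# once; the store keeps only its first PREFIX_LEN characters (plaintext, for
# identification) and the SHA-256 hash of the whole key.
PREFIX_LEN = 8  # assumed length of the stored plaintext prefix


def generate_api_key() -> tuple[str, dict]:
    """Return (plaintext_key, db_record). The plaintext key itself is never stored."""
    key = "aa_" + secrets.token_urlsafe(32)  # "aa_" is an assumed vanity prefix
    record = {
        "prefix": key[:PREFIX_LEN],
        "key_hash": hashlib.sha256(key.encode()).hexdigest(),
    }
    return key, record


def extract_bearer_token(authorization_header: str | None) -> str | None:
    """Parse 'Authorization: Bearer <key>'; return None for anything else."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_api_key(presented: str, records: list[dict]) -> dict | None:
    """Narrow candidates by plaintext prefix, then compare hashes in constant time."""
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    for rec in records:
        if rec["prefix"] != presented[:PREFIX_LEN]:
            continue
        # compare_digest avoids leaking how many hash characters matched.
        if hmac.compare_digest(rec["key_hash"], presented_hash):
            return rec
    return None


if __name__ == "__main__":
    key, rec = generate_api_key()
    print("stored record:", rec)  # contains the prefix and hash, not the key
    token = extract_bearer_token(f"Bearer {key}")
    print("valid:", verify_api_key(token, [rec]) is rec)
```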

| # | Question | Response |
|---|---|---|
| 4.1 | OWASP Top 10 mitigation | ✓ XSS: Jinja2 auto-escaping on all templates<br>✓ CSRF: Per-session tokens on all POST forms<br>✓ SQL Injection: SQLAlchemy ORM (parameterised queries)<br>✓ Clickjacking: X-Frame-Options: DENY |
| 4.2 | Input validation | All user inputs validated server-side. CSV imports parsed with Python csv module. File upload limited to .csv / .txt. |
| 4.3 | Security headers | X-Frame-Options: DENY<br>X-Content-Type-Options: nosniff<br>X-XSS-Protection: 1; mode=block<br>Referrer-Policy: strict-origin-when-cross-origin<br>Strict-Transport-Security: max-age=31536000 |
| 4.4 | Rate limiting | Flask-Limiter: login 10/min, registration 5/min, forgot-password 3/min, API 200/day default (configurable per plan). |
| 4.5 | Vulnerability scanning | Manual code review. Dependency updates tracked via pip. |
| 4.6 | Penetration testing | Not yet conducted. Available for enterprise customers upon request. |
| 4.7 | Bug bounty program | Not currently. Security issues can be reported to craig@assetarc.io. |
| 4.8 | Logging and monitoring | Audit logging of login, registration, impersonation, data imports, and configuration changes. Server logs via systemd/journalctl. |
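A way for an evaluator to verify the header and cookie claims in items 3.4 and 4.3 against a real response, added here as an example and not part of AssetArc's code base. The two sample responses are constructed; the function takes any list of (name, value) header pairs.

```python
from __future__ import annotations
import re

# Expected values copied from items 3.4 and 4.3 of the questionnaire.
EXPECTED_HEADERS = {
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
}
HSTS_MIN_AGE = 31536000
REQUIRED_COOKIE_FLAGS = ("secure", "httponly", "samesite=lax")


def check_response(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings (empty when the response matches the stated policy)."""
    findings: list[str] = []
    lower = {name.lower(): value.strip() for name, value in headers}
    for name, want in EXPECTED_HEADERS.items():
        got = lower.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    m = re.search(r"max-age=(\d+)", lower.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("missing or malformed strict-transport-security")
    elif int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(f"hsts max-age {m.group(1)} below {HSTS_MIN_AGE}")
    for name, value in headers:  # every Set-Cookie header is checked separately
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        findings += [f"cookie {cookie} lacks {f}" for f in REQUIRED_COOKIE_FLAGS if f not in attrs]
    return findings


# Constructed sample responses: one matching the policy, one falling short of it.
GOOD_RESPONSE = [
    ("X-Frame-Options", "DENY"), ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/"),
]
WEAK_RESPONSE = [
    ("X-Frame-Options", "SAMEORIGIN"), ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
```

Against a live deployment, pass `resp.getheaders()` from `urllib.request.urlopen(...)` as the argument; an empty list means the response matches what the questionnaire states.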

| # | Question | Response |
|---|---|---|
| 5.1 | Hosting provider | DigitalOcean (Sydney SYD1 data centre). |
| 5.2 | Server operating system | Ubuntu 22.04 LTS. |
| 5.3 | Application stack | Python 3.12, Flask 3.1, Gunicorn (WSGI), Caddy (reverse proxy + HTTPS). |
| 5.4 | Database | PostgreSQL (DigitalOcean managed). |
| 5.5 | Backup strategy | ✓ DigitalOcean automated backups. Database snapshots. |
| 5.6 | Disaster recovery | RTO: 4 hours. RPO: 24 hours. Single-region deployment. |
| 5.7 | Uptime SLA | 99.5% target (non-contractual). Enterprise SLAs available. |
| 5.8 | Change management | Git version control (GitHub). All changes reviewed before deployment. |
| 5.9 | Incident response | Security incidents addressed within 24 hours. Customers notified via email if their data is affected. |

| # | Question | Response |
|---|---|---|
| 6.1 | SOC 2 certification | Not currently certified. Roadmap item for enterprise customers. |
| 6.2 | ISO 27001 certification | Not currently certified. |
| 6.3 | PCI DSS compliance | ✓ AssetArc does not store, process, or transmit credit card data. All payment processing handled by Stripe (PCI DSS Level 1 certified). |
| 6.4 | Australian Privacy Act compliance | ✓ Minimal personal data collected, users can access/delete their data, no data sold to third parties. |
| 6.5 | GDPR compliance | ✓ Data minimisation practiced. Right to access, right to erasure, and right to data portability supported. DPA available on request. |
| 6.6 | Data breach notification | ✓ Affected customers notified within 72 hours of a confirmed breach, in compliance with the Notifiable Data Breaches scheme. |

| # | Service | Details |
|---|---|---|
| 7.1 | Payment processing | Stripe (PCI DSS Level 1). No card data touches AssetArc servers. |
| 7.2 | Email delivery | Resend (transactional email only — password resets, notifications). No customer operational data in emails. |
| 7.3 | DNS / Domain | Squarespace Domains (DNS hosting). |
| 7.4 | CDN / Static assets | Tailwind CSS, Chart.js, HTMX, Alpine.js loaded from CDN (cdn.tailwindcss.com, cdn.jsdelivr.net, unpkg.com). No customer data sent to CDNs. |
| 7.5 | Analytics | Google Analytics (optional, configurable by admin). No customer operational data sent to GA. |
| 7.6 | AI / LLM services | Claude CLI used for Content Studio (newsletter drafting). No customer data sent to AI services — only admin-initiated content generation. |
| 7.7 | Subprocessors | Stripe, Resend, DigitalOcean. Full subprocessor list available on request. |

Last updated: March 2026

Questions or need a signed copy? Contact craig@assetarc.io