Decide Your Money

Security Policy

Last updated: 28 April 2026

Decide Your Money (ABN 44 692 416 783, registered in Australia) takes the security of your data seriously. This policy summarises the technical and organisational measures we use to protect information you share with us, in line with the Australian Privacy Principles (APP 11) and equivalent obligations under the EU GDPR Article 32 and UK GDPR Article 32.

1. Data in Transit

All traffic between your browser and Decide Your Money is encrypted using TLS 1.2 or higher with HTTPS strictly enforced. We use HSTS to prevent protocol downgrade attacks. Our domain certificates are managed by our hosting provider and rotated automatically.

2. Data at Rest

Persistent data such as email addresses and order records is stored in managed databases that encrypt data at rest using industry-standard algorithms (AES-256 or equivalent). Access to production databases is restricted to authorised personnel and is mediated by server-side credentials only.

Lead magnet PDFs and method guide PDFs are stored on object storage with row-level security policies and signed URLs. Public lead magnet URLs are time-limited where appropriate.

3. Payment Security

Payments are processed by third-party PCI-DSS certified payment providers. Decide Your Money does not see, store, or process full credit card numbers, CVCs, or other sensitive payment credentials at any time. We receive only a transaction confirmation token from the payment provider sufficient to fulfil your order.

4. Access Controls

  • Access to production systems is limited to authorised personnel.
  • Strong, unique passwords with multi-factor authentication are enforced on all administrative accounts.
  • Server-side service credentials are stored in a secrets manager and never committed to source control.
  • Database access uses row-level security where applicable.
  • Audit logs are retained for security-relevant operations.

5. Bot, Spam, and Abuse Protection

Public-facing forms (contact, lead capture, privacy requests) are protected by rate-limiting and monitoring for unusual traffic patterns and abuse signals.

6. Third-Party Service Providers

We engage reputable third-party service providers for hosting, payment processing, email delivery, analytics (loaded only with your consent), and bot protection. Each provider is bound by a data processing agreement and is responsible for the security of data they handle on our behalf. The full list of subprocessors is available in our Privacy Policy.

7. Vulnerability Management

We monitor security advisories for our application dependencies and apply security patches in a timely manner. We periodically review configuration of hosting and database providers against current best practice.

8. Data Breach Response

In the event of an eligible data breach under the Australian Privacy Amendment (Notifiable Data Breaches) Act 2017, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) without undue delay. We will also notify affected EU residents under GDPR Article 33 and UK residents under UK GDPR Article 33 where applicable, and in any case within 72 hours of becoming aware of a qualifying breach where feasible.

Notifications will include, where applicable, the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

9. Reporting a Vulnerability

If you believe you have discovered a security vulnerability or any incident affecting Decide Your Money or its users, please email us immediately at security@decideyourmoney.com with as much detail as possible. We will acknowledge your report and investigate promptly. We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to respond. Decide Your Money does not currently operate a paid bug bounty programme but appreciates good-faith security research.

10. Limitations

No internet transmission or electronic storage method is completely secure. While we use reasonable technical and organisational measures, we cannot guarantee absolute security. You are also responsible for keeping your own devices, browsers, and account credentials secure.

11. Changes to This Policy

We may update this Security Policy from time to time as our infrastructure or threat landscape evolves. Material changes will be reflected by updating the “Last updated” date at the top of this page.

12. Contact

For questions about this Security Policy or our security practices, please use our contact form. For vulnerability reports specifically, see section 9 (Reporting a Vulnerability) above.