Security & Trust
Your subbies' documents, handled carefully.
This page is maintained by SubbieSafe to describe the security controls we currently have in place. It is not a certification or independent audit.
Encryption in transit & at rest
All traffic is served over HTTPS/TLS. Documents and database content are encrypted at rest by our managed infrastructure provider.
Row-level access control
Every document is owned by a specific account. Row-level security policies enforce that owners can only ever read or write their own data.
Signed download links
Files are stored in a private bucket. Downloads use short-lived signed URLs — no public file URLs are ever exposed.
Tokenised subbie portals
Subcontractor upload pages use unguessable tokens. No subbie can see another subbie's documents or upload to the wrong record.
Leaked-password protection
Sign-ups and password changes are checked against the HaveIBeenPwned breached-password list to block weak or compromised passwords.
Branded, authenticated email
Reminder emails are sent from a verified sending domain with SPF, DKIM and DMARC managed automatically, reducing spoofing risk.
Shared responsibility
SubbieSafe provides the platform-level controls listed above. You remain responsible for account hygiene (strong unique passwords, prompt removal of ex-team members) and for confirming that the documents you accept actually satisfy your insurance and regulatory requirements.
Reporting a vulnerability
If you believe you have found a security issue, email admin@subbiesafe.com.au. Please do not publicly disclose details until we have had a reasonable chance to investigate.