Security

Last updated: January 2025

1. Our Security Commitment

At Bill Zap, security isn't an afterthought—it's built into every aspect of our electricity bill comparison service. We understand that you're trusting us with sensitive financial information, and we take that responsibility seriously.

Our security approach is based on three core principles:

Defence in Depth: Multiple layers of security protection
Zero Trust: Verify everything, trust nothing
Privacy by Design: Security measures that protect your privacy

2. Data Encryption

2.1 Encryption in Transit

TLS 1.3 Encryption

All data transmission protected with latest TLS 1.3 protocol
Perfect Forward Secrecy ensures past communications remain secure
Strong cipher suites: ChaCha20-Poly1305, AES-256-GCM
HTTP Strict Transport Security (HSTS) enforced

2.2 Encryption at Rest

AES-256 Encryption

All stored data encrypted using AES-256 encryption
Separate encryption keys for different data types
Key rotation performed regularly
Hardware Security Modules (HSMs) for key management

2.3 Processing Encryption

Encrypted Processing

Data remains encrypted during OCR processing
Encrypted memory allocation for sensitive operations
Secure enclaves for bill analysis algorithms
Immediate encryption of extracted data

3. Infrastructure Security

3.1 Australian Data Sovereignty

Local Hosting

All servers located in Australian data centres
Compliance with Australian Government security requirements
Physical security controls including biometric access
24/7 security monitoring and surveillance

3.2 Network Security

Multi-Layer Protection

Network segmentation isolating sensitive systems
Web Application Firewall (WAF) filtering malicious traffic
DDoS protection with automatic mitigation
Intrusion Detection and Prevention Systems (IDS/IPS)

3.3 Server Hardening

Secure Configuration

Minimal service installation (principle of least functionality)
Regular security patching and updates
Secure boot and trusted platform modules
File integrity monitoring and change detection

4. Application Security

4.1 Secure Development

Security by Design

OWASP Top 10 vulnerability protection
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Regular code reviews and security assessments

4.2 Input Validation and Sanitisation

Data Validation

Comprehensive input validation for all user data
SQL injection prevention through parameterised queries
Cross-Site Scripting (XSS) protection
File upload restrictions and malware scanning

4.3 Authentication and Session Management

Secure Sessions

Secure session token generation and management
Session timeout and automatic logout
Protection against session fixation attacks
Secure cookie configuration with HttpOnly and Secure flags

5. Access Controls

5.1 Administrative Access

Multi-Factor Authentication

MFA required for all administrative access
Hardware security keys for privileged accounts
Time-based One-Time Passwords (TOTP)
Biometric authentication where available

5.2 Role-Based Access Control

Principle of Least Privilege

Granular permissions based on job requirements
Regular access reviews and recertification
Automatic deprovisioning of inactive accounts
Separation of duties for critical operations

5.3 Privileged Access Management

Elevated Access Controls

Just-in-time access for privileged operations
Session recording and monitoring
Approval workflows for sensitive changes
Emergency access procedures with full audit trails

6. Monitoring and Incident Response

6.1 Security Monitoring

24/7 Surveillance

Security Information and Event Management (SIEM)
Real-time threat detection and alerting
User and Entity Behavior Analytics (UEBA)
Automated incident response workflows

6.2 Vulnerability Management

Proactive Security

Regular vulnerability scanning and assessment
Penetration testing by certified security professionals
Bug bounty program for responsible disclosure
Rapid patching of identified vulnerabilities

6.3 Incident Response

Rapid Response

Dedicated incident response team available 24/7
Documented incident response procedures
Automated containment and mitigation systems
Post-incident analysis and improvement processes

7. Data Protection Measures

7.1 Automatic Data Anonymisation

Privacy Protection

Automated removal of personal identifiers
Pattern matching for names, addresses, account numbers
Data masking and tokenisation techniques
Differential privacy for statistical analysis

7.2 Secure Data Deletion

Permanent Removal

Cryptographic erasure of encryption keys
Multiple-pass overwriting of storage media
Secure deletion verification and logging
Physical destruction of decommissioned hardware

7.3 Backup Security

Protected Backups

Encrypted backups with separate key management
Air-gapped backup storage for critical systems
Regular backup integrity testing
Immutable backup storage to prevent tampering

8. Compliance and Certifications

8.1 Australian Compliance

Privacy Act 1988: Full compliance with Australian Privacy Principles
Notifiable Data Breaches: Incident response procedures aligned with requirements
Australian Government ISM: Security controls based on ISM recommendations
Essential Eight: Implementation of ASD's Essential Eight strategies

8.2 International Standards

ISO 27001: Information security management system alignment
SOC 2 Type II: Independent security audit (planned)
OWASP: Web application security best practices
NIST Cybersecurity Framework: Risk management approach

9. Third-Party Security

9.1 Vendor Security Assessment

All third-party providers undergo rigorous security evaluation:

Security questionnaires and audits
Penetration testing requirements
Compliance certification verification
Ongoing security monitoring and reviews

9.2 Google Cloud Security

Our OCR processing partner provides:

ISO 27001, SOC 2, and other security certifications
Data processing in Australian regions only
Encryption in transit and at rest
Immediate data deletion after processing

10. User Security Best Practices

10.1 Safe Bill Uploading

To protect yourself when using Bill Zap:

Only upload bills from trusted devices and networks
Ensure you're on the official billzap.com.au website
Look for the padlock icon indicating secure connection
Don't share your upload session with others

10.2 Email Security

If you subscribe to savings notifications:

Use a secure email provider with two-factor authentication
Be cautious of phishing emails claiming to be from Bill Zap
We'll never ask for passwords or sensitive information via email
Unsubscribe anytime using the link in our emails

11. Security Updates and Improvements

11.1 Continuous Improvement

We continuously enhance our security through:

Regular security architecture reviews
Adoption of emerging security technologies
Staff security training and certification
Industry threat intelligence integration

11.2 Security Research

We welcome responsible security research:

Coordinated vulnerability disclosure program
Recognition for security researchers
Collaboration with the security community
Regular security conference participation

12. Contact Our Security Team

12.1 Security Concerns

For security-related questions or concerns:

Email: security@billzap.com.au
Response Time: Within 24 hours for security issues

12.2 Vulnerability Reporting

To report security vulnerabilities:

Email: security@billzap.com.au
PGP Key: Available on request for sensitive reports
Responsible Disclosure: We commit to working with researchers

12.3 Security Incidents

If you believe you've experienced a security incident:

Immediate Contact: security@billzap.com.au
24/7 Response: Critical incidents handled immediately
Investigation: Full incident investigation and response