INTAXIO SECURITY OVERVIEW (API PLATFORM)

Last Updated: 1 December 2025

This Security Overview describes the key technical and organisational measures implemented by Intaxio Payroll Pty Ltd (Intaxio) to protect the confidentiality, integrity and availability of data processed via the Intaxio APIs and Developer Portal.

It should be read alongside the Customer API Agreement, the Data Processing Addendum (DPA), the Service Level Agreement (SLA) and the relevant Product Data Sheets.

1. SECURITY GOVERNANCE

Intaxio maintains information security policies covering access control, acceptable use, incident management, change management and data classification.
Security responsibilities are assigned to named roles within the business, with oversight from senior management.
Employees receive security and privacy training as part of onboarding and regularly thereafter (for example, phishing awareness and secure handling of payroll/tax data and TFN information).

2. INFRASTRUCTURE AND HOSTING

The Intaxio platform is hosted in modern, professionally managed data centres provided by a leading cloud infrastructure provider (for example, AWS) in Australian regions, unless otherwise agreed.
Infrastructure is provisioned using infrastructure-as-code and is subject to standard change control and review processes.
Production and non-production environments are logically segregated.

3. ACCESS CONTROL AND IDENTITY MANAGEMENT

Administrative access to production systems is restricted to a limited set of authorised personnel under the principle of least privilege.
Strong authentication (for example, multi-factor authentication) is required for administrative access and for key management systems.
Role-based access control (RBAC) is used to assign permissions within internal systems and the Developer Portal.
Access reviews are conducted periodically, and access is promptly revoked when staff leave or change roles.

4. DATA PROTECTION

4.1 In Transit

All external access to the Intaxio APIs and Developer Portal is enforced over encrypted channels (for example, TLS/HTTPS).
Mutual authentication and signing mechanisms may be supported for ATO/STP and other integration points, consistent with regulator requirements.

4.2 At Rest

Data at rest is encrypted using industry-standard encryption (for example, AES-256) at the storage layer and/or application layer.
Encryption keys are managed using a secure key management service with restricted access and rotation policies.

5. NETWORK SECURITY

Network access to production services is controlled using security groups, firewalls and/or network access control lists, with only necessary ports exposed.
Management interfaces are not exposed to the public internet; access is restricted via VPN, bastion hosts or equivalent secure mechanisms.
Web-facing endpoints are protected by managed services (for example, WAF, DDoS protection) where appropriate.

6. APPLICATION SECURITY

The Intaxio APIs and Developer Portal are developed following secure development practices, including code review, dependency management and segregation of environments (development, test and production).
Static and/or dynamic application security testing may be performed on key components.
Third-party libraries and dependencies are monitored for known vulnerabilities and updated as required.

7. LOGGING, MONITORING AND ALERTING

Security-relevant events (for example, authentication failures, privilege changes, API key use, system errors) are logged and retained for an appropriate period.
Centralised logging and monitoring are used to detect suspicious or anomalous activity.
Alerts are configured for defined thresholds and key events, with on-call processes for escalation.

8. BUSINESS CONTINUITY AND DISASTER RECOVERY

Backups are performed for key data and configurations at regular intervals and stored securely.
The platform is designed with redundancy at multiple layers (for example, availability zones) to reduce single points of failure, where supported by the hosting provider.
Disaster recovery and continuity plans exist to support restoration of service in the event of major incidents, subject to the service levels described in the SLA.

9. VULNERABILITY AND PATCH MANAGEMENT

Operating systems and platform components are patched regularly, with priority given to security-critical updates.
Vulnerability scanning is conducted on relevant infrastructure and applications.
Material vulnerabilities are assessed and remediated in line with defined timeframes based on severity and risk.

10. INCIDENT MANAGEMENT

Intaxio maintains an incident response process, including triage, containment, investigation, remediation and post-incident review.
Incidents involving potential compromise of Personal Information are handled in accordance with the DPA and applicable notifiable data breach regimes.
Customers are notified of material security incidents impacting their data without undue delay, in line with the DPA and SLA.

11. DATA RETENTION AND DELETION

Intaxio retains Customer data for the duration of the Agreement and for any additional period required by law or specified in the relevant Product Data Sheet (for example, minimum retention periods for tax/employment records).
On termination or upon Customer’s request (subject to technical feasibility and legal obligations), data can be exported and then securely deleted or de-identified in accordance with documented retention and deletion procedures.

12. CUSTOMER RESPONSIBILITIES

Security is a shared responsibility. Customer is responsible for:

securing its own systems, networks and devices that integrate with the Intaxio APIs;
managing its own users’ access to the Intaxio Developer Portal and related tools, including enforcing strong authentication where available;
protecting API keys, client secrets and other credentials issued by Intaxio; and
validating the correctness and fitness-for-purpose of API integrations, configurations and outputs in the context of Customer’s own environment and compliance obligations.