Security
Your Data Security is Our Priority
Migration professionals handle some of the most sensitive personal information there is — passport details, visa applications, health records, and financial data. We built ImmiIQ from the ground up with enterprise-grade security so you can focus on your clients, not on worrying about data breaches.
1. Encryption & Storage
Every piece of data you entrust to ImmiIQ is protected by multiple layers of encryption, both while it travels across the network and while it sits in our databases.
- Encryption in transit — all connections use TLS 1.3, the latest and strongest transport encryption standard. Data is encrypted from the moment it leaves your browser to the moment it reaches our servers.
- Encryption at rest — your data is stored on enterprise-grade database infrastructure with AES-256 encryption at rest, the same standard used by financial institutions and government agencies.
- Signed, time-limited document access — uploaded documents are never publicly accessible. Every file download generates a unique, cryptographically signed URL that expires within one hour. After expiry, the link becomes permanently invalid.
- No public document access — there is no way to access a client document without an authenticated, time-limited authorisation token. Direct URLs to documents do not exist.
2. Access Control
We enforce strict boundaries around who can see and do what within your organisation, ensuring that sensitive client data is only available to the people who need it.
- Role-based permissions — every team member is assigned a role (Admin or Member) with clearly defined capabilities. Admins control team access, billing, and organisation settings. Members can only access the features and data their role permits.
- Organisation-level data isolation — your data is completely isolated from every other organisation on the platform. There is no mechanism for cross-organisation data access, even at the database level.
- Request-level identity verification — every API request is verified against your organisation's identity. Requests that cannot be authenticated are rejected before reaching any data.
- Automatic session expiry — sessions expire automatically after a period of inactivity, reducing the risk of unauthorised access from unattended devices.
3. Authentication
We have eliminated the most common attack vector in software security: passwords. Our authentication system is designed to be both more secure and more convenient than traditional password-based login.
- Passwordless magic link authentication — instead of passwords (which can be guessed, phished, or leaked in data breaches), we use secure, one-time magic links sent to your verified email address. No passwords means no passwords to steal.
- Single-session enforcement — when you sign in from a new device, any existing sessions are automatically terminated. This prevents concurrent access from multiple devices without your knowledge.
- Bot protection — all authentication flows are protected by automated bot detection, preventing credential stuffing and brute-force attacks.
- Client portal verification — when your clients access their portal, they must verify their identity with a unique 6-digit code sent to their email. No shared passwords, no generic links.
4. Data Privacy
Security and privacy go hand in hand. We have built privacy protections directly into the architecture of the platform, not as an afterthought.
- Australian Privacy Act 1988 (APPs) — our data handling practices comply with the Australian Privacy Principles. We collect only what is necessary, use it only for stated purposes, and give you full control over your data.
- Sensitive field exclusion — passport numbers, dates of birth, and other sensitive personal information are automatically excluded from bulk exports and API list endpoints. This data is only available when viewing an individual client record with appropriate permissions.
- Audit trail redaction — activity logs record actions taken within the platform but automatically redact personally identifiable information, ensuring audit trails are useful without becoming a privacy risk.
- AI data anonymisation — our AI features process anonymised data only. For example, we use age brackets rather than exact dates of birth, and generalised occupation categories rather than individual client details.
5. Platform Security
The platform itself is hardened against the most common and most dangerous web application attacks, following industry-leading security frameworks.
- Input validation and sanitisation — every piece of user input is validated for type, length, and content before it reaches our systems. Malformed or suspicious input is rejected at the boundary.
- Protection against common attacks — we implement defences against cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and insecure direct object references (IDOR), among others.
- Rate limiting — sensitive operations (authentication, data export, API calls) are rate-limited to prevent abuse and brute-force attacks.
- Automated security auditing — our codebase undergoes regular automated security scanning and periodic penetration testing to identify and remediate vulnerabilities before they can be exploited.
6. Document Security
Client documents (passports, skills assessments, qualification certificates) require the highest level of protection. We treat every uploaded file as highly sensitive by default.
- Isolated, access-controlled storage — every uploaded document is stored in a dedicated, access-controlled environment that is completely separate from the public internet. There are no shared buckets or public directories.
- Authenticated, time-limited access — documents can only be retrieved through authenticated requests that generate time-limited signed URLs. These URLs expire automatically, ensuring documents cannot be accessed through stale or shared links.
- File type validation — uploaded files are validated for type and content to prevent malicious file uploads. We reject executable files, scripts, and other potentially dangerous content.
- Per-organisation storage quotas — storage limits are enforced at the organisation level to prevent abuse and ensure fair resource allocation across the platform.
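The signed, time-limited document links described in sections 1 and 6 can be illustrated with an HMAC-based scheme. This is an added example, not ImmiIQ's code: the page does not say how its URLs are signed, so the key, host name, parameter names and function names below are all assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
MAX_TTL = 3600                         # one hour, the lifetime the page states

def _mac(org_id, doc_id, expires):
    # Bind organisation, document and expiry together so none can be swapped.
    # Assumes ids are server-generated and never contain newlines.
    msg = f"{org_id}\n{doc_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def sign_url(org_id, doc_id, now=None, ttl=MAX_TTL):
    now = int(time.time()) if now is None else now
    expires = now + min(ttl, MAX_TTL)  # callers cannot request a longer lifetime
    query = urlencode({"org": org_id, "exp": expires,
                       "sig": _mac(org_id, doc_id, expires)})
    return f"https://files.example.invalid/d/{doc_id}?{query}"  # hypothetical host

def verify_url(url, session_org, now=None):
    """Return (True, doc_id) or (False, reason) for a presented link."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        org, exp, sig = q["org"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    doc_id = parts.path.rsplit("/", 1)[-1]
    expected = _mac(org, doc_id, exp)
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if now >= exp:
        return False, "expired"
    # A valid link is still refused if the authenticated session belongs
    # to a different organisation.
    if org != session_org:
        return False, "wrong organisation"
    return True, doc_id
```

Checking the signature before the expiry means an edited `exp` value is rejected as a forgery rather than honoured, and the organisation check ties the link to the authenticated session.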
7. Compliance & Standards
We align our security practices with recognised Australian and international standards to provide a trustworthy foundation for your migration practice.
- Australian Privacy Act 1988 — full compliance with the Australian Privacy Principles (APPs), including data collection limitations, use and disclosure requirements, data quality obligations, and individual access rights.
- OWASP Top 10 — our development practices follow the Open Web Application Security Project (OWASP) Top 10 framework, addressing the most critical security risks in web applications.
- Regular security audits — we conduct regular internal security reviews and engage third-party specialists for periodic penetration testing to continuously improve our security posture.
- Australian-region infrastructure — your data is stored and processed within Australian-region data centres, ensuring compliance with data sovereignty requirements and reducing latency for Australian users.
8. Data Sources & Attribution
Every data point surfaced in ImmiIQ comes from a verified Australian government source. We re-use that data under the applicable open-data licence and attribute it to the original publisher.
- Australian Bureau of Statistics (ABS) — ANZSCO catalogue (v1.3, 2022) and OSCA v1.0. Licensed under CC BY 4.0.
- Department of Home Affairs — visa subclass rules, skilled occupation lists (MLTSSL, STSOL, ROL, CSOL), EOI round data, and processing-time statistics. Commonwealth Crown Copyright.
- Jobs and Skills Australia — workforce snapshots, employment projections, and the Training Occupation Pathways Dataset (v1.0, March 2026), licensed under CC BY 4.0. See JSA's methodology overview (PDF). Attribution: “Source: Jobs and Skills Australia, Training Occupation Pathways Dataset (v1.0, March 2026), licensed under CC BY 4.0.”
- training.gov.au — VET qualifications, training packages, and nationally-recognised training data. Commonwealth Crown Copyright.
- CRICOS Register — registered education providers and courses for overseas students. Commonwealth Crown Copyright.
- MARA (Office of the Migration Agents Registration Authority) — registered migration-agent directory used for MARA-number verification.
9. Security Contact
If you have security questions, want to report a vulnerability, or need details about our security practices for your own compliance requirements, we are here to help.
For security enquiries, vulnerability reports, or data protection questions:
[email protected]