Every planning control identified for any lot | LEP + SEPP + DCP cross-referenced in one query | Approval likelihood scored for every control | Conflicts and overrides resolved automatically | Every answer cited to the source clause | Ask planning questions in plain English | Results in under 1 second

Security

Last updated: March 2026

Security is foundational to everything we build. As a platform handling planning queries, site reports, and spatial data, we hold ourselves to the highest standards for protecting your data and our infrastructure.

Our Security Commitment

ZoneDSS (a product of QuestFeed Pty Ltd, ABN 58 632 013 855) processes planning queries, generates site reports, and stores spatial analysis data. Our architecture is designed with defense in depth, least privilege, and encryption by default at every layer.

  • In Transit Encryption: TLS 1.3
  • At Rest Encryption: AES-256
  • Breach Notification: < 72h
  • Platform Uptime SLA: 99.9%

1. Infrastructure Security

ZoneDSS runs on a fully serverless architecture with no persistent servers to compromise. Every component is designed for isolation, immutability, and automated recovery.

Serverless Compute

AWS Lambda — no SSH, no persistent OS, no patch management. Functions execute in ephemeral, isolated containers that are destroyed after each invocation.

PostGIS Database

PostgreSQL with PostGIS and pgvector on AWS RDS. Encrypted at rest (AES-256), multi-AZ deployment, automated daily backups with 35-day retention and point-in-time recovery.

Tenant Isolation

Each user's query data, reports, and conversation history are stored in logically isolated environments. No cross-account data access is possible at the infrastructure level.

Immutable Deployments

All infrastructure deployed via versioned scripts with no manual access to production. Every deployment is a fresh, versioned artifact — never patched in place.

2. Data Protection

Encryption Layers

TLS 1.3

In Transit

All communications between clients and our APIs use TLS 1.3 with forward secrecy.

AES-256

At Rest

All stored data — planning reports, query results, user data, spatial overlays, and backups — encrypted with AES-256 via AWS KMS.

Isolated

In Processing

Planning queries are processed in ephemeral Lambda containers. Data is processed in memory and containers are destroyed after each invocation.

3. Authentication & Access Control

Password Security

Passwords hashed with PBKDF2. We never store plaintext passwords. Password strength requirements enforced at registration.

Session Management

JWT-based authentication with secure tokens. Sessions automatically expire after inactivity. Tokens are cryptographically signed and validated on every request.

API Security

All API endpoints require authentication. Rate limiting enforced per user. CORS policies restrict cross-origin requests to authorized domains only.

Role-Based Access

Internal systems use RBAC with the principle of least privilege. Production database access requires explicit authorization and is fully audited.

4. Network Security

DDoS Protection

Cloudflare DDoS mitigation with automatic traffic scrubbing. 330+ edge locations absorb volumetric attacks before they reach our infrastructure.

Web Application Firewall

Cloudflare WAF blocks SQL injection, XSS, and other OWASP Top 10 attacks. Rules updated continuously against emerging threats.

Rate Limiting

Intelligent rate limiting at the edge and application level prevents abuse and brute-force attacks. Per-IP and per-user limits with automatic throttling.

HTTPS Only | HSTS Enforced | CSP Headers | X-Frame-Options | X-Content-Type | Referrer-Policy

5. AI & LLM Data Privacy

Planning Q&A is powered by enterprise-grade large language models via API. The following safeguards apply:

No Model Training

Your planning questions and obligation context are never used for model training. The LLM provider (xAI) is contractually prohibited from using API inputs for training or fine-tuning.

30-Day Auto-Deletion

The LLM provider automatically deletes all API inputs and outputs within 30 days. During this period, data is retained solely for safety monitoring.

Data Minimization

Only the obligation data and zone context necessary for answering the planning question is sent to the LLM. Account information, query history, and payment data are never transmitted.

Encrypted In-Transit

All communication with the LLM API is over TLS 1.3. Planning context is processed for inference only and not stored beyond the temporary safety monitoring window.

6. Incident Response

Detection

< 1 hour

Automated monitoring and alerting detects anomalies across all platform components.

Containment

< 4 hours

Immediate isolation of affected systems. Revocation of compromised credentials. Preservation of forensic evidence.

Notification

< 72 hours

Affected users notified within 72 hours per GDPR and Australian Notifiable Data Breaches scheme requirements.

Recovery

As needed

Root cause analysis, system restoration, and implementation of preventive measures.

7. Compliance & Standards

Privacy Act 1988

Australian Privacy Principles (APPs)

GDPR

EU General Data Protection Regulation

CCPA

California Consumer Privacy Act

NDB Scheme

Australian Notifiable Data Breaches

OWASP Top 10

Web application security standards

PCI-DSS (via Stripe)

Payment security (Level 1 certified processor)

8. Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability in our platform:

Report To

hello@zonedss.com

What to Include

  • Description of the vulnerability and its potential impact
  • Steps to reproduce (proof of concept if possible)
  • Any tools, scripts, or screenshots used

Our Commitments

  • Acknowledge receipt within 2 business days
  • Provide an initial assessment within 5 business days
  • No legal action against good-faith security researchers
  • Credit in our security acknowledgements (if desired)

Security Contact

For security concerns, vulnerability reports, or questions about our security practices:

QuestFeed Pty Ltd

Document Version: 1.0 | Effective: March 2026