Legal
Security & Compliance
Effective Date: 31 March 2026 · Sigmar Investment PTY LTD
This Security & Compliance Statement outlines the technical, operational, and governance measures implemented by Sigmar Investment PTY LTD (“Company”, “we”, “us”) in connection with the Profit Guard platform (“Service”). Profit Guard is designed as a deterministic financial control system, prioritising data security, system integrity, and auditability of all decision processes.
01 Architecture Overview
Profit Guard operates on a distributed, cloud-based architecture combining edge computing and centralised processing layers. This architecture is designed to ensure low-latency decision enforcement, high availability, and defence-in-depth security across all system components.
1.1 Edge Layer (Cloudflare)
The Service leverages Cloudflare's global network as the first point of contact for all inbound requests. This layer provides:
- Secure request routing — all traffic is routed through Cloudflare's global anycast network, ensuring encrypted communication and optimal path selection to the nearest point of presence
- Edge execution of validation and control logic — lightweight financial validation rules are executed at the edge, enabling sub-millisecond enforcement of critical guardrails before requests reach the core processing layer
- Distributed denial-of-service (DDoS) protection — automated detection and mitigation of volumetric, protocol, and application-layer attacks, ensuring service continuity under adversarial conditions
- Traffic filtering and threat mitigation — real-time analysis of incoming traffic to identify and block malicious payloads, bot activity, credential stuffing attempts, and other threat vectors
- Web Application Firewall (WAF) — managed rulesets protecting against OWASP Top 10 vulnerabilities, including SQL injection, cross-site scripting (XSS), and remote code execution
- Rate limiting — configurable rate limiting policies to prevent abuse, enforce fair usage, and protect downstream systems from excessive load
1.2 Core Processing Layer (Deterministic Engine)
The core system processes all financial evaluations using a deterministic execution model. This design is fundamental to the integrity and auditability of the Service:
- All decision logic is strictly rule-based and reproducible — every evaluation follows a defined path determined by the Customer's configuration and the data present at the time of execution
- No probabilistic, heuristic, or opaque decision-making is employed — the system does not use machine learning, statistical inference, or any form of non-deterministic reasoning in its financial evaluations
- Identical inputs will always produce identical outputs — this property guarantees that any decision can be independently verified and reproduced for audit, dispute resolution, or regulatory review purposes
- State-driven execution model — the system enforces strict state transitions, preventing illegal or inconsistent financial states and ensuring that every action is a valid progression from the prior state
- Immutable decision records — once a decision is rendered, the record of that decision, including all inputs, rules applied, and the resulting outcome, is preserved as an immutable audit trail
1.3 Infrastructure Layer (Linode)
Application services and persistent data storage are hosted on Linode infrastructure, providing:
- Secure virtualised environments — all compute workloads run within isolated virtual machines with dedicated resource allocation, preventing cross-tenant interference
- Network isolation and firewall controls — production environments are segmented using private VLANs and strict ingress/egress firewall rules, limiting network access to authorised services only
- Scalable compute and storage resources — infrastructure is provisioned to accommodate variable transaction volumes, with the ability to scale horizontally in response to demand
- Geographically distributed backups — data is replicated across geographically separated storage locations to ensure durability and support disaster recovery objectives
- Encrypted block storage — persistent storage volumes are encrypted at the block level, ensuring data confidentiality even in the event of physical media compromise
02 Encryption Standards
The Company implements industry-standard encryption practices across all layers of the Service to protect the confidentiality and integrity of data.
2.1 Data in Transit
- All data transmitted between the Customer's systems and the Service is encrypted using TLS 1.2 or higher (Transport Layer Security)
- HTTPS is enforced across all public-facing endpoints, with HTTP Strict Transport Security (HSTS) headers applied to prevent downgrade attacks
- Certificate management is handled through automated issuance and renewal via Cloudflare, ensuring continuous certificate validity
- Internal service-to-service communication within the infrastructure is encrypted using mutual TLS (mTLS) where supported
2.2 Data at Rest
- Data stored within infrastructure environments is protected using AES-256 encryption at the block storage level, as provided by the hosting provider
- Database backups are encrypted prior to storage and transmission to backup locations
- Access to stored data is restricted via authentication controls, and stored data is not accessible to unauthorised personnel or processes
- Encryption keys are managed through the hosting provider's key management infrastructure and are not stored alongside the encrypted data
2.3 Access Control
- Role-based access controls (RBAC) are enforced across all administrative and operational interfaces, ensuring that users have access only to the resources necessary for their role
- Multi-factor authentication (MFA) is required for all administrative access to production systems
- Authentication tokens and API keys are issued with scoped permissions and configurable expiry periods
- Administrative access to production infrastructure is limited to a restricted set of authorised personnel and is subject to audit logging
- All access events, including successful and failed authentication attempts, are recorded and monitored
03 Auditability and Financial Traceability
Profit Guard is designed with auditability as a core architectural principle. Every component of the system is built to support independent verification, regulatory review, and financial audit processes.
3.1 Deterministic Decision Logging
All system decisions:
- Are generated from defined inputs and rules — every evaluation is the product of the Customer's configuration, the applicable rule set, and the data state at the time of execution
- Can be reproduced and independently verified — given the same inputs and configuration, the system will produce an identical outcome, enabling third-party verification
- Are traceable to specific configurations and data states — each decision record includes references to the rule version, input parameters, and data sources used in the evaluation
- Are timestamped and sequenced — all records include precise timestamps and sequence identifiers to establish a clear chronological order of events
3.2 Event Traceability
The system maintains comprehensive records of all evaluated events, including:
- Evaluated transactions — every transaction submitted for evaluation is recorded, including the full set of input parameters and the resulting decision
- Applied or rejected decisions — the outcome of each evaluation (allow, block, or escalate) is recorded along with the specific rules that determined the outcome
- Policy enforcement outcomes — records of when and how merchant-defined policies were applied, including any threshold calculations, margin assessments, or stacking evaluations
- Integration events — records of data received from and transmitted to connected third-party systems, including Shopify webhooks, API calls, and POS interactions
This traceability framework enables:
- Financial verification — merchants and their advisors can independently verify that the system acted in accordance with its configured rules
- Internal audit processes — organisations can incorporate Profit Guard decision logs into their internal audit and compliance workflows
- External review — decision records can be produced for external auditors, regulators, or legal proceedings where required
- Dispute resolution — in the event of a disputed transaction or decision, the complete evaluation history can be retrieved and examined
3.3 Configuration Accountability
All outcomes are a direct function of Customer-defined inputs. The system maintains full traceability of:
- Rule configurations — a versioned history of all rule definitions, including creation, modification, activation, and deactivation events
- Financial assumptions — records of all financial parameters configured by the Customer, including margin thresholds, cost of goods inputs, capital cost assumptions, and valuation models
- Policy changes — an audit trail of all changes to merchant-defined policies, including the identity of the user who made the change and the effective date
- Integration configurations — records of connected platforms, API credentials (excluding secrets), webhook registrations, and data mapping definitions
This ensures that every decision outcome can be attributed to a defined and documented set of parameters, supporting full accountability and transparency.
04 Operational Security
The Company implements and maintains a comprehensive set of operational security measures to protect the Service, its data, and its users against internal and external threats.
- Continuous monitoring — production systems are monitored in real time for performance anomalies, security events, and operational irregularities using automated alerting and observability tooling
- Centralised logging — all application, infrastructure, and access logs are aggregated in a centralised logging system, enabling correlation analysis and forensic investigation
- Intrusion detection — network and application-layer intrusion detection mechanisms are deployed to identify suspicious activity, including unauthorised access attempts, data exfiltration patterns, and privilege escalation
- Controlled deployment processes — all code changes are subject to peer review, automated testing, and staged rollout procedures before being deployed to production environments
- Environment separation — development, staging, and production environments are strictly separated, with no shared credentials, data, or network access between environments
- Incident response procedures — documented incident response plans are maintained and periodically reviewed, covering identification, containment, eradication, recovery, and post-incident analysis
- Vulnerability management — the Company maintains an active vulnerability management programme, including regular dependency scanning, security patch application, and assessment of newly disclosed vulnerabilities
- Personnel security — access to production systems is granted on a least-privilege basis and is reviewed periodically to ensure continued appropriateness
05 Third-Party Dependencies
The Service relies on the continued availability and secure operation of third-party infrastructure and platform providers. The Company has selected providers that maintain industry-recognised security certifications and practices.
Cloudflare
- SOC 2 Type II certified
- ISO 27001 certified
- PCI DSS Level 1 compliant
- Provides edge security, DDoS protection, WAF, and CDN services
Linode (Akamai Cloud Computing)
- SOC 2 Type II certified
- ISO 27001 certified
- Provides compute, storage, and networking infrastructure
- Data centre facilities maintain physical security controls including biometric access, CCTV monitoring, and environmental protections
Shopify
- SOC 2 Type II certified
- PCI DSS Level 1 compliant
- Integration is conducted in accordance with Shopify's API Terms of Service and data access policies
- Data accessed through Shopify APIs is limited to the minimum scope necessary to provide the Service
The Company ensures that all third-party providers meet or exceed industry-standard security practices. However, the Company does not assume responsibility for the independent operations, security incidents, or service disruptions of any third-party provider.
06 Compliance Positioning
Profit Guard is designed and operated to support enterprise and financial oversight requirements. The system provides the following compliance-supporting capabilities:
- Transparent and auditable decision processes — every financial evaluation is fully documented and reproducible, supporting compliance with internal governance frameworks and external regulatory requirements
- Consistent rule-based financial controls — the deterministic nature of the system ensures that financial policies are enforced uniformly, without discretion or variation, across all transactions and channels
- Full traceability of all system actions — comprehensive audit trails enable organisations to demonstrate compliance with record-keeping, reporting, and accountability obligations
- Separation of duties support — the system enforces a clear distinction between configuration (merchant responsibility) and execution (system responsibility), supporting governance frameworks that require segregation of functions
- Data minimisation and purpose limitation — the Service collects and processes only the data necessary to perform its functions, in accordance with applicable data protection principles
The Service supports, but does not replace, the Customer's own obligations relating to:
- Financial reporting — including statutory reporting, management accounts, and investor disclosures
- Regulatory compliance — including obligations arising under the Corporations Act, ASIC regulations, tax legislation, and industry-specific regulatory frameworks
- Internal governance — including board oversight, risk management frameworks, and internal audit functions
- Data protection compliance — including obligations arising under the Privacy Act 1988, the Australian Privacy Principles, and, where applicable, the GDPR
07 Limitations
While the Company implements robust security and compliance measures, the following limitations apply:
- No system can guarantee absolute security — despite the implementation of industry-standard security controls, the Company cannot warrant that the Service will be entirely free from security vulnerabilities or immune to sophisticated attack vectors
- Outcomes depend on the accuracy of Customer-provided inputs — the quality, completeness, and accuracy of financial evaluations are directly dependent on the data and configuration provided by the Customer
- The Service operates within the constraints of integrated third-party systems — the security, availability, and data integrity of connected platforms (including Shopify, payment processors, and POS systems) are outside the Company's direct control
- Compliance support does not constitute compliance assurance — while the Service is designed to support compliance objectives, it does not guarantee that the Customer's use of the Service will satisfy all applicable legal, regulatory, or contractual obligations
08 Updates
This Security & Compliance Statement may be updated from time to time to reflect changes in infrastructure, security practices, regulatory requirements, or the introduction of new features or capabilities.
Material changes will be communicated to Customers via email or in-app notification. Continued use of the Service following the effective date of any update shall constitute acceptance of the revised Statement.
09 Contact
For security or compliance inquiries, including vulnerability reports, data protection requests, or audit-related questions, please contact:
Profit Guard is engineered to ensure that financial decisions are consistent, traceable, and defensible. This is fundamental to its role as a financial control system for enterprise commerce environments.