Security at ParallaxOS.

ParallaxOS holds rail compliance data — timesheets, D&A test results, incident reports, identity records — that must stand up to ONRSR audit. Defensibility is engineered in, not bolted on.

Cryptographic record seal

Every timesheet, pre-start, D&A test, incident report, and approval is hashed with SHA-256 at the moment of submission. The hash includes the user, device, GPS coordinates, ISO timestamp, and the full payload. The resulting digest is stored alongside the record and cannot be altered without invalidating the seal.

This makes records tamper-evident — any modification after submission produces a different hash and is immediately detectable in the audit log.
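
The sealing scheme described above, as an added example (not ParallaxOS code): the field names, the canonical-JSON encoding and the sample rows are assumptions made for illustration. It recomputes each record's SHA-256 seal and reports the rows whose content no longer matches the stored digest.

```python
import hashlib
import hmac
import json

# The five seal inputs named on the page; the key names are assumed.
SEAL_FIELDS = ("user", "device", "gps", "timestamp", "payload")

def canonical_bytes(record: dict) -> bytes:
    """Serialise the sealed fields deterministically (assumed encoding)."""
    missing = [f for f in SEAL_FIELDS if f not in record]
    if missing:
        raise ValueError(f"cannot seal, missing fields: {missing}")
    sealed = {f: record[f] for f in SEAL_FIELDS}
    # Sorted keys and fixed separators: the same content always yields the
    # same bytes, whatever key order or whitespace the client produced.
    return json.dumps(sealed, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")

def seal(record: dict) -> str:
    """SHA-256 digest over the canonical form, as lowercase hex."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()

def verify(record: dict, stored_digest: str) -> bool:
    """True when the record still matches the digest stored at submission."""
    return hmac.compare_digest(seal(record), stored_digest)

def audit(rows: list) -> list:
    """Return the ids of rows whose content no longer matches their seal."""
    return [r["id"] for r in rows if not verify(r["record"], r["seal"])]

def sample_rows() -> list:
    """Constructed sample data: two sealed timesheets, one edited afterwards."""
    # Coordinates and hours are strings because float formatting differs
    # between languages and would change the hashed bytes.
    a = {"user": "w-1042", "device": "dev-7f3a",
         "gps": ["-33.8688", "151.2093"],
         "timestamp": "2024-05-01T06:30:00+10:00",
         "payload": {"type": "timesheet", "hours": "8.0"}}
    b = dict(a, user="w-2210")
    rows = [{"id": "ts-001", "record": a, "seal": seal(a)},
            {"id": "ts-002", "record": b, "seal": seal(b)}]
    # Simulate a post-submission edit to the second record's payload.
    rows[1]["record"] = dict(b, payload={"type": "timesheet", "hours": "10.0"})
    return rows

if __name__ == "__main__":
    print("records failing seal verification:", audit(sample_rows()))
```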

Encryption

  • In transit: TLS 1.3, modern cipher suites only, HSTS preloaded.
  • At rest: AES-256 on Supabase (PostgreSQL) with encrypted file storage.
  • Database row-level security: every table has RLS policies — no client query can return another company's data even if the application code has a bug.
  • Local mobile storage: WatermelonDB encrypted at the OS level; offline records carry their own SHA-256 seal and device-keyed signature.

Hosting & data residency

ParallaxOS is hosted in Australian regions (AWS Sydney). Data does not leave Australia. This is a deliberate sovereignty choice — Australian rail compliance data, on Australian infrastructure, under Australian jurisdiction.

Authentication

  • Email + password with bcrypt hashing (Starter, Professional)
  • SSO / OAuth via Google Workspace and Microsoft 365 (Enterprise)
  • Worker Portal: biometric authentication on supported devices (Face ID / fingerprint)
  • Optional 2FA on all admin accounts (TOTP)

Authorisation & RBAC

Role-based access control on Enterprise lets you separate concerns — payroll officers see timesheets but cannot change billing settings, site administrators see field operations but cannot view payroll data. Every permission decision is logged.

Audit log

Every action in the system is recorded — who changed what, when, from which IP, with which device fingerprint. The audit log is exportable on Enterprise and is the canonical reference if ONRSR or an internal HSEQ team needs to reconstruct a timeline.

Vulnerability management

  • Dependencies are scanned daily by GitHub Dependabot and Snyk.
  • Static analysis runs in CI on every commit.
  • Penetration testing on an annual cadence (Enterprise customers receive the executive summary on request).
  • Coordinated disclosure: report vulnerabilities to security@parallaxos.com.au.

Incident response

Security incidents are triaged within four hours of detection. Affected customers are notified within 24 hours of confirmation, with a remediation timeline included. Post-incident reviews are shared with Enterprise customers via the customer success manager.

Data export & deletion

  • Full data export (timesheets, compliance records, D&A results, incidents) as a ZIP archive on request — Enterprise tier, self-serve from Settings; other tiers, by support request.
  • Worker deletion is soft (record retained in audit log to preserve compliance history) by default; hard deletion is available for Privacy Act right-to-erasure requests subject to retention obligations.
  • Account closure: data is retained for 90 days post-closure, then deleted, except where law requires longer retention.

Subprocessors

ParallaxOS uses the following subprocessors. The list is updated when changes occur and Enterprise customers are notified at least 30 days in advance of new subprocessors.

| Subprocessor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Compute, storage, networking | ap-southeast-2 (Sydney) |
| Supabase | Managed PostgreSQL, auth, realtime, file storage | ap-southeast-2 (Sydney) |
| Anthropic | Claude API for ParallaxOS AI agents | USA (no PII sent; queries scoped per-tenant) |
| Firebase Cloud Messaging | Push notifications | Global edge |
| Sentry | Error tracking | EU / USA |
| PostHog | Product analytics (self-hostable; can be disabled per Enterprise customer) | EU |

Security questionnaires

For Tier 1 procurement teams running supply-chain security questionnaires, contact security@parallaxos.com.au. We have completed CAIQ-Lite and Avetta security PQF submissions and can turn questionnaires around within five business days.