Security
Last updated: May 2026
Azurum Pty Ltd operates ethyx for workforce and behavioural analytics used by regulated employers and care providers. Security and privacy are designed into how we collect survey responses, store outcomes, and deliver reports.
Our marketing site displays a verified security-tested badge reflecting independent security review of our production environment. This page summarises our security posture for procurement and IT due diligence.
Security overview
We apply defence-in-depth controls across infrastructure, application, and operational layers. Access to production systems is restricted to authorised personnel on a need-to-know basis with multi-factor authentication.
The behavioural scoring algorithm runs in an isolated microservice with API-key authentication only — it is not exposed as a public endpoint and does not hold direct database access, reducing blast radius if a component were compromised.
Data handling
Participant and client data is processed only for agreed purposes under contract and consent. Survey links expire after seven days. Outcome fields are time-gated so future-dated employment outcomes cannot be recorded early.
We align collection and retention practices with the Australian Privacy Principles. See our Privacy Policy for rights of access and correction.
Infrastructure and encryption
- Hosting on reputable cloud providers with encryption in transit (TLS) for all public endpoints
- Encryption at rest for databases and object storage used by the platform
- Segregation between marketing website traffic and authenticated client portal environments
- Regular patching and dependency monitoring for known vulnerabilities
Access control and monitoring
- Role-based access within the client portal
- Audit logging of administrative and sensitive operations where applicable
- Principle of least privilege for engineering and support access
- Incident response procedures for suspected breaches or abuse
Independent security testing
We engage independent security testing of our production environment. Results inform remediation prioritisation. Specific test reports and scope summaries are available to enterprise clients under NDA as part of vendor due diligence.
Security testing is one control among many; it does not replace your own risk assessment or contractual requirements.
Your organisation's responsibilities
Clients remain responsible for having a lawful basis to survey participants, for accurate roster data, and for secure use of credentials issued to their staff. We recommend SSO where available, strong passwords, and prompt offboarding of users who leave your organisation.
Reporting security concerns
To report a vulnerability or security concern, contact info@ethyx.com with sufficient detail to reproduce the issue. We ask researchers to act in good faith and allow reasonable time for remediation before public disclosure.