Security Policy
Last updated: 28 April 2026 — Common Initiative, Sydney NSW Australia
1. Our Commitment
Common Initiative takes the security of personal information seriously. We implement reasonable and appropriate technical and organisational measures to protect the personal information we hold against misuse, interference, loss, unauthorised access, modification and disclosure, as required by Australian Privacy Principle 11 (APP 11) under the Privacy Act 1988 (Cth).
Our security practices are informed by the Australian Cyber Security Centre (ACSC) guidelines and, where applicable, the Australian Signals Directorate (ASD) Essential Eight mitigation strategies.
2. Technical Security Measures
- Encryption in transit: All communications between your browser and our server are encrypted using TLS 1.2 or higher (HTTPS). We do not permit plain HTTP connections.
- Encryption at rest: Personal data stored in our database is hosted on infrastructure that applies encryption at rest.
- Password security: User passwords are hashed using a modern one-way hashing algorithm (scrypt with salt) before storage. Plaintext passwords are never stored or logged.
- Session management: Authenticated sessions are managed with server-side session tokens, signed with a strong secret key. Sessions expire automatically and are invalidated on logout.
- Access controls: Role-based access control (RBAC) restricts access to personal information based on the principle of least privilege. Administrators, mentors and mentees can only access data relevant to their role.
- Input validation: All user-supplied data is validated and sanitised server-side before processing to prevent injection attacks (e.g. SQL injection, cross-site scripting).
- Infrastructure: Our platform is hosted on reputable cloud infrastructure with physical and logical security controls, data centre redundancy and regular security patching.
3. Organisational Security Measures
- Access to administrative systems is limited to authorised personnel only.
- Volunteers and staff who handle personal information are made aware of their privacy and security obligations.
- Third-party service providers are required to maintain appropriate security standards as a condition of engagement.
- We do not retain personal information for longer than necessary (see our Privacy Policy).
4. Notifiable Data Breaches
We operate under the Notifiable Data Breaches (NDB) scheme established by Part IIIC of the Privacy Act 1988 (Cth). If we have reasonable grounds to believe an eligible data breach has occurred — one that is likely to result in serious harm to one or more individuals — we will:
- Contain the breach as quickly as possible.
- Assess whether the breach meets the threshold of an eligible data breach.
- Notify affected individuals as soon as practicable, providing details of the breach and recommended steps they should take.
- Lodge a notification with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
All notifications will be made within 30 days of becoming aware of the breach, or sooner where practicable.
5. Responsible Disclosure
If you discover a security vulnerability in our website or platform, we ask that you report it to us responsibly before making any public disclosure. Please email info@commoninitiative.com.au with the subject line "Security Vulnerability Report" and include:
- A description of the vulnerability and the potential impact
- Steps to reproduce the issue
- Any supporting screenshots or proof-of-concept (without accessing or extracting real user data)
We will acknowledge your report within five (5) business days and aim to remediate confirmed vulnerabilities promptly. We are grateful to security researchers who help keep our community safe.
6. Your Responsibilities
You also play an important role in keeping your account secure:
- Use a strong, unique password for your Common Initiative account.
- Do not share your login credentials with anyone.
- Log out of your account when using shared or public devices.
- Notify us immediately at info@commoninitiative.com.au if you suspect unauthorised access to your account.
7. Limitations
While we take all reasonable steps to protect your personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security and accept no liability for breaches that result from circumstances beyond our reasonable control. We encourage all users to take their own security precautions when using the internet.
8. Contact Us
For security concerns or breach notifications, please contact us:
Common Initiative
Sydney, New South Wales, Australia
Email: info@commoninitiative.com.au