Security Policy
The Secure Forensic Document Intake system is designed from the ground up with security, privacy, and compliance as core principles.
System Architecture
This system is not a document management system. It is a secure document transfer broker that temporarily receives forensic and legal documents, enforces access controls, transfers custody to practitioners, and automatically deletes documents after delivery.
Encryption & Data Protection
- HTTPS everywhere - All connections use TLS 1.2 or higher encryption
- No unencrypted transmission - Files are never transmitted over unencrypted connections
- Audit Logging - All security-relevant events are logged to a tamper-evident audit log
- Data sovereignty - Data is securely stored in Australia. Documents uploaded to this system do not leave Australia
- Compliance - Compliant with Australian Privacy Principles (APPs) & Australian Cyber Security Guidelines
For maximum security, files never pass through application servers:
- User requests upload authorization from backend API
- Backend generates time-limited presigned URL (24-hour expiry)
- Browser uploads directly to Amazon S3 using presigned URL
- Upload confirmation sent to backend for metadata recording
This architecture ensures files are encrypted immediately upon upload and never exist in unencrypted form on application servers.
Access Controls
Authentication
- Magic link authentication - No passwords to compromise, phish, or leak
- Email verification - One-time links expire after 10 minutes
- Domain allow-lists - Only approved law firm domains can access the system
- Session management - Secure HTTP-only cookies with SameSite protection
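One way the magic-link rules listed above (one-time links, 10-minute expiry, domain allow-list) can be enforced, shown as an added example that is not this system's own code. `MagicLinkStore`, the in-memory dictionary standing in for a database table, and the domain `examplelaw.com.au` are assumptions made for illustration.

```python
import hashlib
import secrets
import time

ALLOWED_DOMAINS = {"examplelaw.com.au"}   # constructed allow-list entry (assumption)
LINK_TTL_SECONDS = 10 * 60                # page: one-time links expire after 10 minutes


class MagicLinkStore:
    """Hypothetical in-memory stand-in for the table that holds pending links."""

    def __init__(self, clock=time.time):
        self._pending = {}   # sha256(token) -> (email, expires_at)
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _domain(email):
        local, sep, domain = email.strip().lower().rpartition("@")
        return domain if sep and local else ""

    def issue(self, email):
        """Return a one-time token, or None when the domain is not approved."""
        # Exact match only: suffix or substring checks would also accept
        # look-alike domains such as notexamplelaw.com.au.
        if self._domain(email) not in ALLOWED_DOMAINS:
            return None
        token = secrets.token_urlsafe(32)            # 256 bits from the CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        expires_at = self._clock() + LINK_TTL_SECONDS
        self._pending[digest] = (email.strip().lower(), expires_at)
        return token

    def redeem(self, token):
        """Return the email for a valid token and consume it; otherwise None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.pop(digest, None)     # pop makes the link single-use
        if record is None:
            return None
        email, expires_at = record
        if self._clock() >= expires_at:
            return None                              # expired links are consumed too
        # Re-check the allow-list in case the domain was removed after issue.
        if self._domain(email) not in ALLOWED_DOMAINS:
            return None
        return email
```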
Data Retention & Deletion
Automatic Deletion Policy
To minimize data exposure, documents are automatically deleted 30 days after first download:
- Law firm uploads documents (stored in S3)
- Mindstate staff assigns matter to practitioner
- System creates ZIP archive and deletes original documents
- Practitioner downloads ZIP (first download triggers 30-day countdown)
- After 30 days, cleanup Lambda deletes ZIP and archives matter
Important: This is a compliance requirement and cannot be extended. Practitioners must save documents to their own secure storage within 30 days.
No Long-Term Storage
- Temporary custody only - System does not provide long-term document storage
- Single source of truth - Law firms retain original documents
- Transfer broker model - Documents deleted after successful transfer
Incident Response
In Case of Security Incident
- Detection - Automated monitoring alerts team
- Containment - Affected resources isolated immediately
- Investigation - Audit logs reviewed to determine scope
- Notification - Affected users notified within 72 hours
- Remediation - Vulnerabilities patched and systems restored
- Post-mortem - Root cause analysis and prevention measures
Third-Party Services
| Service | Provider | Purpose | Data Storage Location |
|---|---|---|---|
| File Storage | Amazon S3 | Encrypted document storage | Sydney, Australia |
| Database | Neon | PostgreSQL database | Sydney, Australia |
| Email | AWS SES | Magic link delivery | Sydney, Australia |
| Hosting | Vercel | Application hosting | Global CDN |
| Compute | AWS Lambda | Serverless functions | Sydney, Australia |
Contact Security Team
If you have security concerns or wish to report a vulnerability:
- Email: forensic.admin@mindstatepsychology.com.au
- Subject line: “Security Inquiry” or “Vulnerability Report”
- Response time: Within 1 business day for security issues
For more information:
Last updated: 25 February 2026