top of page
Yowzaa LOGO.png

YOWZAA ENTERPRISE SECURITY OVERVIEW

Version 1.0 — 10 November 2025

Executive Summary
Yowzaa Technologies Pty Ltd (ABN 51 684 858 348) delivers a secure, scalable, AI-driven business operations platform engineered on modern cloud infrastructure and best-practice security frameworks. Our commitment to security aligns with international standards including ISO 27001 principles, SOC 2 concepts, GDPR expectations, and the Australian Privacy Act.
We combine AWS-grade infrastructure, encrypted data flows, strict access controls, responsible AI governance, and zero-trust practices to ensure that customer data remains secure and resilient across all operational environments.

1. Infrastructure & Hosting Security
1.1 Cloud Infrastructure
Yowzaa is hosted on Bubble.io, which utilises Amazon Web Services (AWS) data centres located in the United States.

AWS provides:
  • Tier 1 physical security
  • Redundant power and cooling
  • Biometric access control
  • 24/7 monitoring
  • Best-in-class network perimeter protection
     
AWS maintains compliance certifications including:
ISO 27001, SOC 1/2/3, PCI DSS, FedRAMP, CSA STAR, GDPR-compliant infrastructure.

1.2 Network Architecture
Yowzaa benefits from Bubble’s secure multi-tenant cloud architecture, offering:
  • Isolated execution environments
  • Automatic scaling
  • Managed load balancing
  • DDoS protection
  • Firewall-level traffic filtering
     
2. Data Security
2.1 Encryption Standards
All customer data is encrypted:
In transit: TLS 1.3
At rest: AES-256 encryption
Session tokens, OTP codes, and authentication flows are protected using cryptographically secure methods.

2.2 Data Segregation
Each Yowzaa user account is logically separated, ensuring customer data is not accessible across tenants.

2.3 Data Redundancy & Backups
Bubble maintains:
  • automated backups
  • redundant storage
  • recovery mechanisms
     
This ensures stability in case of system interruptions or outages.

3. Identity & Access Management
3.1 User Authentication
Yowzaa uses email-based One-Time Password (OTP) verification during account creation and sign-in.

3.2 Role-Based Access Control (RBAC)
User permissions within the platform are set by:
  • role
  • security level
  • organisation-level configuration
     
This ensures least-privilege access across operational workflows.

3.3 Internal Access Controls
Internal Yowzaa personnel have restricted access governed by:
  • least-privilege principles
  • forced logging
  • approval workflows
  • encrypted credential storage
     
Only authorised team members may access system-level tools for maintenance or support.

4. Application Security
4.1 Secure Development Practices
Yowzaa follows a secure SDLC (Software Development Life Cycle) model:
  • version-controlled deployments
  • environment separation (dev, test, production)
  • automated testing and quality checks
  • security-focused design reviews
     
4.2 Vulnerability Management
Yowzaa conducts ongoing:
  • vulnerability detection
  • patch management
  • dependency monitoring
  • performance and security auditing
     
Bubble’s infrastructure team performs continuous monitoring for emerging threats.

4.3 API Security
All API interactions use:
  • encrypted requests
  • signed tokens
  • rate limiting
  • access control checks
     
Third-party tokens (Xero, Square, etc.) are handled securely and stored encrypted.

5. Vendor & Integration Security
Yowzaa integrates with enterprise-grade providers including:
  • Xero (accounting)
  • Square, PayPal, Shopify (payments & POS)
  • Alibaba (supplier data)
  • Google (services & cloud functions)
  • Twilio (OTP & SMS)
  • SendGrid (email delivery)
  • OpenAI (AI processing)
     
5.1 Vendor Due Diligence
Before onboarding, each vendor is assessed for:
  • encryption & transport standards
  • data residency posture
  • access controls
  • compliance certifications
  • security documentation
     
5.2 AI Vendor Governance
When data is processed by AI models, Yowzaa:
  • anonymises or pseudonymises identifiable elements where possible
  • uses encrypted transport
  • forbids training on customer data
  • ensures confidentiality under contract
     
6. Monitoring & Incident Response
6.1 System Monitoring
Yowzaa uses real-time tracking to observe:
  • authentication activity
  • abnormal usage patterns
  • failed login attempts
  • backend performance metrics
     
6.2 Incident Response Framework
In the event of a security incident, Yowzaa follows a structured response:
  1. Detection & containment
  2. Root-cause investigation
  3. System isolation & remediation
  4. Notification to affected users
  5. Regulator notification where required
  6. Post-incident reporting & review
     
7. Data Governance & Compliance
7.1 Global Privacy Alignment
Yowzaa aligns with:
  • Australian Privacy Act
  • GDPR
  • UK GDPR
  • CCPA/CPRA principles
     
We provide GDPR-level rights to all users worldwide.

7.2 Data Retention
To maintain professional compliance:
  • financial data is retained for 7 years
  • user account data is retained for 3 years post-deletion, unless required longer by law
     
7.3 Data Minimisation
We only collect information necessary to:
  • deliver services
  • ensure security
  • provide automation
     
We do not sell customer data.

8. Responsible AI & Data Use
Yowzaa employs AI responsibly.
Key safeguards include:
  • anonymisation before processing
  • human-in-the-loop oversight
  • model accuracy monitoring
  • no use of customer data for public model training
  • secure vendor contracts
     
Our AI governance framework is detailed in our AI Transparency Statement.

9. Business Continuity & Resilience
9.1 Uptime & Redundancy
Bubble’s managed cloud environment provides:
  • automatic scaling
  • distributed hosting
  • multi-zone redundancy
     
9.2 Disaster Recovery
Operational continuity is supported by:
  • regular encrypted backups
  • failover capabilities
  • rapid restore mechanisms
     
This ensures resilience during outages or external disruptions.

10. Physical Security
Yowzaa does not operate physical data centres.
All physical security controls are managed by AWS, including:
  • biometric access
  • on-site security personnel
  • CCTV and alarm systems
  • secured server rooms
     
AWS maintains world-leading physical infrastructure protections.

11. Customer Responsibilities
Enterprise security is a shared responsibility.
Users must:
  • maintain strong email security
  • verify AI-generated outputs
  • configure user permissions wisely
  • comply with all relevant laws and regulations
  • protect their own login credentials
     
12. Contact
For enterprise security inquiries:
Yowzaa Security Office
Email: support@yowzaa.ai
Address: 3170 Surfers Paradise Blvd, Surfers Paradise QLD 4217 Australia
bottom of page