
Trust Centre

At Fitness Passport Pty Ltd and Fitness Passport NZ Ltd (“Fitness Passport” or “FP”), we prioritise the security and privacy of your data by employing industry best practices and technologies. We continuously monitor and manage our products and services, adapting as necessary to address emerging threats and changes in security standards.

Compliance

FP complies with Australian and New Zealand regulations, including applicable security and privacy requirements. We continuously invest in assurance practices to ensure compliance with relevant standards and regulations.

  • Australian Privacy Act 1988 – FP has established information security and privacy policies and standards that follow the requirements of the Privacy Act and the guidance of the Australian Privacy Principles (APPs).
  • PCI DSS – FP does not store or process credit card transactions and, on that basis, complies with PCI DSS requirements.
  • Direct Debit Payments – Payments are processed through trusted partners: Westpac for Australian customers and GoCardless for New Zealand customers.
    Further details can be found at:
    westpac.com.au/security/how-we-protect-you
    gocardless.com/privacy

FP builds its cyber security capabilities and carries out its security practices following the guidance of leading industry standards and frameworks. We are working towards ISO 27001 certification.

Privacy

FP adheres to Australian and New Zealand privacy laws. Our privacy policies outline how we collect, store, use, and disclose personal information. For further details, please refer to our Privacy Policy.

For more information on privacy principles, refer to the links below:

APP – Australian Privacy Principles Quick Reference

NZ Privacy Principles – New Zealand Privacy Principles Quick Reference

Independent security testing

FP undergoes regular independent security reviews and audits to assess adherence to security frameworks and overall security posture. Technical security reviews and system penetration testing are conducted regularly in line with FP’s information security policies and standards. Please refer to our latest Statement of Attestation from Oct 2024.

High Availability Architecture (Amazon AWS)

FP’s Web Portal utilises cloud-hosted services provided by Amazon Web Services (AWS), which offers robust security and monitoring of physical equipment against threats and environmental hazards.

  • For details on AWS Security, Privacy, and Compliance, please visit aws.amazon.com/security
  • FP’s architecture leverages AWS serverless frameworks and AWS Virtual Private Cloud (VPC) to provide a secure, contained environment.

Access Management

  • FP’s Web Portal implements Role-Based Access Controls (RBAC), ensuring least-privilege access based on user roles.
  • Customer data is stored in a centralised database, with access segregation managed through RBAC.
  • End-user access is secured using Multi-Factor Authentication (MFA).

Data Hosting

FP’s Web Portal is hosted within onshore AWS data centres in Australia (Sydney region), utilising two availability zones with auto-failover capabilities. Failover is tested annually, or as required, under our Business Continuity Plan (BCP) and Disaster Recovery (DR) protocols.

Data outside Australia

FP leverages multiple tools and platforms to provide enhanced service delivery to its members, customers and partners. Some of FP’s third-party systems are hosted in the USA; the data within them is managed in strict adherence to the Australian and New Zealand Privacy Acts and to our Privacy Policy.

Backups & Recovery

  • Databases are backed up using both daily snapshots and transactional backups, stored in AWS-hosted environments with encryption.
  • Backups are retained for 30 days and are encrypted in transit (SSL) and at rest.
  • Disaster Recovery Plans (DRP) are tested annually or as required.

Data Retention

FP securely retains customer data in compliance with Australian and New Zealand regulations and our Privacy Policy:

  • Membership Data: Retained for the duration of the membership plus one year after termination.
  • Customer Contact Information: Retained for five years after membership termination.
  • Financial Information: Retained for one month post-membership termination (provided all outstanding fees are settled).
  • Corporate Records: Financial transaction records are retained for seven years.
  • Data beyond retention periods is obfuscated to protect privacy.

People

FP is an Australian-based business with its head office in Sydney, Australia.
Our staff are located in Australia and New Zealand, with operations centres in the Philippines. Our technology teams are based in Australia and Sri Lanka.

  • We have a dedicated internal security team responsible for cyber security, incident management and ensuring secure application development and testing practices are in place.
  • FP has an established onboarding practice and conducts relevant assessments of employees, contractors and third-party personnel. Background checks and security screenings are conducted for all employees and contractors with system or data access.
  • The use of technology within FP is described in the acceptable use policy governing the use of the corporate network, internet, email and software.
  • All employees undergo Compliance, Ethics, Privacy, and Cybersecurity Awareness training upon hiring, with periodic refresher training, including phishing simulations.

Monitoring and Auditing

  • System monitoring utilises AWS CloudTrail, AWS CloudWatch, and DataDog for proactive web portal monitoring, along with additional endpoint security tools.
  • All access attempts and system changes are logged and retained for at least 30 days or as required.

Secure Software Development Lifecycle (SDLC)

FP follows a secure software development lifecycle (SDLC) that adheres to OWASP guidelines.

  • All code is centrally managed with version control and access is restricted.
  • Peer-reviewed code changes undergo automated deployment processes to ensure security best practices are maintained.
  • Introduction of new systems and major changes to existing systems follow a formal process of documentation, specification, testing, quality control and managed implementation.
  • Development, test and operational environments are separated to reduce the risk of unauthorised access or changes to the operational environment.


updated: 04.03.2025