Skip to main content

Security & Data Protection

Inspection data is sensitive: property details, client records, site photos, and reports that end up in disputes and transactions. InspectAndGo is built security-first, with your data stored in Australia and protected at every layer.

Australian data residency

All inspection data, photos, and reports are stored in Google Cloud Sydney (australia-southeast1). We follow the Australian Privacy Principles (APP). Some AI processing occurs overseas under a Google data-processing agreement (APP 8 disclosure); the results are stored back in Australia.

Encryption in transit and at rest

Every connection is served over HTTPS with HSTS, and all stored data is encrypted at rest with AES-256. A strict Content Security Policy and modern security headers are enforced across the application.

Malware scanning on every upload

Every file you upload (photos, videos, voice notes, prelim PDFs, receipts) is scanned for malware by an Australian-resident antivirus service before it can be served. Infected files are quarantined automatically, and the pipeline fails closed.

Strict per-tenant isolation

Each workspace is isolated at the database and storage layer. Access is enforced server-side by security rules on every read and write, so one organisation can never see another organisation's inspections, clients, or reports.

Identity and access

Sign-in is handled by the MyAndGo identity platform with support for Google, Microsoft, email, and magic-link. Two-factor authentication is honoured when enabled, bot protection (App Check / reCAPTCHA v3) guards sign-up, and idle sessions time out automatically.

Backups and recovery

The database runs with point-in-time recovery plus scheduled daily and weekly backups and delete-protection, and file storage keeps prior versions. Your inspection history is protected against accidental loss.

Consent-based AI connectors

When you connect an AI assistant such as Claude or ChatGPT, access uses OAuth 2.1 with PKCE and is gated by per-inspection consent and read or read-and-write scopes you control. You can revoke a connector at any time, and a workspace kill-switch disables AI access entirely.

Continuously audited

The platform is reviewed with regular adversarial security audits across authentication, multi-tenant isolation, backend endpoints, and infrastructure, with findings tracked and fixed. Responsible disclosure details are published at /.well-known/security.txt.

Reporting a vulnerability

We welcome responsible disclosure. If you believe you have found a security issue, email [email protected] with the details and steps to reproduce, and we will respond promptly. Please do not access or modify data that is not your own while testing.

Formal disclosure policy: /.well-known/security.txt