Security & Trust
Effective date: 10 June 2026 · Last updated: 10 June 2026
ProspeQ is operated by NovaSQ Pty Ltd (ABN 34 693 165 114) trading as ProspeQ. We take the security and privacy of your data seriously. Here is how the service is built.
Hosting and data location
- Your data is held on Australian servers - a primary server in Melbourne and an encrypted offsite replica at a second Australian location for disaster recovery. Both are in Australia.
- Our backups are also held in Australia. Some processing necessarily involves overseas providers (notably the AI providers in the United States, our payment processor, and our CDN provider Cloudflare) - see our Sub-processors page. We do not claim that all processing happens in Australia.
Tenant isolation
- ProspeQ is multi-tenant. Each organisation's data is logically isolated and access-controlled at the database layer using row-level security and per-organisation scoping, so one customer cannot see another's data.
Authentication and access
- Passwords are stored hashed (bcrypt), never in plain text.
- Multi-factor authentication (TOTP) is required for accounts created on or after 10 June 2026, set up at first sign-in. Organisations can require it for all members. Accounts created before that date may enable it.
- Sessions use signed tokens with server-side revocation and "sign out everywhere"; login is rate-limited with account lockout on repeated failures.
- Staff access is least-privilege and logged; any staff support access to a tenant is recorded and the organisation owner is notified.
Encryption
- In transit: all traffic is encrypted with TLS.
- At rest: in our production environment, customer data is held on an AES-256 encrypted volume (encryption at rest); the encryption key is managed on the hosting appliance. (We do not offer customer-managed keys or a separate hardware security module.)
Payments
- Card payments are handled entirely by Stripe; card data never reaches NovaSQ's servers. We hold only billing metadata.
Logging, monitoring and audit
- We keep an audit log of data-modifying actions (who, what, when), security event logging, and error monitoring to support investigations.
Backups and recovery
- Data is backed up daily; snapshots are encrypted and held in Australia on a rolling 30-day retention window, with an encrypted offsite copy at a second Australian location.
Data breach response
- We maintain a documented incident-response process aligned with Australia's Notifiable Data Breaches scheme: we assess any eligible breach promptly (and in any case within 30 days of becoming aware of it) and, where required, notify the OAIC and affected individuals as soon as practicable. Where affected individuals (including prospects) cannot reasonably be contacted directly, we may notify by publishing a statement, as the scheme permits.
Designed to prevent spam, not enable it
- ProspeQ prepares research and drafts outreach for a human to review - it does not blast messages on your behalf. This human-in-the-loop, relevance-first design is deliberate.
Sub-processors and DPA
- The third parties that help us run the service are listed on our Sub-processors page. A Data Processing Agreement is available on request - email info@prospeq.com.au.
Reporting a security issue
- Please report any suspected vulnerability or security concern to info@prospeq.com.au. We appreciate responsible disclosure and will respond promptly.
