Security & Trust
Last updated: 26 June 2026
At BiteSpaces, protecting the people who use our platform — community space owners and mobile food vendors across Australia — is a responsibility we take seriously. This page explains, in plain terms, how we protect your data today and where we are heading.
An honest note on certifications
We want to be transparent: BiteSpaces is not currently SOC 2 or ISO 27001 certified. These are independent, audited attestations that take time to earn. We have built a strong technical security foundation and are actively working through a structured readiness program toward those standards. We will only ever claim a certification once an accredited auditor has issued it.
How we protect your data today
Encryption
- All traffic to BiteSpaces is encrypted in transit using HTTPS/TLS, with HSTS enforced.
- Your data is encrypted at rest by our cloud infrastructure providers (Google Firebase).
- Sensitive vendor compliance documents are stored in private storage and shared only through short-lived, access-controlled links.
Authentication & access
- Authentication is handled by Firebase Authentication, with server-side verification of every session, including immediate revocation of disabled accounts.
- Strong password requirements are enforced (minimum 10 characters with mixed character types).
- Strict server-side authorization so users can only access their own data, with separate protections for administrative actions.
Application & infrastructure security
- Hardened HTTP security headers (Content Security Policy, HSTS, clickjacking and MIME-sniffing protections, and more).
- Rate limiting across the platform to defend against abuse and brute-force attempts.
- Input validation and sanitisation to protect against common web attacks.
- Secure file uploads with type, size, and filename restrictions.
- Append-only logging of security-relevant events to support monitoring and investigation.
Payments
- Payments are processed by Stripe, a PCI-DSS compliant provider. We do not store your card numbers.
- Payment amounts are calculated and verified server-side, and payment notifications are cryptographically verified.
Privacy
- We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles. See our Privacy Policy.
- You can export or delete your personal data at any time from your account.
- We follow the Notifiable Data Breaches scheme for any eligible breach.
Our roadmap toward SOC 2 & ISO 27001
Becoming audit-ready is a journey of both technology and process. We have documented an internal compliance program — including security policies, a risk register, incident response, and vendor management — and are working through it methodically. Current focus areas include:
- Enforcing multi-factor authentication across administrative access.
- Centralised, retained security logging and alerting.
- Regularly tested backups and disaster recovery.
- Independent penetration testing and ongoing vulnerability management.
A note on vendor documents
BiteSpaces provides tools for vendors to share compliance documents (such as permits, insurance, and Working With Children Checks) with space owners. We securely store and transmit these documents, but BiteSpaces does not independently verify them. Space owners are responsible for reviewing documents and satisfying their own due-diligence and regulatory obligations.
Reporting a security issue
We welcome reports from security researchers and users. If you believe you have found a vulnerability, please contact us at security@bitespaces.com.au. You can also review our security.txt. Please give us a reasonable opportunity to investigate and address the issue before public disclosure.
Questions about our security or privacy practices? Reach out at security@bitespaces.com.au.