Security
Last updated 11 July 2026
Access controls
Administrator access uses email verification and server-managed sessions. Backend authorization enforces platform, organization and location boundaries. Employee access uses an employee number and PIN where configured.
Data protection
Traffic is served over HTTPS in production. Security headers restrict framing and browser capabilities. Sensitive integration tokens are encrypted before storage when the required production encryption secret is configured.
Evidence storage
Attendance photos are private and require an authorized request. The production design uses private object storage with a controlled legacy database fallback during migration. Downloads are marked private and non-cacheable.
Operational controls
Important changes create activity history. Rate limits protect authentication and public enquiry routes. Database migrations, backups, monitoring and rollback checks form part of the release process.
Responsible reporting
To report a suspected vulnerability, email hello@inoutpro.com.au with a concise description and reproduction steps. Do not access, alter or download data that is not yours.