Trust

Security

Last updated 11 July 2026

Access controls

Administrator access uses email verification and server-managed sessions. Backend authorization enforces platform, organization and location boundaries. Employee access uses an employee number and PIN where configured.

Data protection

Traffic is served over HTTPS in production. Security headers restrict framing and browser capabilities. Sensitive integration tokens are encrypted before storage when the required production encryption secret is configured.

Evidence storage

Attendance photos are private and require an authorized request. The production design uses private object storage with a controlled legacy database fallback during migration. Downloads are marked private and non-cacheable.

Operational controls

Important changes create activity history. Rate limits protect authentication and public enquiry routes. Database migrations, backups, monitoring and rollback checks form part of the release process.

Responsible reporting

To report a suspected vulnerability, email hello@inoutpro.com.au with a concise description and reproduction steps. Do not access, alter or download data that is not yours.