Security Policy
Last Updated: 24 February 2026
LEXYLON | ABN 81 834 713 796
1. Our Commitment
At LEXYLON, security is not an afterthought — it is foundational to everything we build, deliver, and operate. We engineer systems for organisations where failure is not an option: global logistics, financial services, healthcare, and critical infrastructure.
Our security-first philosophy means that every architectural decision, every line of code, and every deployment pipeline is designed with defence-in-depth principles. We treat your data with the same rigour we apply to our own.
This Security Policy outlines how we protect your information, our infrastructure, and our products — including the VOLT macOS application.
2. Data Protection
We implement multiple layers of data protection across all systems:
All stored data is encrypted with AES-256. Database volumes, backups, and file storage are encrypted at the infrastructure level, with keys managed through dedicated key management services rather than stored alongside the data they protect.
All data in transit is protected with TLS 1.3. We enforce HTTPS across all endpoints, APIs, and client-server communications, and HSTS headers are set with a minimum max-age of one year (31536000 seconds) so that browsers refuse to downgrade to plain HTTP.
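A practitioner auditing the HSTS commitment above would want to parse the header a server actually returns and check it against the one-year minimum, including the failure modes (header absent, max-age missing, max-age=0). The following is an added example for this page, not LEXYLON tooling; the header values it checks are constructed for illustration, and the includeSubDomains advisory goes beyond what the policy states.

```python
"""Check Strict-Transport-Security headers against a one-year minimum max-age.

Added example for this policy page; not LEXYLON's own tooling.
The sample header values at the bottom are constructed, not captured.
"""
from typing import Dict, List, Optional

MIN_MAX_AGE = 365 * 24 * 60 * 60  # one year in seconds: 31536000


def parse_hsts(header: str) -> Dict[str, object]:
    """Parse an HSTS header per RFC 6797.

    Directives are ';'-separated, names are case-insensitive, and values
    may be quoted. max-age is mandatory; includeSubDomains and preload are
    valueless flags. Unknown directives are ignored, as the RFC requires.
    """
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def meets_policy(header: Optional[str]) -> bool:
    """True only if the header is present, well-formed, and max-age >= one year."""
    if header is None:
        return False
    try:
        parsed = parse_hsts(header)
    except ValueError:
        return False
    max_age = parsed["max_age"]
    return isinstance(max_age, int) and max_age >= MIN_MAX_AGE


def hsts_findings(header: Optional[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    if header is None:
        return ["Strict-Transport-Security header missing"]
    try:
        parsed = parse_hsts(header)
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    findings: List[str] = []
    max_age = parsed["max_age"]
    if max_age is None:
        findings.append("max-age directive missing (header is invalid per RFC 6797)")
    elif max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age {max_age} is below the one-year minimum of {MIN_MAX_AGE}")
    # Advisory beyond the stated policy: without includeSubDomains, hosts such as
    # staging or API subdomains are not covered by the parent domain's pin.
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains are not covered")
    return findings


if __name__ == "__main__":
    # Constructed sample values covering the compliant case and each failure mode.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        "max-age=0",
        "includeSubDomains",
        None,
    ]
    for sample in samples:
        print(f"{sample!r:55} policy_ok={meets_policy(sample)} findings={hsts_findings(sample)}")
```

Run it against a live host by feeding `response.headers.get("Strict-Transport-Security")` from any HTTP client into `hsts_findings`; the check is deliberately offline here so the parsing logic can be tested on its own.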
Credentials, API keys, tokens, and other secrets are never stored in plaintext. We use environment-isolated secret managers and hardware-backed keystores. Source code repositories are scanned for accidental secret exposure.
We collect and retain only the minimum data necessary for service delivery. Personal data is pseudonymised where possible and purged according to our retention schedule.
3. Application Security (VOLT)
VOLT is built with a local-first, privacy-by-design architecture. Security is embedded at every layer:
4. Infrastructure
Our infrastructure is designed for resilience, performance, and security:
Our web properties are hosted on Framer and Vercel, leveraging their globally distributed edge networks for sub-100ms response times and automatic failover across multiple regions.
Enterprise-grade DDoS mitigation is provided at the edge layer. Traffic is automatically filtered and rate-limited to prevent volumetric, protocol, and application-layer attacks.
We use DNSSEC-enabled providers with automatic certificate management via Let's Encrypt. CAA records restrict certificate issuance to authorised certificate authorities only.
Production, staging, and development environments are fully isolated with separate credentials, network boundaries, and access controls. No development data touches production systems.
5. Access Control
- Principle of Least Privilege — Every team member is granted the minimum access required for their role. Permissions are reviewed quarterly and revoked immediately upon role change or offboarding.
- Multi-Factor Authentication (MFA) — MFA is mandatory for all internal systems, code repositories, cloud providers, and production infrastructure. We enforce hardware security keys where supported.
- Single Sign-On (SSO) — Centralised identity management with SSO reduces credential sprawl and provides a single audit trail for access events.
- Audit Logging — All access to sensitive systems is logged with timestamps, user identity, action performed, and source IP. Logs are retained for a minimum of 12 months and are immutable.
- Device Security — All company devices run full-disk encryption, automatic screen lock, and managed endpoint protection. Remote wipe capability is enabled for all devices with access to company systems.
6. Incident Response
We maintain a documented incident response plan that is tested and updated regularly:
Automated monitoring and alerting across all production systems. Anomalous activity triggers immediate investigation by our engineering team.
Affected systems are isolated immediately. Root cause analysis begins within 1 hour of confirmed incident. Patches and mitigations are deployed on an emergency basis.
Affected clients and, where required, regulators are notified within 72 hours of a confirmed data breach, consistent with the 72-hour supervisory-authority deadline in GDPR Article 33 and the "as soon as practicable" requirement of the Australian Notifiable Data Breaches scheme. Where possible, we aim for notification within 24 hours.
Every incident produces a blameless post-mortem with root cause, impact assessment, and concrete remediation steps. Findings are shared with affected parties as appropriate.
7. Vulnerability Disclosure
We welcome responsible security research and vulnerability reports from the community:
Email hello@lexylon.com.au with the subject line "Security Vulnerability Report". Include a detailed description of the vulnerability, steps to reproduce, and any proof-of-concept code.
We will acknowledge receipt within 2 business days, provide an initial assessment within 5 business days, and keep you informed of remediation progress. We will not pursue legal action against researchers acting in good faith.
Our disclosure program covers lexylon.com.au, all associated subdomains, the VOLT macOS application, and any public-facing APIs. We ask that researchers avoid accessing or modifying other users' data, disrupting services, or publicly disclosing vulnerabilities before a fix is available.
8. Compliance
We align our security practices with recognised standards and regulatory requirements:
Full compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), including the Notifiable Data Breaches (NDB) scheme under Part IIIC.
For EU/EEA users, we implement GDPR-aligned data protection measures including data minimisation, purpose limitation, and rights of access, rectification, and erasure.
We are working towards a SOC 2 Type II attestation, with current practices aligned to the Trust Services Criteria for security, availability, and confidentiality.
All web applications and APIs are developed with the OWASP Top 10 risk categories as the baseline. Code reviews and automated scanning are integrated into our CI/CD pipeline.