Security
How we protect your data and your account
At NextFrameBase, the security of your personal information, financial data and account is our highest priority. We employ multiple layers of industry-leading security measures to ensure that your experience on our platform is safe and secure.
- SSL/TLS Encryption: All data in transit encrypted with TLS 1.3
- AES-256 Encryption: Sensitive data at rest protected with military-grade encryption
- Two-Factor Auth: Extra layer of account protection with 2FA
- PCI DSS Compliant: Payment card data handled to the highest standards
1. Data Encryption
1.1 Encryption in Transit
All communication between your browser and NextFrameBase servers is encrypted using TLS 1.3 (Transport Layer Security), the latest and most secure version of the protocol. This ensures that any data you send to us — including login credentials, personal details and payment information — cannot be intercepted or read by third parties.
Our SSL certificates are issued by trusted Certificate Authorities and use RSA 2048-bit or higher key lengths. We enforce HTTPS across our entire platform with HTTP Strict Transport Security (HSTS) headers.
1.2 Encryption at Rest
Sensitive data stored on our servers, including passwords, financial information and identity documents, is encrypted using AES-256 encryption. This is the same encryption standard used by banks, government agencies and military organisations worldwide.
Passwords are never stored in plain text. We use industry-standard password hashing algorithms (bcrypt with appropriate cost factors) with unique salts for each user, making it computationally infeasible for anyone — including NextFrameBase staff — to recover your password from the stored hash.
2. Account Security Features
2.1 Two-Factor Authentication (2FA)
We strongly recommend enabling two-factor authentication on your account. With 2FA enabled, you will need to provide a one-time code from your authenticator app (such as Google Authenticator or Authy) in addition to your password when logging in. This significantly reduces the risk of unauthorised access, even if your password is compromised.
To enable 2FA, navigate to "My Account" > "Security" > "Two-Factor Authentication".
2.2 Session Management
- Automatic timeout: Sessions are automatically terminated after 30 minutes of inactivity.
- Concurrent session limits: You can only be logged in from a limited number of devices simultaneously.
- Session overview: View and manage all active sessions from your account settings, and remotely log out of any device.
2.3 Login Notifications
You will receive an email notification whenever your account is accessed from a new device or location. If you did not authorise this login, you can immediately secure your account by changing your password and contacting our support team.
2.4 Account Lockout
After five consecutive failed login attempts, your account will be temporarily locked for 15 minutes to prevent brute-force attacks. Repeated lockouts may trigger additional security verification steps.
3. Infrastructure Security
3.1 Hosting and Data Centres
NextFrameBase infrastructure is hosted in Tier III+ data centres located in Australia. Our data centres feature:
- 24/7 physical security with biometric access controls and CCTV surveillance.
- Redundant power supplies with uninterruptible power systems (UPS) and backup generators.
- Redundant network connectivity with multiple internet service providers.
- Fire suppression and environmental monitoring systems.
- Geographic redundancy with data replicated across multiple locations for disaster recovery.
3.2 Network Security
- Web Application Firewall (WAF): Protects against common web attacks including SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF).
- DDoS protection: Enterprise-grade distributed denial-of-service mitigation to ensure platform availability.
- Intrusion Detection/Prevention Systems (IDS/IPS): Real-time monitoring for suspicious network activity.
- Network segmentation: Critical systems are isolated on separate network segments with strict access controls.
3.3 Application Security
- Secure software development lifecycle (SDLC) with security reviews at every stage.
- Regular code reviews and static/dynamic application security testing (SAST/DAST).
- Dependency scanning to identify and patch vulnerable third-party libraries.
- Content Security Policy (CSP) headers to prevent cross-site scripting attacks.
- Input validation and output encoding to protect against injection attacks.
4. Payment Security
NextFrameBase is PCI DSS Level 1 compliant — the highest level of certification in the Payment Card Industry Data Security Standard. This means:
- Payment card data is processed by certified third-party payment providers and is never stored on our servers.
- All payment transactions are encrypted and tokenised.
- Regular PCI DSS audits are conducted by qualified security assessors.
- We implement strong access controls and monitoring for all payment-related systems.
We support 3D Secure (Verified by Visa / Mastercard SecureCode) for an additional layer of payment authentication.
5. Security Auditing and Testing
We maintain a rigorous security testing programme:
- Penetration testing: Independent third-party penetration tests are conducted at least annually, and after any major platform changes.
- Vulnerability scanning: Automated vulnerability scans are run weekly across our infrastructure and applications.
- Security audits: Comprehensive security audits are performed by external auditors on an annual basis.
- Log monitoring: Centralised log management and Security Information and Event Management (SIEM) systems monitor for anomalous activity 24/7.
6. Incident Response
NextFrameBase maintains a documented Incident Response Plan that outlines procedures for detecting, responding to and recovering from security incidents. Key elements include:
- A dedicated incident response team available 24/7.
- Defined escalation procedures and communication protocols.
- Notification of affected users within 72 hours of a confirmed data breach, as required by the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.
- Post-incident review and remediation processes.
- Notification to AUSTRAC, OAIC and other relevant regulators as required by law.
7. Responsible Disclosure Programme
We value the security research community and encourage the responsible disclosure of security vulnerabilities. If you discover a potential security issue on our platform, we ask that you report it to us privately so we can address it before it can be exploited.
Report a vulnerability: Email security@nextframebase.com with details of the vulnerability, steps to reproduce it, and your contact information.
Disclosure Guidelines
- Do not access, modify or delete data belonging to other users.
- Do not perform denial-of-service attacks or disrupt platform operations.
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days).
- Provide sufficient detail for us to reproduce and verify the issue.
- Act in good faith and comply with all applicable laws.
What We Offer
- Acknowledgement of your report within 2 business days.
- Regular updates on the status of the remediation.
- Public acknowledgement (with your permission) once the issue is resolved.
- We will not pursue legal action against researchers who comply with these guidelines.
8. Your Security Responsibilities
While we work hard to protect your account, you also play an important role in keeping your information secure:
- Use a strong, unique password: At least 12 characters with a mix of uppercase, lowercase, numbers and symbols. Do not reuse passwords from other websites.
- Enable two-factor authentication: This is the single most effective step you can take to protect your account.
- Keep your software updated: Ensure your browser, operating system and antivirus software are always up to date.
- Beware of phishing: NextFrameBase will never ask for your password via email, phone or chat. If you receive a suspicious message claiming to be from us, do not click any links — contact us directly to verify.
- Secure your email: Your email account is a gateway to your NextFrameBase account (via password resets). Protect it with a strong password and 2FA.
- Log out on shared devices: Always log out of your account when using a shared or public computer.
- Monitor your account: Regularly review your transaction history and active sessions for any unauthorised activity.
9. Contact Our Security Team
NextFrameBase Security Team
Email: security@nextframebase.com
For general enquiries: nextframebase.com/contact