Security Policy

Snowvault Pty Ltd | ABN 22 677 502 911

Last updated: February 2026

1. Introduction

At Snowvault, security is foundational to everything we build. Our platform is designed to safely handle sensitive organisational knowledge, documents and workflows while enabling AI-assisted creation, curation and collaboration.

This security policy summarises the controls, principles and practices we use to protect customer data.

2. Security Framework

Tenancy Model

Snowvault is a multi-tenant platform with strict logical isolation between customer organisations.

Each organisation's data is isolated at the tenancy and workspace level. Access boundaries are enforced using scoped identities, tenancy-aware authorisation checks, and least-privilege policies. Platform management operations are performed via shared services that are technically prevented from accessing customer content unless explicitly authorised for support or troubleshooting.

Data Movement

Data movement is configured per organisation and per connector (such as Microsoft 365).

All processing occurs in ephemeral execution environments with no persistent local storage. Execution context, authorisation and tenancy identity are bound together for every request, preventing cross-tenant data access. AI processing and agent execution operate only on data explicitly authorised within the current workspace or workflow context.

Data Storage

Customer data is stored in logically isolated data stores with tenancy-scoped access controls.

Role-based access control restricts access to data by organisation, workspace and role. Write paths such as ingestion, indexing and enrichment are segregated from read paths such as retrieval, analysis and generation. Vectorised and derived representations inherit the same tenancy and access constraints as their source documents.

Secrets and Access Credentials

Credentials for connected systems are stored only as required to operate approved integrations.

Secrets are stored in a secure, encrypted secrets vault managed by the cloud provider. Customer secrets are encrypted using dedicated encryption keys per organisation. Access to customer credentials is tightly restricted, logged, and limited to authorised Snowvault operations staff when required for support or incident resolution.

Encryption

All data is encrypted in transit using modern TLS standards.

All data is encrypted at rest, including documents, metadata, derived artefacts and backups. Encryption key management follows cloud-provider best practices with separation between data and key access.

3. Zero Trust Model

Snowvault operates under a zero-trust security model.

  • Every request requires explicit authentication and authorisation
  • All services operate using least-privilege identities
  • Ephemeral compute services run with scoped permissions and no standing credentials
  • Internal service-to-service communication uses managed credentials and message validation
  • External endpoints are protected by Web Application Firewalls with protections against common web-based threats, including the OWASP Top 10

4. Cloud Native Infrastructure

Snowvault is built using modern cloud-native infrastructure and trusted third-party services.

Cloud Infrastructure

Snowvault runs on Amazon Web Services (AWS).

Infrastructure is deployed using infrastructure-as-code and environment isolation. IAM roles and policies enforce strict resource access boundaries. AWS provides a broad range of security and compliance certifications, including SOC and ISO standards.

Connected Platforms

Snowvault integrates with customer systems such as Microsoft 365 using OAuth-based delegated access.

Data access is limited to explicitly authorised scopes and locations. Snowvault does not modify or delete customer source data unless explicitly instructed.

5. Security Operations

Identity and Access Control

Access to Snowvault internal systems is managed through single sign-on with mandatory multi-factor authentication.

Strong password policies and access controls are enforced. Role-based access controls restrict access to customer data to authorised personnel only. Administrative access is tightly limited, logged and reviewed.

Compliance, Monitoring and Alerting

Snowvault employs layered security controls across awareness, preventative, detective and remediation categories.

Cloud audit logs and configuration state are continuously monitored. Automated detection mechanisms identify anomalous or non-compliant behaviour. Automated remediation is applied where safe to do so, and alerts are raised to operations staff for investigation and escalation when required.

Secure Software Delivery

All production changes follow peer-reviewed pull request workflows.

Infrastructure and configuration changes are managed using infrastructure-as-code. Automated static application security testing and dependency scanning are used to detect vulnerabilities. Identified issues are tracked and remediated as part of the software development lifecycle.

6. Incident Response

Snowvault maintains an incident response framework to ensure rapid and consistent handling of security events.

The incident response process includes containment, analysis, remediation, and post-incident review. Customers are notified of incidents in accordance with contractual and regulatory obligations.

7. Audit and Logging

Authentication events, data access, administrative actions and system changes are logged.

Audit logs are retained in tamper-resistant storage and monitored for anomalous behaviour. Logs support forensic investigation and incident response activities when required.

8. Contact

For security-related enquiries, please contact us.