Last updated: 7 April 2026 · Rostrum (developer preview)
Australian-hosted infrastructure. All data is stored and processed in AWS ap-southeast-2 (Sydney, Australia). No data is transferred outside Australia for processing.
Privacy Policy
Rostrum (referred to as "we", "us", or "our") is committed to protecting personal information
in accordance with the Australian Privacy Principles (APPs) under the
Privacy Act 1988 (Cth).
What information we collect
We collect and hold the following types of information:
- Account information — email address provided when requesting API access.
- API usage data — API keys (stored as SHA-256 hashes, never in plaintext), request counts, quota usage, and timestamps of API operations.
- Auction data — auction titles, bid amounts, currencies, and outcomes submitted via the Rostrum API. This data is owned by the customer who submitted it.
- Technical data — log records necessary for security, debugging, and billing (IP addresses retained for 30 days, then deleted).
How we use it (APP 6 — use and disclosure)
We use personal information only for the primary purpose it was collected:
- Operating and providing the Rostrum API service
- Enforcing write quotas and managing API keys
- Communicating service-related updates (not marketing without consent)
- Security monitoring and abuse prevention
We do not sell, rent, or share personal information with third parties for marketing purposes.
Third-party sub-processors
We use the following sub-processors to operate the service, all of which process data in Australia:
- Amazon Web Services (AWS) ap-southeast-2 — compute, database (RDS PostgreSQL), cache (ElastiCache Redis), and queuing (SQS)
Data retention (APP 11 — security)
- API key records: retained for the life of the account, deleted within 30 days of account closure.
- Auction and bid data: retained for 12 months after the auction closes, then deleted.
- API write logs (quota tracking): retained for 13 months (to support monthly quota resets), then deleted.
- IP address logs: retained for 30 days, then deleted.
Access and correction (APP 12 & 13)
You may request access to, or correction of, personal information we hold about you.
Email [email protected] with your request.
We will respond within 30 days.
Complaints (APP 1)
If you believe we have breached an APP, you may lodge a complaint by emailing
[email protected].
We will acknowledge your complaint within 5 business days and respond substantively within 30 days.
If you are not satisfied with our response, you may escalate to the
Office of the Australian Information Commissioner (OAIC).
Data Residency
All Rostrum data is stored and processed exclusively in AWS ap-southeast-2 (Sydney, Australia).
This applies to:
- The API application and Lambda runtime
- PostgreSQL database (RDS, Sydney region)
- Redis cache (ElastiCache, Sydney region)
- Message queues (SQS, Sydney region)
No customer data is transferred outside Australia for storage or processing.
This makes Rostrum suitable for Australian businesses with data sovereignty requirements.
Security
Encryption
- In transit: All API endpoints are HTTPS-only (TLS 1.2+). ElastiCache Redis uses TLS for in-transit encryption. No unencrypted connections are accepted.
- At rest: RDS PostgreSQL storage is encrypted at rest (AES-256). ElastiCache Redis data is encrypted at rest. SQS queues use AWS-managed encryption.
API key handling
- API keys are stored as SHA-256 hashes — raw tokens never appear in our database or logs.
- Keys are transmitted only over HTTPS and are never logged in plaintext.
Access controls
- All data access is scoped to customer_id — customers can only access their own auctions and bids.
- The ops dashboard is protected by password authentication and a 24-hour JWT session with brute-force rate limiting (5 failed attempts trigger a 5-minute lockout).
- AWS IAM roles follow least-privilege: Lambda functions have only the permissions they require.
Vulnerability management
We run automated dependency audits (npm audit) and patch high-severity CVEs within 24 hours.
To report a security vulnerability, email [email protected].
We aim to acknowledge reports within 24 hours.
Compliance Contact
For privacy, security, or compliance enquiries — including enterprise or government
procurement evaluation — email [email protected].
Entity: Rostrum (developer preview). ABN registration in progress.
Jurisdiction: New South Wales, Australia
Privacy Act compliance: Australian Privacy Principles (Privacy Act 1988 (Cth))