Security & Compliance

Security built into the architecture

Not bolted on. Not an afterthought. Security and data protection are architectural decisions at Mustr — from database-level tenant isolation to encryption of sensitive employment records.

How we protect your data

Security practices

Australian data residency

Primary infrastructure runs in the DigitalOcean Sydney (SYD1) region. Customer data at rest stays in Australia — see the Trust Centre for the full subprocessor list.

Encryption at rest and in transit

All data encrypted in transit via TLS 1.3 (HTTPS everywhere). Sensitive fields (TFN, bank details) are AES-256 encrypted at rest before storage.

Row-level security (RLS)

PostgreSQL Row-Level Security enforces tenant isolation at the database level. It is architecturally impossible for a query to return another tenant's data.

Authentication & access control

JWT sessions with httpOnly cookies (not localStorage). Bcrypt password hashing. Rate limiting (5 attempts per 15 minutes per IP). Session invalidation on role change.
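The rate limit quoted above (5 attempts per 15 minutes per IP) can be implemented as a sliding window keyed by source address. The following is an added example written for this page, not Mustr's own code; the class and method names (`LoginRateLimiter`, `check`, `record`, `handleLogin`) and the sample IP addresses are assumptions, and the clock is injectable so the behaviour can be exercised without waiting fifteen minutes.

```javascript
// Added example, not Mustr's code: a sliding-window login rate limiter that
// implements the stated policy of 5 attempts per 15 minutes per source IP.
// Class and method names (LoginRateLimiter, check, record) are assumptions.

const WINDOW_MS = 15 * 60 * 1000;
const MAX_ATTEMPTS = 5;

class LoginRateLimiter {
  // `now` is injectable so the limiter can be tested without waiting 15 minutes.
  constructor({ windowMs = WINDOW_MS, maxAttempts = MAX_ATTEMPTS, now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.maxAttempts = maxAttempts;
    this.now = now;
    this.attempts = new Map(); // ip -> ascending list of attempt timestamps (ms)
  }

  // Drop timestamps that have aged out of the window; keeps memory bounded.
  prune(ip) {
    const cutoff = this.now() - this.windowMs;
    const recent = (this.attempts.get(ip) || []).filter((t) => t > cutoff);
    if (recent.length === 0) this.attempts.delete(ip);
    else this.attempts.set(ip, recent);
    return recent;
  }

  // Decide whether a login request from `ip` may proceed. Does not record it.
  // Returns { allowed, remaining, retryAfterMs } so the API can emit Retry-After.
  check(ip) {
    const recent = this.prune(ip);
    if (recent.length < this.maxAttempts) {
      return { allowed: true, remaining: this.maxAttempts - recent.length, retryAfterMs: 0 };
    }
    // The oldest attempt still inside the window is the one that expires next.
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - this.now() };
  }

  // Record an attempt. Counting every request rather than only failures is the
  // stricter choice and keeps the policy simple to reason about.
  record(ip) {
    const recent = this.prune(ip);
    recent.push(this.now());
    this.attempts.set(ip, recent);
  }
}

// How a login handler would consult the limiter before touching credentials.
// Returns a minimal status object instead of writing to a real response.
function handleLogin(limiter, ip) {
  const verdict = limiter.check(ip);
  if (!verdict.allowed) {
    return { status: 429, retryAfterSeconds: Math.ceil(verdict.retryAfterMs / 1000) };
  }
  limiter.record(ip);
  return { status: 200 };
}
```

The `ip` passed in must come from a source the application trusts: directly from the socket, or from a forwarding header only when a proxy the operator controls sets it, otherwise a client can reset its own bucket by spoofing the header.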

RBAC permission matrix

Role-based access control with four roles (Employee, Manager, Admin, Owner). Every API procedure checks permissions before executing. No implicit access.

Audit logging

All administrative actions logged with timestamp, user, and change detail. Pay calculations produce step-by-step audit trails. All records tamper-evident.

7-year record retention

Time records, wage records, leave records, and superannuation records retained for the Fair Work Act minimum of 7 years. Deletion before that is prevented.

Security headers

HSTS with 2-year max-age, CSP restricting resource origins, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin.
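A practitioner verifying the header policy above would want a check that flags a missing or weakened header rather than trusting the deployment. The following is an added example, not Mustr's code or tooling: `checkSecurityHeaders` and the wording of each finding are assumptions, and both header sets are constructed samples, one matching the stated policy and one with typical weaknesses.

```javascript
// Added example, not Mustr's code: audit an HTTP response's headers against the
// policy listed on this page. Function name, finding strings and the two sample
// header sets are assumptions constructed for the example.

const TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60; // 63072000

// Referrer policies at least as strict as strict-origin.
const ACCEPTABLE_REFERRER = new Set(['no-referrer', 'strict-origin', 'strict-origin-when-cross-origin']);

function checkSecurityHeaders(headers) {
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value).trim();
  const findings = [];

  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('HSTS missing');
  else if (!maxAge || Number(maxAge[1]) < TWO_YEARS_SECONDS) findings.push('HSTS max-age below 2 years');

  const csp = h['content-security-policy'];
  if (!csp) findings.push('CSP missing');
  else if (!/(^|;)\s*(default-src|script-src)\s/i.test(csp)) findings.push('CSP sets no default-src or script-src');

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!ACCEPTABLE_REFERRER.has((h['referrer-policy'] || '').toLowerCase())) findings.push('Referrer-Policy weaker than strict-origin');

  return findings;
}

// Constructed sample: a response that satisfies the policy on this page.
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin',
};

// Constructed sample: one-year HSTS, a CSP that never restricts scripts,
// framing allowed from the same origin, sniffing unrestricted, leaky referrers.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000',
  'Content-Security-Policy': "img-src 'self'",
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'unsafe-url',
};
```

Run it against live responses by feeding in the header object from whatever HTTP client the deployment check uses; an empty findings list means every header on the page's list is present at the stated strength.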

Regulatory compliance

Built for Australian law

Fair Work Act 2009

National employment standards, award system, record-keeping obligations.

Privacy Act 1988 (+ 2024 amendments)

Data handling, automated decision transparency, breach notification.

Closing Loopholes Acts 2023/2024

Right to disconnect, casual conversion, wage theft criminalisation.

Superannuation Guarantee Act

SG obligations, Payday Super readiness (July 2026).

Legal entity

Keystone Systems

ABN 16 401 201 936

Perth, Western Australia

For security inquiries: security@mustr.com.au

Your data. In Australia. Encrypted. Isolated.

Request private pilot access with confidence. Customer data stays in Australia.
