Security Policy
Effective date: 10 April 2026
Last updated: 12 May 2026
This Security Policy describes how BatchBuddy, operated by The Little Tamar Dairy Company Pty Ltd (ABN 57 624 539 699), protects the data you entrust to us and how you can report security concerns.
1. Our approach
Security is foundational, not optional. We design every feature with data protection in mind and operate on the principle of least privilege — you and your team have access only to the data you need for your role.
2. Data protection
2.1 Encryption in transit
All traffic between your browser and BatchBuddy is encrypted using TLS 1.2 or higher. We do not accept unencrypted HTTP connections to any BatchBuddy service.
2.2 Encryption at rest
Your production data (recipes, batches, equipment, control points) is stored in managed database services with encryption at rest enabled by default.
2.3 Authentication
We use WorkOS AuthKit for authentication. Passwords are never stored in plaintext — WorkOS handles credential hashing and verification using industry-standard algorithms. We also support social sign-in (Google, GitHub) so you never need to create a BatchBuddy-specific password if you don’t want to.
3. Access control
BatchBuddy uses role-based access control (RBAC) scoped to your organization. Every query and mutation is checked against the authenticated user’s role and organization membership before returning data.
- You can only see data that belongs to your organization.
- Staff with lower-permission roles cannot access admin-only data.
- API requests without a valid session token are rejected.
4. Vulnerability disclosure
If you believe you have found a security vulnerability in BatchBuddy, we want to hear from you. Please report it responsibly by emailing security@batchbuddy.io.
We ask that you:
- Give us a reasonable amount of time to investigate and fix the issue before disclosing it publicly.
- Avoid accessing or modifying data that does not belong to you.
- Avoid degrading the service for other users (no denial-of-service testing).
We will acknowledge your report within 3 business days and keep you updated as we investigate. We do not currently run a paid bug bounty program, but we will publicly credit you for valid reports if you wish.
Our machine-readable security contact is also published at /.well-known/security.txt in accordance with RFC 9116.
5. Incident response
In the event of a confirmed security incident that affects your data, we will notify you directly via email as soon as we have enough information to be useful. We aim to provide an initial notification within 72 hours of confirming an incident, in line with our obligations under the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)).
6. Third parties
BatchBuddy relies on a small number of trusted third-party services:
- WorkOS — authentication and session management
- Convex — database and backend runtime
- Cloudflare — edge hosting and DDoS protection
- Loops — transactional and lifecycle email delivery
Each of these vendors operates under its own security and compliance program. We review their posture before integration and periodically thereafter.
7. Contact
Security questions or concerns that are not vulnerability reports can be sent to support@batchbuddy.io.