We take your security seriously — because governance and trust matter.
TidyHQ and TidyConnect are used by thousands of community organisations, peak bodies, and educational institutions. From local committees to national governing bodies, our users rely on Tidy to manage sensitive information, workflows, and conversations. Here's how we keep your data secure:
Hosted in Australia (AWS Sydney Region)
All Tidy data is hosted securely in Amazon Web Services (AWS) data centres, specifically in the Sydney region. AWS is a globally trusted infrastructure provider with industry-leading certifications and compliance standards.
Multi-Zone Redundancy
All data is written to multiple disks instantly, backed up daily, and stored across multiple availability zones to ensure durability and disaster recovery readiness.
Encryption In Transit and At Rest
All traffic between your browser and Tidy is encrypted using TLS 1.2 or higher. Files uploaded to Tidy are encrypted at rest. Sensitive fields (e.g., passwords) are hashed or encrypted using industry best practices.
Platform Data
All files, messages, and task content are protected by strict access controls. While structured platform data (e.g. tasks, messages, timelines) is active in our application database and not individually encrypted at rest, all infrastructure is secured and access-controlled.
Regular Security Patching
Our systems are kept up-to-date with the latest security patches and best practices. We continually assess and strengthen our infrastructure against emerging threats.
Internal Access Controls
Only authorised staff can access production systems, and access is tightly restricted and monitored.
Zero Trust Philosophy
We follow the principle of least privilege — no one gets access unless it’s required and justified.
Tidy is not formally certified, but we follow the principles and practices outlined in ISO 27001, SOC 2, and the Australian Privacy Principles (APPs) in the design of our infrastructure and operations.
Top-Tier Data Centres
Our cloud infrastructure is hosted within AWS facilities, which maintain strict physical security protocols including:
- 24/7 monitoring and surveillance
- Biometric access controls
- Redundant power, HVAC, and fire suppression
PCI-DSS Compliant Payments
All payments are processed via trusted payment processors with PCI-DSS Level 1 compliance — the highest level of certification in the payments industry. Tidy does not store or process your full credit card details directly. PCI-Compliant network.
Secure Login & Permissioning
Admin access is permission-based, with all actions tracked in an activity log. We offer strong password policies and secure email-based authentication for all users.
Passkeys & MFA (Coming Soon)
We’re actively rolling out support for Passkeys and multi-factor authentication (MFA) to further protect account access with next-generation, passwordless login options.
Audit Trails & Activity Logs
All user actions are logged to ensure accountability and transparency — essential for good governance and safeguarding practices.
Who has access to your data?
Only a small number of authorised engineers have access to production data - and only for legitimate operational reasons. Every access is logged and regularly reviewed.
Ongoing Risk Assessments
We continuously evaluate our platform for vulnerabilities and apply industry best practices to mitigate risk.
Responsible Disclosure
Security researchers are welcome to report vulnerabilities responsibly via security@tidyhq.com.
Where is my data stored?
All Tidy data is securely stored in AWS data centres located in Sydney, Australia.
Is children’s or sensitive information protected?
Yes. All information is permission-controlled and logged. Admins can control who sees what, and all interactions are tracked for accountability.
We’re here to help. Reach out to security@tidyhq.com if you’d like further details or a copy of our internal security policies.