Security

Effective Date: 1 January 2025 · Last Updated: 1 January 2025

Our Approach to Security

At Aurevault Precious Metals Pty LTD, the security of your assets, personal information, and our operational infrastructure is our highest priority. We employ a layered, defence-in-depth approach that integrates physical, operational, digital, and procedural security controls across every aspect of our business. Our security program is designed to meet or exceed the standards expected of institutional-grade precious metals custodians and is subject to regular independent audit and review.

Physical Vault Security

Class 5 rated vault rooms with reinforced concrete, time-delayed access, and multi-point locking mechanisms.

Biometric Access Control

Multi-factor authentication, including fingerprint and retinal-scan biometrics and PIN verification, for all vault access.

24/7 Surveillance

Continuous CCTV monitoring with on-site and off-site security personnel, motion detection, and tamper alerts.

Digital Infrastructure

256-bit AES encryption, TLS 1.3, multi-factor authentication, and ISO 27001 aligned information security controls.

Intrusion Detection

Multi-zone alarm systems with seismic, thermal, and vibration sensors connected to 24/7 monitoring centres.

Comprehensive Insurance

All-risk insurance covering theft, loss, damage, and natural disaster for the full declared value of stored assets.

Independent Audit

Annual independent security audits and penetration testing by accredited third-party security consultants.

Disaster Recovery

Geographically distributed backup systems with defined RTOs and RPOs to ensure business continuity.

1. Physical Security

Our vault facilities are purpose-built to the highest physical security standards and incorporate the following measures:

  • Vault Construction: Class 5 rated vault rooms constructed with reinforced concrete walls, floors, and ceilings, integrated steel reinforcing bar (rebar) mesh, and anti-drill, anti-cut, and anti-torch plate. Vault doors are multi-point locking with time-delay mechanisms and dual custody (two-person) opening protocols.
  • Access Control: All access to secure areas requires multi-factor authentication combining biometric verification (fingerprint and/or retinal scan), personal identification number (PIN), and physical access credentials. Access is restricted to authorised personnel only and is logged and auditable at all times.
  • Surveillance: High-definition, 360-degree CCTV cameras are deployed throughout all facilities, including vault rooms, corridors, loading bays, and external perimeters. All footage is recorded, stored for a minimum of 90 days, and monitored in real time by on-site and off-site security operations centres. Video analytics, including motion detection, facial recognition, and behavioural anomaly detection, are employed.
  • Intrusion Detection: Multi-zone alarm systems incorporating seismic sensors (to detect drilling, cutting, or forced entry attempts), passive infrared (PIR) motion sensors, vibration sensors, glass break detectors, and magnetic door contacts. All alarms are connected to a 24/7 monitoring centre with armed response capability.
  • Perimeter Security: Secure perimeter fencing with anti-climb and anti-cut features, controlled vehicle entry with bollards and barriers, security lighting with backup power, and manned security checkpoints.
  • Environmental Controls: Climate-controlled vault environments with fire suppression systems (clean agent / inert gas), smoke and heat detection, flood detection and mitigation, and uninterruptible power supply (UPS) with generator backup.

2. Secure Transport

All transportation of precious metals and high-value assets is conducted via armoured vehicles operated by licensed and vetted security personnel. Transport operations include:

  • GPS-tracked armoured vehicles with real-time monitoring and geofencing alerts.
  • Dual-custody protocols requiring a minimum of two authorised security personnel for all asset movements.
  • Pre-planned and risk-assessed routes with contingency route options.
  • Tamper-evident seals and serialised packaging for all shipments with photographic chain-of-custody documentation at each transfer point.
  • Full insurance coverage for the declared value of assets during the entire transit period.
  • Immediate notification to the client upon departure, arrival, and secure handover of assets.

3. Digital and Information Security

Our digital security program is aligned with AS/NZS ISO 27001 information security management principles and includes the following controls:

  • Encryption: All sensitive data is encrypted at rest using 256-bit AES encryption and in transit using TLS 1.3 or higher. Cryptographic keys are managed through a hardware security module (HSM) with strict access controls and key rotation policies.
  • Authentication: Multi-factor authentication (MFA) is required for all user accounts and administrative access. Password policies enforce minimum complexity, length, and rotation requirements. Privileged access management (PAM) solutions are deployed for all systems containing sensitive data.
  • Network Security: Enterprise-grade firewalls, intrusion detection and prevention systems (IDS/IPS), web application firewalls (WAF), and distributed denial-of-service (DDoS) mitigation. Network segmentation isolates critical systems and data.
  • Vulnerability Management: Regular vulnerability assessments and external penetration testing conducted by independent, accredited security consultants. Critical vulnerabilities are remediated within defined SLAs.
  • Security Monitoring: 24/7 security event monitoring through a Security Information and Event Management (SIEM) system with automated alerting and incident escalation procedures.
  • Data Backup and Recovery: Geographically distributed, encrypted backup systems with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Backup restoration is tested at least quarterly.
  • Secure Development: Application code is developed following OWASP Secure Coding Practices and undergoes security review and testing before deployment.

4. Personnel Security

All Aurevault employees, contractors, and third-party personnel with access to secure areas, client data, or critical systems undergo:

  • Pre-employment background checks including criminal history, identity verification, employment and qualification verification, and financial history (where permitted by law).
  • Execution of confidentiality and non-disclosure agreements.
  • Security awareness training at induction and annually thereafter, covering physical security, cybersecurity, social engineering, and incident reporting.
  • Role-based access control (RBAC) ensuring personnel have access only to the systems and areas necessary for their duties (principle of least privilege).
  • Periodic review of access rights and prompt revocation of access upon role change or termination.

5. Insurance and Asset Protection

All client assets stored in Aurevault vault facilities are covered by comprehensive, all-risk insurance policies underwritten by reputable, A-rated (or equivalent) insurance carriers. Our insurance coverage includes:

  • Coverage for theft (including employee dishonesty), robbery, burglary, and mysterious disappearance.
  • Coverage for physical damage from fire, flood, natural disaster, and other insured perils.
  • Transit coverage for all assets during armoured transport, from point of collection to point of delivery.
  • Professional indemnity insurance covering errors, omissions, and negligent acts in the provision of custodial and advisory services.
  • Cyber liability insurance covering data breach response costs, client notification, credit monitoring, and regulatory defence costs.

Evidence of insurance coverage is available to clients upon request. Insurance policies are reviewed and renewed annually to ensure adequacy of coverage limits relative to assets under custody. The cost of standard insurance coverage is included in storage fees.

6. Incident Response

Aurevault maintains a documented Incident Response Plan (IRP) that defines procedures for the detection, assessment, containment, eradication, recovery, and post-incident review of security incidents affecting physical assets, digital systems, or personal information. The IRP is tested at least annually through tabletop exercises and simulated incident scenarios. In the event of a data breach involving personal information that is likely to result in serious harm, Aurevault will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

7. Business Continuity

We maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure the continued availability of our services and the protection of client assets in the event of a disruptive incident. Key elements include:

  • Identification and assessment of critical business functions and dependencies.
  • Defined recovery strategies for each critical function, including failover to secondary sites where applicable.
  • Regular testing and exercising of BCP and DRP procedures.
  • Communication plans for notifying clients, regulators, and stakeholders in the event of a significant disruption.
  • Post-incident review and continuous improvement processes.

8. Responsible Disclosure

Aurevault encourages responsible disclosure of security vulnerabilities in our digital systems. If you believe you have discovered a security vulnerability, please contact our Security Team using the details below. We request that you provide us with reasonable time to investigate and remediate the vulnerability before making any public disclosure, and that you refrain from accessing or modifying other users’ data.

Security Team

Aurevault Precious Metals Pty LTD

3792 Collin's Street, Melbourne VIC 3068

Email: replyaurevaultltd@yahoo.com

Phone: +61 480 831 062