Compliance
Trust & Security
How XPERT Moto protects the personal information and payment data entrusted to us. Self-assessed against the ACSC Essential Eight maturity model.
Platform provider
The XPERT Moto platform is a dFortix.ai product, published by Mercury Road Equipment Pty Ltd (ABN 36 614 422 187). XPERT Moto Group Pty Ltd (ABN 72 629 456 408) operates this deployment as the data controller for its customers' personal information; Mercury Road Equipment Pty Ltd is the software vendor responsible for the platform's technical security controls described below.
Essential Eight self-assessment
The following is our honest, self-assessed maturity against each of the eight mitigation strategies published by the Australian Cyber Security Centre (ACSC). Where a control was designed for legacy Windows enterprise environments, we document the cloud-native equivalent we enforce.
| # | Control | Maturity | Evidence |
|---|---|---|---|
| 1 | Application control | ML2 (cloud-interpreted) | Dependency audit runs on every CI build (npm audit at high severity fails the pipeline). All production dependencies are pinned via package-lock.json. Server-side code runs only from the built, signed deployment artefact. |
| 2 | Patch applications | ML2 | Continuous dependency monitoring through automated vulnerability scans in CI. Critical and high-severity patches are deployed within service SLAs; the managed hosting provider patches the underlying runtime automatically. |
| 3 | Configure Microsoft Office macro settings | Not applicable | No Microsoft Office, server-side macro execution, or user-authored script environments exist in the production stack. The control does not apply. |
| 4 | User application hardening | ML1 (moving to ML2) | Strict transport security (HSTS, two-year preload), clickjacking protection (X-Frame-Options), MIME-sniffing protection, strict referrer policy, and a comprehensive Content Security Policy are enforced site-wide. Known gap: CSP is currently in report-only mode; enforcement is on the roadmap. |
| 5 | Restrict administrative privileges | ML3 | Five-role access model (Customer, Staff, Manager, Admin, Super Admin) enforced at both the route and API layers. Privileged actions require multi-factor authentication, are fully audit-logged, and support impersonation only by Super Admins with separate signed tokens. |
| 6 | Patch operating systems | ML2 | Operating system and container base-image patching is handled continuously by the managed hosting provider. Internal Docker images used for auxiliary workers are rebuilt on a defined cadence against the latest upstream security releases. |
| 7 | Multi-factor authentication | ML3 for staff · ML2 for customers | Staff and administrator accounts require TOTP multi-factor authentication with recovery codes. Customer accounts may optionally enable TOTP, and all authentication is protected by per-IP rate limiting and automatic lockout after repeated failures. |
| 8 | Regular backups | ML2 | Encrypted database backups run nightly and are streamed to object storage with a 30-day retention window. Backup job status is recorded and alerts are raised on failure. Known gap: a documented quarterly restore drill is on the roadmap. |
Overall self-assessed position: Essential Eight Maturity Level 2 across applicable controls, with two declared known gaps (below). Self-assessment is not a substitute for a third-party IRAP assessment; where a customer or counterparty requires independent attestation, we can engage a qualified assessor on request.
Known gaps
We surface gaps we are aware of rather than leave them implicit. Each is tracked in our internal security backlog with an owner.
- Content Security Policy is enforced in report-only mode. We actively review reported violations and plan to move to enforcing mode once allow-listing is stable across third-party integrations (Stripe, map tiles, Sentry).
- A documented quarterly restore drill from backup is on the roadmap. Backups themselves run nightly and are monitored for success.
Data breach response
We maintain a written Data Breach Response Plan covering detection, triage, containment, notification and post-incident review. If we become aware of a data breach that is likely to result in serious harm to affected individuals, we will assess it within the thirty-day statutory window set by section 26WF of the Privacy Act 1988 (Cth), notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable thereafter, and keep our customers informed throughout.
See our Privacy Policy for the access, correction and complaint channels available to individuals whose personal information we hold.
Responsible disclosure
If you believe you have identified a security vulnerability in the XPERT Moto platform, please contact us in good faith. We commit to acknowledging reports within three business days, investigating promptly, and not pursuing legal action against researchers who act in good faith and stay within the bounds of the Criminal Code Act 1995 (Cth).
Email: book@scootering.com.au
