1

Company Information

Company name	MapVS Pty Ltd
ABN	Pending registration
Headquarters	Brisbane, Queensland, Australia
Founded	2025
Employees	1-5
Product name	ValueStream by MapVS
Product URL	https://mapvs.com
Product description	SaaS platform for planning, recording, tracking, and analysing value stream maps across any industry.

2

Data Handling & Privacy

What data does the application collect?	User account information (name, email, hashed password), value stream map data (process step names, durations, resources, notes), optional screenshots from web/desktop recorder, uploaded CSV/Excel files for import, and standard web analytics (page views, feature usage).
Where is data stored?	DigitalOcean infrastructure in the Sydney, Australia region (SGP1/SYD1). Database: PostgreSQL with encrypted volumes. File storage: DigitalOcean Spaces (S3-compatible) with server-side encryption.
Is data encrypted at rest?	Yes. AES-256 encryption on all database volumes and object storage.
Is data encrypted in transit?	Yes. TLS 1.2 minimum enforced, TLS 1.3 preferred. HSTS headers are set with a minimum max-age of one year.
What is the data retention policy?	Data is retained for the duration of the user's account. Upon account deletion, all user data is permanently purged within 30 days. Backups containing deleted data are overwritten within the 30-day backup rotation.
Can users delete their data?	Yes. Users can export all their data and permanently delete their account from Account Settings at any time.
Is there a privacy policy?	Yes. Available at mapvs.com/privacy.
Is data shared with third parties?	No customer data is sold or shared. Third-party services (Stripe for payments, Resend for transactional email) receive only the minimum data required for their function. AI features (optional) may send process data to Anthropic for analysis; users can provide their own API key to avoid this.
Do you process personal data under GDPR?	The platform stores user email and name for account purposes. We are GDPR-aware and support data export, deletion, and portability requests. A formal Data Processing Agreement (DPA) is available on request for enterprise customers.
Australian Privacy Act compliance?	Yes. We comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988.

3

Authentication & Access Control

How are passwords stored?	Passwords are hashed using bcrypt with a unique per-user salt. Plain-text passwords are never stored or logged.
What password requirements are enforced?	Minimum 8 characters. Password strength indicator encourages longer, more complex passwords.
How is session management handled?	Server-side sessions with secure, httpOnly, SameSite cookies. Sessions expire after inactivity. Session tokens are regenerated on login.
Is multi-factor authentication (MFA) supported?	Planned for Q3 2026. Will support TOTP-based MFA (Google Authenticator, Authy, etc.).
Is SSO supported?	SAML 2.0 SSO is planned for the Enterprise tier. Contact enterprise@mapvs.com.
Is role-based access control (RBAC) implemented?	Yes. Roles include: Owner, Admin, Editor, Viewer. Permissions are enforced at the API level. Team workspace admins manage member roles.
How is API authentication handled?	API keys with scoped permissions, passed via Authorization: Bearer header. Keys can be revoked at any time from Account Settings.
Are failed login attempts rate-limited?	Yes. After repeated failed attempts, progressive delays are applied. Account lockout occurs after excessive failures, requiring email verification to unlock.

4

Application Security

How is CSRF prevented?	All state-changing requests require a per-session CSRF token. Tokens are validated server-side on every POST, PUT, and DELETE request.
How is XSS prevented?	Jinja2 template engine with auto-escaping enabled by default. Content Security Policy (CSP) headers restrict inline script execution. User input is sanitised before rendering.
How is SQL injection prevented?	SQLAlchemy ORM with parameterised queries throughout. No raw SQL is used in the application. All user input passes through ORM bindings.
Is rate limiting implemented?	Yes. Per-IP and per-user rate limits on all endpoints. Stricter limits on authentication endpoints. API endpoints have tier-based rate limits (100-2000 req/min).
How is file upload validated?	File type validation by extension and MIME type. Maximum file size enforced (50 MB). Uploaded files are stored in isolated paths and never executed. CSV/Excel files are parsed in memory with row limits.
Is input validation performed?	Yes. All user input is validated on both client and server side. Field length limits, type checks, and format validation are enforced. Error messages do not expose internal details.
Are dependencies scanned for vulnerabilities?	Yes. Python dependencies are monitored via pip-audit and Dependabot. JavaScript CDN libraries are loaded from versioned, integrity-checked URLs.
What security headers are set?	Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, Content-Security-Policy.
Is there a vulnerability disclosure policy?	Yes. Security issues can be reported to security@mapvs.com. We acknowledge reports within 48 hours and aim to resolve critical issues within 7 days.

5

Infrastructure & Operations

Who is the hosting provider?	DigitalOcean. DigitalOcean maintains SOC 2 Type II and ISO 27001 certifications for their infrastructure.
Where are servers located?	Sydney, Australia region (DigitalOcean SGP1/SYD1). Multi-region (US East, EU Frankfurt) is on the roadmap.
What is the backup frequency?	Daily automated backups of all databases and file storage. 30-day retention. Backups are stored in a separate region for disaster recovery.
What is the target uptime?	99.9% availability target. Historical uptime is tracked and available on request.
Is there application monitoring?	Yes. Application performance monitoring, error tracking, and uptime monitoring are in place. Alerts are configured for anomalous activity, high error rates, and performance degradation.
Is there an incident response plan?	Yes. Security incidents are classified by severity. Critical incidents trigger immediate response. Affected customers are notified within 72 hours of confirmed data breaches as required by applicable regulations.
How is the application deployed?	Containerised deployment with automated CI/CD pipeline. Changes go through code review, automated testing, and staged rollout. Rollback capability is maintained for all deployments.
Is logging and audit trail maintained?	Yes. Application logs capture authentication events, data access, and administrative actions. Logs are retained for 90 days and are not accessible to end users.

6

Compliance

Is the application GDPR compliant?	We are GDPR-aware and implement data minimisation, right to access, right to erasure, and data portability. A Data Processing Agreement (DPA) is available on request.
Australian Privacy Act compliance?	Yes. We comply with the 13 Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). Our privacy policy details how personal information is collected, used, and disclosed.
SOC 2 Type II certification?	Planned. Our infrastructure provider (DigitalOcean) holds SOC 2 Type II. MapVS application-level SOC 2 Type II audit is on the roadmap for 2027.
ISO 27001 certification?	Planned. ISO 27001 certification is on the roadmap for 2027. We currently implement controls aligned with ISO 27001 Annex A.
Do you handle payment card data?	No. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. No card numbers are stored on or pass through our servers.
Is there a data breach notification process?	Yes. Affected users and relevant authorities are notified within 72 hours of a confirmed data breach, in line with GDPR and the Australian Notifiable Data Breaches (NDB) scheme.
Can a Data Processing Agreement (DPA) be provided?	Yes. Contact support@mapvs.com for a DPA or custom security addendum.

7

Third-Party Services

Service	Purpose	Data Shared	Certifications
Stripe	Payment processing	Email, payment method (handled entirely by Stripe.js)	PCI DSS Level 1, SOC 2
Resend	Transactional email (password resets, notifications)	Recipient email, message content	SOC 2 Type II
Anthropic	AI-powered analysis (Smart Suggestions, Video Analysis)	Process data from maps (opt-in only). Users can provide their own API key (BYO) to keep data within their own Anthropic account.	SOC 2 Type II
DigitalOcean	Infrastructure (compute, database, object storage)	All application data (encrypted at rest and in transit)	SOC 2 Type II, ISO 27001