Data Security for Enterprise Agreement Ballots in Australia

An employer's responsibility protect employees personal details is a key concern in hiring third party providers.  GoVote understands the multiple priorities when running an important ballot - we combine practical, people-first processes with technical controls so you can trust votes are confidential, accurate and available when needed, without ever risking your employee's personal data.

GoVote ballots design security around people, process and technology so that every decision you make about your ballot is backed by documented controls, tested systems and no risk of exposure to overseas data security threats. Our ISO27001 Cyber Security qualification is audited every year to prove our high standards of transparency and integrity, offering our clients, and their employees reassurance and peace of mind.

We use straightforward, proven tools to protect access and traceability. The GoVote platform, Ballot Manager, is only accessible from within Australia. Two‑factor authentication is compulsory for all users and passwords are stored as hashed character strings with protections for failed attempts. Extensive logging is kept and synchronised to Network Time Protocol so every action is auditable. Where possible we use well‑maintained open source software — that transparency helps us and our clients verify behaviour and respond quickly to vulnerabilities.

Built and maintained entirely in-house, the GoVote systems are hardened across the stack. From physical infrastructure to the application layer, we follow a zero‑trust, least‑privilege approach: assume systems are exposed and verify every request. Patching is active (typically weekly), quarterly IT reviews check authentication and encryption settings, and we run annual penetration testing to validate our defences and prioritise fixes. Our Information Security Management System (ISMS) and risk logs are maintained and reviewed regularly so security decisions are traceable and continuously improving.

Access to the Ballot Manager is tightly scoped. Client users only see ballots relevant to their role; internal team access is limited on a need‑to‑know basis and backend access is physically and logically protected. Crucially, our Australian server in Melbourne is locked against access from any country outside Australia. Voters, on the other hand, are able to cast their vote from anywhere in the world. Our team sign confidentiality agreements, receive security awareness training at induction, and must follow the ‘need‑to‑know’ principle for sensitive voter or corporate data.

We back up data automatically to multiple encrypted locations, test backups monthly, and classify services by recovery needs so we meet realistic recovery time and point objectives. Redundancy is built into our architecture (Hyper‑V clustering, SSD RAID, cloud availability zones) and continuity plans are exercised and documented in our Cyber Incident Response Plan.

While GoVote has never experienced a significant data breach, we use our internal algorithms along with human eyes trained and ready to spot and report any unusual activity. Systems are in place for a rapid response should any threat be detected, for a coordinated response to lock down the system and preserve the integrity of the ballot. Quarterly reviews and signed‑off control settings give you ongoing assurance that ballots are run with detection, response and remediation in place.

GoVote combines people‑first processes, transparent open‑source practices and layered technical controls to keep ballots confidential, accurate and available — and we do it with the practical mindset of a small, agile team that listens and adapts. We build security into every layer of our systems, operate a local server locked to Australian‑only access, and back our work with documented ISMS processes, routine testing, encrypted backups and clear incident response procedures so you can trust the integrity of your enterprise ballots and board elections. We don’t treat security as a one‑off: we continuously review and improve our controls, learn from tests and audits, and evolve our systems to meet emerging threats. To give you further assurance, GoVote is audited every year to maintain ISO 27001 status, reflecting our commitment to independent verification and ongoing improvement in data security and systems management.