An employer's responsibility protect employees personal details is a key concern in hiring third party providers.  GoVote understands the multiple priorities when running an important ballot - we combine practical, people-first processes with technical controls so you can trust votes are confidential, accurate and available when needed, without ever risking your employee's personal data.

GoVote ballots design security around people, process and technology so that every decision you make about your ballot is backed by documented controls, tested systems and no risk of exposure to overseas data security threats. Our ISO27001 Cyber Security qualification is audited every year to prove our high standards of transparency and integrity, offering our clients, and their employees reassurance and peace of mind.

We use straightforward, proven tools to protect access and traceability. The GoVote platform, Ballot Manager, is only accessible from within Australia. Two‑factor authentication is compulsory for all users and passwords are stored as hashed character strings with protections for failed attempts. Extensive logging is kept and synchronised to Network Time Protocol so every action is auditable. Where possible we use well‑maintained open source software — that transparency helps us and our clients verify behaviour and respond quickly to vulnerabilities.

Built and maintained entirely in-house, the GoVote systems are hardened across the stack. From physical infrastructure to the application layer, we follow a zero‑trust, least‑privilege approach: assume systems are exposed and verify every request. Patching is active (typically weekly), quarterly IT reviews check authentication and encryption settings, and we run annual penetration testing to validate our defences and prioritise fixes. Our Information Security Management System (ISMS) and risk logs are maintained and reviewed regularly so security decisions are traceable and continuously improving.

Access to the Ballot Manager is tightly scoped. Client users only see ballots relevant to their role; internal team access is limited on a need‑to‑know basis and backend access is physically and logically protected. Crucially, our Australian server in Melbourne is locked against access from any country outside Australia. Voters, on the other hand, are able to cast their vote from anywhere in the world. Our team sign confidentiality agreements, receive security awareness training at induction, and must follow the ‘need‑to‑know’ principle for sensitive voter or corporate data.

We back up data automatically to multiple encrypted locations, test backups monthly, and classify services by recovery needs so we meet realistic recovery time and point objectives. Redundancy is built into our architecture (Hyper‑V clustering, SSD RAID, cloud availability zones) and continuity plans are exercised and documented in our Cyber Incident Response Plan.

While GoVote has never experienced a significant data breach, we use our internal algorithms along with human eyes trained and ready to spot and report any unusual activity. Systems are in place for a rapid response should any threat be detected, for a coordinated response to lock down the system and preserve the integrity of the ballot. Quarterly reviews and signed‑off control settings give you ongoing assurance that ballots are run with detection, response and remediation in place.

GoVote combines people‑first processes, transparent open‑source practices and layered technical controls to keep ballots confidential, accurate and available — and we do it with the practical mindset of a small, agile team that listens and adapts. We build security into every layer of our systems, operate a local server locked to Australian‑only access, and back our work with documented ISMS processes, routine testing, encrypted backups and clear incident response procedures so you can trust the integrity of your enterprise ballots and board elections. We don’t treat security as a one‑off: we continuously review and improve our controls, learn from tests and audits, and evolve our systems to meet emerging threats. To give you further assurance, GoVote is audited every year to maintain ISO 27001 status, reflecting our commitment to independent verification and ongoing improvement in data security and systems management.

In today’s digital world, trust is built on more than promises—it’s built on proof. At GoVote, we understand that when organisations entrust us with the responsibility of conducting ballots, they are placing their confidence not only in our technology but in our ability to protect sensitive information. That’s why cyber security, data protection, and anonymity are at the heart of everything we do.

This blog post explains how our practices—anchored by ISO 27001 certification, regular penetration testing, and transparent privacy and security policies—translate into real benefits for our clients and voters.

Voting systems handle some of the most sensitive data imaginable: candidate details, voter rolls, and ballot responses. Any breach of confidentiality or integrity could undermine confidence in the process. At GoVote, we treat security as fundamental to achieving fair and transparent results.

Our approach is multi‑layered:

• Network security with 256‑bit SSL encryption to protect data in transit.
• Firewalls and monitoring to detect and prevent unauthorised access.
• Access controls that ensure only authorised personnel can interact with sensitive systems.
• Redundant servers and encrypted backups to guarantee reliability and resilience.

ISO 27001 is the international gold standard for information security management. Achieving certification means our systems, policies, and practices have been independently audited against rigorous criteria.

For clients, this translates into:

• Confidence: Assurance that your data is managed under globally recognised best practices.
• Compliance: Alignment with regulatory requirements and industry expectations.
• Transparency: Documented processes and audit trails that demonstrate accountability.

For our business, ISO 27001 is not a badge—it’s a framework. It guides how we design workflows, train staff, and continually improve. Every decision is measured against the principle of protecting confidentiality, integrity, and availability of information.

Even the strongest systems must be tested. That’s why GoVote engages independent experts to conduct penetration testing. These simulated cyber‑attacks probe our infrastructure for vulnerabilities, ensuring that weaknesses are identified and addressed before they can be exploited.

For clients, penetration testing means:

• Peace of mind: Knowing our defences are validated by external specialists.
• Continuous improvement: Each test informs enhancements to our systems.
• Resilience: Confidence that ballots will remain secure even in the face of evolving threats.

Our Privacy Policy outlines our commitment to safeguarding personal information. Whether it’s client details, candidate statements, or voter contact information, we treat all data as confidential.

Key points:

• Limited use: Voter and candidate information is used only for running ballots, never for marketing.
• Transparency: Clients are responsible for informing individuals when their data is shared, ensuring compliance with privacy laws.
• Rights: Individuals can access, correct, or restrict the use of their personal information.

Our Security Statement details the technical and organisational measures we employ. Highlights include:

• SSL encryption for all communications.
  
• 24‑hour monitoring to detect unauthorised activity.
  
• Daily, weekly, and monthly backups, encrypted and securely stored.
  
• Least‑privilege access controls, ensuring staff only access data necessary for their role.
  

These measures are not static. We continually review and update our protocols to meet evolving client needs and industry standards.

Perhaps the most critical aspect of voting is anonymity. Our Anonymity Statement makes clear that ballot responses are anonymous by design.

How we achieve this:

• Separate databases: Voter roll data and ballot responses are stored independently, ensuring preferences cannot be traced back to individuals.
  
• Secure authentication: Even when voters use PINs or provide personal details, anonymity is preserved.
  
• Non‑negotiable principle: We will not conduct a ballot unless anonymity is guaranteed.
  

For voters, this means confidence that their voice is heard without fear of identification. For clients, it means ballots are conducted with integrity and fairness.

When you partner with GoVote, you’re not just choosing a voting provider—you’re choosing a security partner. Our ISO 27001 certification, penetration testing, and transparent policies ensure:

• Audit‑ready processes for compliance and governance.
  
• Reassurance for stakeholders that data is protected.
  
• Confidence for voters that their anonymity is guaranteed.
  

At GoVote, we believe that secure systems are the foundation of democratic processes. By embedding ISO 27001 standards, conducting regular penetration testing, and upholding strict privacy, security, and anonymity commitments, we provide more than ballots—we provide trust.

For organisations, this means peace of mind. For voters, it means confidence. For us, it means living up to our responsibility as custodians of one of society’s most important processes.