Help & Documentation

Learn how to use StructureGram

Sensitive Data Protection Overview

StructureGram takes the security and privacy of your sensitive information seriously. This guide explains what sensitive data is, how we protect it, and what you can expect when working with sensitive fields in the application.

What is Sensitive Data?

In StructureGram, sensitive data refers to confidential identification numbers that must be handled with extra care:

Tax File Numbers (TFN)

  • What it is: A 9-digit Australian tax identification number
  • Format: XXX XXX XXX (e.g., 123 456 789)
  • Used for: Tax reporting, financial transactions, and compliance
  • Found in: Individual entity records

Director Identification Numbers (DIN)

  • What it is: A 15-digit identifier for company directors in Australia
  • Format: XXX XXX XXX XXX XXX (e.g., 123 456 789 012 345)
  • Used for: Director identification and corporate compliance
  • Found in: Individual entity records (when they are company directors)

Why Are These Numbers Encrypted?

These identification numbers are sensitive and could be used for identity theft or fraud if exposed. That's why StructureGram encrypts them using bank-grade security standards:

Our Protection Standards

  • Military-grade encryption: We use AES-256-GCM encryption, the same standard used by banks and government agencies
  • Encrypted at rest: Your TFN and DIN are encrypted before being stored in our database
  • Encrypted in transit: All data travels over secure HTTPS connections
  • Never exposed in logs: These numbers never appear in system logs or debugging information
  • Tenant isolation: Your organization's data is completely isolated from other organizations

What This Means for You

✅ Your Data is Protected

If our database were ever accessed without authorization, your TFN and DIN numbers would appear as meaningless encrypted text that cannot be read or used by unauthorized parties. Only authorized users within your organization can decrypt and view these numbers.

✅ You Stay in Control

  • You can enter, update, and view sensitive data when needed
  • Access is limited to members of your organization
  • Every time sensitive data is viewed, we create an audit record
  • You always see masked versions by default (e.g., "*** *** 789")

✅ Compliance Made Easy

  • Our encryption meets Australian privacy law requirements
  • Audit trails help with compliance reporting
  • Your sensitive data is never shared with third parties
  • We follow data protection best practices

How It Works (Simple Version)

  1. When you enter a TFN or DIN: The full number is encrypted immediately and only the encrypted version is stored
  2. When you view a record: You see a masked version (e.g., "*** *** 789") showing only the last 3 digits
  3. When you need the full number: You can click to reveal it, and it automatically hides again after 30 seconds
  4. Always secure: The encryption keys are managed securely and never exposed to end users

Key Security Features

Masked Display by Default

  • TFN shows as: *** *** 789 (only last 3 digits visible)
  • DIN shows as: *** *** *** *** 345 (only last 3 digits visible)
  • This allows you to identify records without exposing full numbers
  • The data is not decrypted sent to you until you specifically request it

Reveal on Demand

  • Click the lock icon to reveal the full number when needed
  • Numbers automatically hide again after 30 seconds
  • Each reveal is logged for security audit purposes

Audit Trail

  • Every time someone views a TFN or DIN, we record:
    • Who accessed it
    • When they accessed it
    • Which fields were viewed
  • This helps with compliance and security monitoring

What Happens During a Security Breach?

While we take extensive measures to prevent unauthorized access, it's important to understand what would happen in the unlikely event of a database breach:

What Attackers Would See

  • Encrypted text that looks like random characters
  • Without the encryption keys (which are stored separately), this data is unusable
  • The last 3 digits are visible, but these alone cannot be used for identity theft or fraud

What Attackers Would NOT See

  • Full TFN or DIN numbers
  • Any way to decrypt the data without the encryption keys
  • Other sensitive information (which is also encrypted or protected)

Our Additional Protections

  • Database access is restricted and monitored
  • Encryption keys are stored separately from the data
  • Multiple layers of security protect against unauthorized access
  • Regular security audits and penetration testing

Best Practices

When Working with Sensitive Data

DO:

  • Only reveal sensitive data when necessary for your work
  • Close or lock your computer when stepping away
  • Verify you're viewing the correct individual before revealing data
  • Report any suspicious activity to your organization administrator

DON'T:

  • Take screenshots of revealed sensitive data
  • Share sensitive numbers via email, chat, or other communication tools
  • Leave sensitive data displayed on your screen unattended
  • Access sensitive data unless you have a legitimate business need

Frequently Asked Questions

Q: Can I export TFN/DIN data?

Currently, encrypted sensitive fields are not included in data exports for security reasons. This prevents accidental exposure of sensitive information.

Q: Who can see these numbers in my organization?

Any member of your organization with access to individual records can reveal TFN/DIN numbers. All access is logged for audit purposes.

Q: What if I forget to hide a revealed number?

Don't worry - revealed numbers automatically hide themselves after 30 seconds to minimize exposure risk.

Q: Can I disable this encryption?

No. The encryption of TFN and DIN numbers is mandatory for all organizations to ensure compliance and security.

Q: What happens if encryption keys are lost?

Encryption keys are backed up securely and are managed by StructureGram's infrastructure team. In the extremely unlikely event of key loss, we have recovery procedures in place.

Need Help?

If you have questions about sensitive data protection or notice any security concerns, please contact your organization administrator or reach out to our support team.

Remember: Protecting sensitive data is a shared responsibility. By following best practices and using the security features provided, you help keep everyone's information safe.