Privacy, security + compliance 

 Award Force uses best practice security measures to protect you,
your company, your judges + entrants, and their personal data 

You’re concerned about security. So are we.

We are confident that we have one of the most secure online application + evaluation solutions worldwide.
If not the most secure.

In this section


The Award Force application and hosting stack have been architected with security practices and features built in so you’ll never have to worry about the security of data stored in Award Force. 

Multi-factor authentication (MFA)

Server security

Our multi-server architecture is secured in a Virtual Private Cloud (VPC). There is no access via FTP. Server access is only possible by authorised staff via SSH key-based authentication through VPN access to our VPC.

Access to our AWS infrastructure is only available to authorised Award Force staff and is governed by Identity and Access Management (IAM) and multi-factor authentication (MFA).

Multi-factor authentication (MFA)

Physical security

All our application stack physical infrastructure and data storage is within Amazon Web Services (AWS) data centres in a choice of residency locations. AWS data centre and network architecture are built to comply with stringent global standards such as SOC 1, SOC 2, SOC 3, and Cloud Security Alliance Controls. These standards meet the requirements of the most security-sensitive organisations.

AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems and other electronic means.

Multi-factor authentication (MFA)

Data encryption

In keeping with best-practice security, all data at rest (in our databases and media stores) is stored encrypted. All data in transit (including login credentials and credit card details for paid entry awards) is protected using TLS 1.2 (https) by default, with (AES)-256 bit encryption and SHA-256 signed certificates.

Multi-factor authentication (MFA)

Encrypted personal data

Personal data, sometimes referred to as Personally Identifiable Information (PII), is information that can be used to uniquely identify, contact or locate a single individual. Keeping PII secure is dictated by various regulations and privacy laws internationally. Additional layers of encryption can be applied for elevated security on sensitive data fields. 

Multi-factor authentication (MFA)

Role and permission-based access control

Award Force has an extensible system for defining user roles and associated system use permissions so that users can only access functionality they’re permitted to, whether they be entrants, judges, coordinators or managers.

Multi-factor authentication (MFA)

Optional multi-factor authentication

Individual users can choose to increase protection of their account against unauthorised access by enabling multi-factor authentication (MFA). MFA can also be required for specific roles with elevated access levels.

The primary authentication method after password is a Time-based One-Time Password (TOTP). Backup recovery methods include recovery codes and SMS.

Multi-factor authentication (MFA)


User account access is password protected. Passwords are stored with one-way bcrypt hashing. As a result, the original password can never be read, seen or recovered by anyone, even those with direct access to the system database. 

A minimum password length of 12 characters is enforced.

Multi-factor authentication (MFA)

Credit card data

Award Force integrates directly with 3rd-party payment gateways for credit card payment handling on paid entries.

User credit card details are never stored in Award Force databases. They are passed directly to the payment gateway.

Our PCI-DSS attestation certificate is listed in the certifications and documentation section below. 

Multi-factor authentication (MFA)


Award Force performs rigorous security testing including risk analysis, automated scanning, and third-party vulnerability and penetration testing. In the unlikely event a security incident or data breach occurs, we have a best-practice resolution path in place and will alert account owners by email immediately. 

If clients wish to perform their own penetration testing, we will be happy to facilitate this on a special-purpose non-production clone stack by arrangement. Our most recent penetration testing certificate is available on request.


Award Force is extremely privacy conscious. Our staff work together to handle your data responsibly and ensure your right to privacy is maintained at all times. Our product is also designed to help you comply with local privacy laws by offering choice in data storage region. 

Multi-factor authentication (MFA)

Data residency

When it comes to your data hosting location, you have the freedom to choose between several supported regions.
Learn more about our data residency feature 

Multi-factor authentication (MFA)

Data handling

We’ve developed and implemented comprehensive processes, privacy safeguards and ongoing training for our teams to ensure we are following best-practice data handling procedures. 

Multi-factor authentication (MFA)

Privacy policy

Learn more about our privacy policy as mandated by our parent company, Creative Force.

Data regulation compliance

Award Force is packed full of features to help you maintain compliance with requirements under the various regulations listed below. Our team regularly works to expand our compliance coverage to help you meet your compliance needs.

Multi-factor authentication (MFA)

General Data Protection Regulation (GDPR)

GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018.

GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.

Read more about the GDPR



Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is the acronym for the Health Insurance Portability and Accountability Act. It’s U.S legislation meant to safeguard the protected health information (known as PHI) of U.S residents.

Award Force is a fully compliant business associate and we can sign a HIPAA BAA (business associate agreement) with any covered entity dealing with the health information of U.S residents. 

Read more about HIPAA

Multi-factor authentication (MFA)

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act is applicable to California residents and is effective from 1 July 2020. Award Force recognises California has recently passed an addendum to the CCPA known as the California Privacy Rights Act (“CPRA”). As with the LGPD, we will analyze the additional requirements and update our policies and materials where needed. 

Read more about the CCPA

Multi-factor authentication (MFA)

Australian Privacy Principles

The primary legislation that governs privacy in Australia is the Privacy Act 1988 (Cth). The cornerstone of the Act is the Australian Privacy Principles (APP). These principles replaced the previous National Privacy Principles in March 2014.

Read more about the APP



Lei Geral de Proteção de Dados (LGPD)

The Lei Geral de Proteção de Dados (LGPD) is a new Brazilian privacy law that went into effect on 18 September 2020, but enforcement will not start until August 2021. Like the GDPR, it regulates the collection, use, processing, storage, and transfer of personal data of Brazil data subjects. 

Award Force is committed to complying with the requirements of the LGPD, and we will analyze the requirements of this new law and update our policies and materials where needed.

Read more about the LGPD


Awards programs deal in integrity, stability and trust and are mission critical projects. As such, Award Force has been architected and is maintained to be as dependable as possibile. We are committed to delivering a service which is stable, secure at scale, readily available and recoverable. 

Multi-factor authentication (MFA)

Business continuity and disaster recovery

In the event of a disruption to our operations, our business continuity and disaster recovery plan is in place and ensures minimal impact on our clients and their programs.

Multi-factor authentication (MFA)

Stable foundation

Award Force is built on industry-leading cloud infrastructure from AWS. It is designed with redundancy and failover systems, and is dependable and optimised for performance.

Multi-factor authentication (MFA)


Award Force is built to respond to increased client data and user loads, fast. Our platform performs consistently and predictably, even under high volumes. 

Multi-factor authentication (MFA)


Since 2016, Award Force clients have enjoyed more than 99.96% service availability. The majority of downtime was for scheduled maintenance, which we communicated well in advance. We hold ourselves to these high standards on an ongoing basis.

Multi-factor authentication (MFA)

Status transparency

Real-time system status, detailing the status of various components of the platform as well as the platform as a whole, is readily available from our open and publicly accessible status page.

Certifications + documentation

Use our responses to the CAIQ to fast track your assessment of our security profile or download our IEC/ISO 27001 or PCI-DSS attestation certificates below.


The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1. offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.

Download our CAIQ response


Award Force has been independently audited and verified to fulfil the requirements of the ISO / IEC 27001 : 2013 standard.

Download the certificate


The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalise higher education information security and data protection questions. It is the higher education equivalent of the CAIQ.

Download the certificate


Award Force is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), please find our attestation below.

Download the certificate

Frequently asked questions

Award Force uses Amazon Web Services (AWS) infrastructure to host the system. Our application and database servers are located in the European Union, the United States of America and Australia. For security reasons, Amazon does not publish the physical locations of their data centres.

Yes, custom domains are available on the Pro plan.

The Award Force application is packed full of features to help clients maintain GDPR, CCPA, LGPD and APP compliance.

Yes, our ISO 27001 certificate and PCI-DSS attestation is freely available above and we are more than happy to pass along our most recent penetration test results. Please get in contact if you'd like to receive a copy.