Security

Security at Moddy

This page is written for our users and procurement teams and relates to the security of our platform and the organisations we partner with.

We implement multiple layers of security to protect your information appropriately.

Security Statement at Moddy

Please read about our current security measures below

Website security

moddy.io is our domain and is tied to our ABN.

Our subdomains, where our application runs (app.moddy.io), fall under this primary domain.

Both are protected by SSL encryption.

Data Protection

  • We do not sell or share your data; it is only used within the Moddy organisation
  • We store revisions of your projects

Authentication

Authentication is handled entirely in-house; no third-party identity providers store your credentials.

Organisation security

  • Only authorised Moddy personnel are allowed to access our database and are required to authenticate themselves
  • Mandatory 2FA
  • Encrypted password storage and systems
  • 24 hour SLA

Secure development

  • We perform daily backups of all application data in multiple locations
  • We ensure every instance is fully encrypted and secured
  • Change control procedures. GitHub versioning. Rollbacks. Data retention between versions.
  • Technical reviews

Monitoring

  • Uptime monitoring
  • Incident response
  • Support available from internal staff
  • Bug monitoring systems

Server & Certification Information

Learn more about our infrastructure and certification inheritance below

RunCloud – Management Software

Certified to ISO/IEC 27001:2013

Cert. No. : ISMS 00405

Cloudflare – DNS Routing

ISO 27001:2022
ISO 27701:2019
ISO 27018:2019
FedRAMP Moderate
SOC 2 Type II
PCI DSS 4.0
Global CBPR
Global PRP
EU Cloud Code of Conduct
Cyber Essentials
C5:2020
ENS (Spain National Security Framework)
IRAP
BSI Qualification
ProcessUnity Global Risk Exchange
CSA STAR
1.1.1.1 Public DNS Resolver Privacy Examination
WCAG 2.1 AA and Section 508

Vultr – Servers

SOC 2+ (HIPAA)
PCI (Merchant)
CSA STAR Level 1
ISO/IEC 20000-1:2018
ISO/IEC 27001:2022
ISO/IEC 27017:2015
ISO/IEC 27018:2019

Given the inherited certifications from our infrastructure partners and the limited PII we collect, we have not sought independent certification at this time.

General Information

A high-level overview of the purposes of Moddy

General

Name of application: Moddy

Name of vendor: Moddy Apps

Vendor website: moddy.io

Description of application: Cloud-based Computer Aided Design (CAD) software that is used to draw home modifications/adaptations.

How the application is used: Users, who are typically Occupational Therapists, builders, home assessors and related staff, use Moddy to design new housing plans and export their designs to image files to be shared with stakeholders of that housing project.

Data

Who it is hosted by: Vultr Servers

Location of the data: Vultr Global CDN

What data is captured: Name, Email, Company Name, Billing Information, Project Filenames, Internal Project Data

Will the application be used to store or process confidential or sensitive information?

Yes. The application stores and processes limited Personally Identifiable Information (PII), including user name, email address, and company name, which are required for account management and billing. It also stores billing information (e.g., subscription details) and project-related data such as project filenames and internal project content uploaded or created by users.

No special-category (sensitive) personal data under GDPR is collected (e.g., health, biometric, or racial data), and all information processed is limited to what is necessary for providing the service.

Will any PII be stored or processed by the application?

Yes. The application stores and processes standard Personally Identifiable Information (PII) required for user account management and billing. This includes:

  • Name
  • Email address
  • Company name
  • Billing information (e.g., payment details managed via our payment provider; no full card numbers are stored directly by us)
  • IP address (captured for security and logging)

No sensitive or special-category PII (such as health, biometric, or government ID data) is collected or processed.

Is PII stored or processed in a pseudo-anonymous manner?

No.

Application

Moddy is supported and maintained by internal engineers.

We are responsive to incidents and maintain relevant security measures.

As browser-based software, we are typically agnostic to desktop-level antivirus software.

Our application is used as a website, which may need to be unblocked by your organisation’s firewall.

As browser-based software, there are typically no additional privileges needed to run Moddy.