Skip to main content

Secure hosting

The GovCMS platform is hosted on public cloud infrastructure and managed by both the GovCMS team, and our service provider, Salsa Digital.

Security updates, patching and code release


On SaaS - the fully managed version of GovCMS hosting - the Department of Finance is responsible for all security updates, enhancements and updates to official GovCMS Drupal distributions. We also manage the deployment of updates to test and production environments. Critical patches are applied within 48 hours. Less urgent updates will be released to production within 7 days, or 14 days for lower priority issues. Regular updates, not related to security issues, are made regularly throughout the year.


If you host your site on a GovCMS PaaS, you are responsible for all security updates, enhancements and patches. You can still make use of GovCMS distributions, or you can choose completely customised installations of Drupal. You need to ensure you either have an in-house team, or an ongoing support contract with a service provider. You can approach the Department of Finance to assist with critical updates, but support is provided on a cost-recovery basis.

Web protection services

Web protection includes various tools and third-party services that help protect your site against distributed denial of service (DDoS) attacks, and malicious traffic. GovCMS makes use of a web application firewall (WAF), and a content delivery network (CDN).

Included on SaaS

You get the full web protection suite at no additional cost.

Optional extra for PaaS

You get basic DDoS protection included with your hosting. Additional web protection services are available at an additional cost. You can procure these through the GovCMS team or undertake your own procurement and choose your preferred tools and provider. If you choose your own tools, you're responsible for the installation, configuration and IRAP assessment and accreditation.

Hosted on Amazon AWS

GovCMS hosts all our sites on 3 Sydney data centres. All your data is hosted and stored in Australia.

Unclassified now, Unclassified-DLM soon

The environment and software used have been accredited for hosting UNCLASSIFIED material. Information that is classified, carries a 'Dissemination Limiting Marker' (DLM), or is personal or sensitive information must not be stored on GovCMS.

If in doubt, ask. Talk to your ITSA, or get in touch with the GovCMS team.

IRAP and other security documentation

Finance maintains a high standard for our platform security. We can provide a range of documents to assist agencies in assessing the security of GovCMS and reviewing the security risk profile of the platform. Please contact the GovCMS team to get access to documents.

Agencies are responsible for accepting the security risk profile.