TRUST & SECURITY

Built for regulated enterprises, globally.

Our products are built on Google Cloud Platform certified to ISO/IEC 27001, ISO 27017, ISO 27018, SOC 1 / 2 / 3, PCI DSS, HIPAA and assessed against IRAP (Australian Government) at the Protected classification, with Australian data residency in Sydney and Melbourne. Our consulting practitioners bring decades of delivery across ASX-listed, FTSE-listed, and APRA-regulated environments.

GCP
ASX-listed engagements delivered
ISO 27001
APRA CPS 230 & CPS 234 Alignment
SOC 2
SOC 2 Type II Target
IRAP
ISO 42001 Lead Auditor on team
Compliance Status

Four programs, honest reporting.

We publish the real status of every compliance program, including what's complete, what's in flight, and what's planned. No ambiguous "ISO-aligned" claims you'll see exactly where we are, with target dates.

In Progress

ISO 27001:2022

Information Security Management System certification, targeted for Q4 2026.

Scope defined · ISMS documentation completeDone
Risk assessment & treatment planDone
Statement of Applicability · Annex ADone
Internal audit cycle · first roundQ2 2026
Stage 1 audit · certification bodyQ3 2026
Stage 2 audit · certificationQ4 2026
Planned · Q3 2026

SOC 2 Type II

American Institute of CPAs Service Organization Controls Type II report for security, availability, and confidentiality.

Control framework mapped to TSCsDone
Evidence collection infrastructureQ2 2026
Observation period beginsQ2 2026
Type I report (interim)Q2 2026
Type II report (6-month window)Q3 2026
Aligned

APAC Financial Regulators

Alignment with the prudential and operational risk regulators across APAC's largest financial markets.

APRA CPS 230 · operational risk (Australia)Done
APRA CPS 234 · information security (Australia)Done
MAS TRM · technology risk (Singapore)Done
HKMA TM-G-1 · operational resilience (Hong Kong)Done
RBNZ BS11 · outsourcing policy (New Zealand)Done
Continuous control monitoringOngoing
Aligned

APAC Privacy & Data Protection

Privacy regulations vary across APAC. We align to the strictest applicable standard per customer region.

Privacy Act 1988 & APPs (Australia)Done
PDPA · Personal Data Protection Act (Singapore)Done
PDPO & PCPD (Hong Kong)Done
NZ Privacy Act 2020 · IPPs (New Zealand)Done
GDPR-aligned data subject rights (baseline)Done
Data Residency & Infrastructure

Regional residency, customer-chosen.

Customer data stays in the region you declare. Australia is the default Sydney primary, Melbourne DR but we operate active regions across APAC, so customers can keep data in Singapore, Tokyo, Jakarta, Seoul, or Taiwan when regulatory or commercial context calls for it.

This isn't just a deployment option. Residency is a contract-level commitment. Once your region is declared, customer data primary, backup, analytics, logs does not leave it.

Infrastructure at a glance
Cloud ProviderGoogle Cloud PlatformSingle-Cloud
Default Regionau-southeast1 Sydney
APAC Regionsasia-southeast1 SG · asia-northeast1 Tokyo
Additional Regionsasia-southeast2 ID · asia-northeast3 KR
Data ResidencyCustomer-declaredGuaranteed
Encryption · RestAES-256 · CMEK available
Encryption · TransitTLS 1.3 only · HSTS enforced
Backup Retention35 days rolling · PITR enabled
Recovery SLOsRTO 4h · RPO 15min
Security Architecture

Defence in depth, by design.

Security isn't a layer added at the end it's architected into every module, every deployment, every user interaction. Below are the controls your security team will ask about first.

Authentication

SSO via SAML 2.0 and OIDC (Okta, Azure AD, Google Workspace). MFA enforceable at tenant level. Session management with configurable timeouts.

Encryption

AES-256 at rest for all customer data including backups. TLS 1.3 only in transit older versions blocked. CMEK available on Scale and Enterprise tiers.

Role-based access control

Granular RBAC across all modules. Role templates for Risk Owner, Second Line, Audit, Steerco, and Admin. Custom roles on Enterprise.

Immutable audit logging

Every user action, every data change, every permission modification logged to a write-once audit store. Retained for 7 years by default.

Backup & DR

Point-in-time recovery on primary databases. Daily backups to au-southeast2 DR region with 35-day retention. RTO 4 hours, RPO 15 minutes.

Incident response

Incident response plan aligned to NIST SP 800-61. SLAs for customer notification 72-hour maximum for any incident affecting customer data.

Operational Security

The controls behind the platform.

Technical controls are the easy half. Operational controls the people, processes, and vendors that surround the platform are where most incidents actually happen.

01

Personnel vetting

Every employee and contractor with production access passes a police check, reference verification, and confidentiality undertaking. Production access is role-based, time-limited, and reviewed quarterly. No shared credentials, ever.

02

Security training

Mandatory annual security awareness training for all staff. Role-specific training for engineers (secure coding, OWASP Top 10), support (social engineering, data handling), and leadership (incident decision-making). Completion tracked, refresher enforced.

03

Vendor assessment

Every sub-processor undergoes security review before onboarding. DPAs in place with all vendors who touch customer data. Sub-processors list published and updated on change see next section. Exits from vendors who fall below the bar.

04

Change management

All production changes follow a controlled process code review, automated testing, staging validation, approved change window. Emergency changes are exception-handled and documented. Every deployment traceable to a ticket and an author.

Data Handling Commitments

Your data is your data.

Beyond the compliance framework, we publish four promises that govern how we handle customer data. These are written into every contract and applied to every engagement.

No data sold, ever

We don't sell customer data. We don't anonymise and license it. We don't use it to train third-party models. Your data supports your engagement.

No advertising, no trackers

No third-party ad trackers, no behavioural analytics pixels, no retargeting cookies. The product doesn't serve ads not now, not ever.

Data stays in your declared region

Customer data does not leave the region you declare. Primary and backup are both in-region. Offshore support access is not default it's a per-ticket exception.

Customer-owned, fully exportable

Customer data belongs to the customer. On termination, we provide a full export in standard formats (JSON, CSV, DOCX, PDF) within 30 days.

Sub-Processors

Full transparency on every vendor.

VendorPurposeRegionStatus
Google Cloud PlatformPrimary cloud infrastructureAPAC regionsSigned
Google WorkspaceInternal productivity - no customer dataau-southeast1Signed
CloudflareDDoS protection, WAF - TLS terminated on GCPAPAC edgeComing Soon
StripeBilling only - PCI handled by StripeAPACComing Soon
AnthropicAI features (Scale/Enterprise) - zero retentionRegionalComing Soon
FastmailTransactional email - notifications, invoicesAUComing Soon
Responsible disclosure

Found a security issue? Tell us directly.

We welcome and credit security researchers who report vulnerabilities through responsible disclosure. We commit to acknowledging within 48 hours, triaging within 5 business days, and keeping you informed through to remediation.

Please don't access data beyond what's necessary to demonstrate the issue, and please don't publish until we've had a chance to remediate. Bounty program is in development early contributors will be credited when it launches.

Emailsecurity@effectiverm.com
PGP KeyAvailable on request
Response SLA48 hours · 5 biz days
Due Diligence & Security Review

Need the full compliance pack?

For APRA-regulated customers and enterprise security reviews, we provide a detailed trust pack under NDA covering the ISMS, architecture, and reports.