Built for regulated enterprises, globally.
Our products are built on Google Cloud Platform certified to ISO/IEC 27001, ISO 27017, ISO 27018, SOC 1 / 2 / 3, PCI DSS, HIPAA and assessed against IRAP (Australian Government) at the Protected classification, with Australian data residency in Sydney and Melbourne. Our consulting practitioners bring decades of delivery across ASX-listed, FTSE-listed, and APRA-regulated environments.
Four programs, honest reporting.
We publish the real status of every compliance program, including what's complete, what's in flight, and what's planned. No ambiguous "ISO-aligned" claims you'll see exactly where we are, with target dates.
ISO 27001:2022
Information Security Management System certification, targeted for Q4 2026.
SOC 2 Type II
American Institute of CPAs Service Organization Controls Type II report for security, availability, and confidentiality.
APAC Financial Regulators
Alignment with the prudential and operational risk regulators across APAC's largest financial markets.
APAC Privacy & Data Protection
Privacy regulations vary across APAC. We align to the strictest applicable standard per customer region.
Regional residency, customer-chosen.
Customer data stays in the region you declare. Australia is the default Sydney primary, Melbourne DR but we operate active regions across APAC, so customers can keep data in Singapore, Tokyo, Jakarta, Seoul, or Taiwan when regulatory or commercial context calls for it.
This isn't just a deployment option. Residency is a contract-level commitment. Once your region is declared, customer data primary, backup, analytics, logs does not leave it.
au-southeast1 Sydneyasia-southeast1 SG · asia-northeast1 Tokyoasia-southeast2 ID · asia-northeast3 KRDefence in depth, by design.
Security isn't a layer added at the end it's architected into every module, every deployment, every user interaction. Below are the controls your security team will ask about first.
Authentication
SSO via SAML 2.0 and OIDC (Okta, Azure AD, Google Workspace). MFA enforceable at tenant level. Session management with configurable timeouts.
Encryption
AES-256 at rest for all customer data including backups. TLS 1.3 only in transit older versions blocked. CMEK available on Scale and Enterprise tiers.
Role-based access control
Granular RBAC across all modules. Role templates for Risk Owner, Second Line, Audit, Steerco, and Admin. Custom roles on Enterprise.
Immutable audit logging
Every user action, every data change, every permission modification logged to a write-once audit store. Retained for 7 years by default.
Backup & DR
Point-in-time recovery on primary databases. Daily backups to au-southeast2 DR region with 35-day retention. RTO 4 hours, RPO 15 minutes.
Incident response
Incident response plan aligned to NIST SP 800-61. SLAs for customer notification 72-hour maximum for any incident affecting customer data.
The controls behind the platform.
Technical controls are the easy half. Operational controls the people, processes, and vendors that surround the platform are where most incidents actually happen.
Personnel vetting
Every employee and contractor with production access passes a police check, reference verification, and confidentiality undertaking. Production access is role-based, time-limited, and reviewed quarterly. No shared credentials, ever.
Security training
Mandatory annual security awareness training for all staff. Role-specific training for engineers (secure coding, OWASP Top 10), support (social engineering, data handling), and leadership (incident decision-making). Completion tracked, refresher enforced.
Vendor assessment
Every sub-processor undergoes security review before onboarding. DPAs in place with all vendors who touch customer data. Sub-processors list published and updated on change see next section. Exits from vendors who fall below the bar.
Change management
All production changes follow a controlled process code review, automated testing, staging validation, approved change window. Emergency changes are exception-handled and documented. Every deployment traceable to a ticket and an author.
Your data is your data.
Beyond the compliance framework, we publish four promises that govern how we handle customer data. These are written into every contract and applied to every engagement.
No data sold, ever
We don't sell customer data. We don't anonymise and license it. We don't use it to train third-party models. Your data supports your engagement.
No advertising, no trackers
No third-party ad trackers, no behavioural analytics pixels, no retargeting cookies. The product doesn't serve ads not now, not ever.
Data stays in your declared region
Customer data does not leave the region you declare. Primary and backup are both in-region. Offshore support access is not default it's a per-ticket exception.
Customer-owned, fully exportable
Customer data belongs to the customer. On termination, we provide a full export in standard formats (JSON, CSV, DOCX, PDF) within 30 days.
Full transparency on every vendor.
Found a security issue? Tell us directly.
We welcome and credit security researchers who report vulnerabilities through responsible disclosure. We commit to acknowledging within 48 hours, triaging within 5 business days, and keeping you informed through to remediation.
Please don't access data beyond what's necessary to demonstrate the issue, and please don't publish until we've had a chance to remediate. Bounty program is in development early contributors will be credited when it launches.
Need the full compliance pack?
For APRA-regulated customers and enterprise security reviews, we provide a detailed trust pack under NDA covering the ISMS, architecture, and reports.
