For the gatekeeper

One PDF. Eighty percent of the questionnaire.

The same set of questions lands in every InfoSec review. We put the answers in one pack, sourced and current, so you can forward it on and get back to the rest of your day.

ISO 27001:2022 certified.

Independent third-party audited information security management system. Certificate available in the full pack. Annual surveillance audits.

AES-256 in transit and at rest.

All customer data encrypted with AES-256 in transit (TLS 1.3) and at rest. Per-tenant encryption keys. No shared crypto material between customers.

SAML 2.0, OpenID Connect, SCIM 2.0.

Single sign-on through your existing IdP (Azure AD / Entra, Okta, Google Workspace, Ping). Just-in-time and SCIM provisioning. Group-based role assignment.

Data residency per region.

AU customers on AWS Sydney. UK on AWS London. NZ on AWS Auckland. US on AWS Virginia. No cross-region replication of customer data without explicit consent.

GDPR, Privacy Act 1988, PIPEDA, UK GDPR.

Region-appropriate privacy framework adherence. DPIA support, subject access request workflow, data retention controls per tenant. DPO contactable in the pack.

AI usage, transparent.

Where AI assists (audio detection, fatigue flagging, content drafting): we tell you, name the model class, and document the human-review step. No silent training on your data. No customer data used for training.

Independent accreditations

Audited, every year.

The certifications below are the ones we hold today, by region. Each one is independent of Duress and renewable annually.

  • ISO 27001:2022 mark
    ISO 27001:2022 Global
  • ASIAL A1 mark
    ASIAL A1 AU monitoring centre
  • BS 5979 / NSI Gold mark
    BS 5979 / NSI Gold UK monitoring centre
  • ULC mark
    ULC Canada monitoring centre
  • EN 50518 mark
    EN 50518 EU monitoring centre
What's in the pack

Every question your security team will ask.

  1. Executive summary · one-page
  2. ISO 27001:2022 certificate (current revision)
  3. Information security policy summary
  4. Encryption posture · in transit, at rest, key management
  5. Identity, SSO, SCIM provisioning
  6. Data residency map · per region
  7. Sub-processor list · current
  8. Penetration test summary · latest engagement
  9. Vulnerability disclosure policy
  10. Incident response process · SLAs
  11. Backup, retention, deletion controls
  12. Privacy posture · GDPR / Privacy Act / PIPEDA
  13. AI usage statement · models, data, human review
  14. Business continuity + DR
  15. DPO + security contact details

Need something the pack doesn't cover? Email security@duress.com.