One PDF. Eighty percent of the questionnaire.
The same set of questions lands in every InfoSec review. We put the answers in one pack, sourced and current, so you can forward it on and get back to the rest of your day.
ISO 27001:2022 certified.
Independent third-party audited information security management system. Certificate available in the full pack. Annual surveillance audits.
AES-256 in transit and at rest.
All customer data encrypted with AES-256 in transit (TLS 1.3) and at rest. Per-tenant encryption keys. No shared crypto material between customers.
SAML 2.0, OpenID Connect, SCIM 2.0.
Single sign-on through your existing IdP (Azure AD / Entra, Okta, Google Workspace, Ping). Just-in-time and SCIM provisioning. Group-based role assignment.
Data residency per region.
AU customers on AWS Sydney. UK on AWS London. NZ on AWS Auckland. US on AWS Virginia. No cross-region replication of customer data without explicit consent.
GDPR, Privacy Act 1988, PIPEDA, UK GDPR.
Region-appropriate privacy framework adherence. DPIA support, subject access request workflow, data retention controls per tenant. DPO contactable in the pack.
AI usage, transparent.
Where AI assists (audio detection, fatigue flagging, content drafting): we tell you, name the model class, and document the human-review step. No silent training on your data. No customer data used for training.
Audited, every year.
The certifications below are the ones we hold today, by region. Each one is independent of Duress and renewable annually.
- ISO 27001:2022 Global

- ASIAL A1 AU monitoring centre

- BS 5979 / NSI Gold UK monitoring centre

- ULC Canada monitoring centre

- EN 50518 EU monitoring centre
Every question your security team will ask.
- Executive summary · one-page
- ISO 27001:2022 certificate (current revision)
- Information security policy summary
- Encryption posture · in transit, at rest, key management
- Identity, SSO, SCIM provisioning
- Data residency map · per region
- Sub-processor list · current
- Penetration test summary · latest engagement
- Vulnerability disclosure policy
- Incident response process · SLAs
- Backup, retention, deletion controls
- Privacy posture · GDPR / Privacy Act / PIPEDA
- AI usage statement · models, data, human review
- Business continuity + DR
- DPO + security contact details