Independently audited. Regionally hosted. Defensible by design.
Most of what an InfoSec team wants to know is on this page. The rest is in the security pack under NDA, one click away.
Audited, not asserted.
Every claim on this page is backed by an external audit, a downloadable artefact, or a contractual commitment. Self-claims are clearly labelled.
-
ISO/IEC 27001:2022
- Scope
- Information security management system
- Auditor
- Independent third-party audit
- Cadence
- Annual surveillance, three-year recertification
-
ASIAL Grade A1
- Scope
- Australian monitoring centre
- Auditor
- Australian Security Industry Association
- Cadence
- Re-graded annually
-
Vanta continuous monitoring
- Scope
- Controls drift detection
- Auditor
- Automated, evidenced
- Cadence
- Continuous
Your data stays in your region.
No cross-region replication of customer data without explicit consent and a signed addendum. AWS is the only hosting vendor for customer data.
| Region | AWS region | Applicable framework |
|---|---|---|
| Australia | ap-southeast-2 (Sydney) | Privacy Act 1988, APP 11 |
| New Zealand | ap-southeast-2 (Sydney) with NZ data agreement | Privacy Act 2020 |
| United Kingdom | eu-west-2 (London) | UK GDPR, Data Protection Act 2018 |
| United States | us-east-1 (Virginia) | Per-customer DPA |
What's actually in place.
Mapped to NIST CSF and CIS Top 18. Full control register and evidence available under NDA in the security pack.
-
Identity and access
SAML 2.0 and OpenID Connect SSO across Microsoft Entra, Okta, Google Workspace, Ping. SCIM 2.0 user provisioning, including just-in-time and group-based role assignment. Enforced MFA for admin roles. Session timeouts and IP allow-listing configurable per tenant.
-
Encryption
AES-256 in transit (TLS 1.3) and at rest. Per-tenant encryption keys, no shared crypto material between customers. Customer-managed keys available on request for enterprise tier. Mutual TLS for device-to-platform communications.
-
Application security
Annual external penetration test by an independent CREST-accredited firm. Continuous dependency scanning via Dependabot and Snyk. SAST on every pull request. Mandatory two-reviewer code review for production changes. Production access logged and quarterly-reviewed.
-
Network and infrastructure
AWS-hosted, VPC-isolated. No public database endpoints. WAF on every public surface. DDoS protection via AWS Shield. Internal services authenticated with mTLS. Bastion-only operational access, recorded and time-bound.
-
Logging and audit
Every administrative action logged to an immutable audit trail. Customer-facing audit log exposed via Pathfinder and API. 12-month retention by default, configurable to 7 years on enterprise tier. SIEM forwarding supported.
-
Backup and recovery
Encrypted daily backups, 35-day retention. Cross-AZ replication. Recovery time objective: 4 hours. Recovery point objective: 1 hour. Quarterly tabletop recovery exercise, evidenced.
Where AI helps. Where it doesn't.
We use AI for triage acceleration, never for dispatch. Every model on the data path is named. Your data is never used for training.
-
We name what we use.
SafeSense aggression detection uses an in-house model trained on consented data. Pathfinder summarisation uses Anthropic Claude with prompt isolation per tenant. No other AI is on the path of your data.
-
Your data does not train models.
Customer recordings, transcripts, and operator notes are never used to train Duress or third-party models. We have contractual no-training clauses with every AI vendor we use.
-
Humans review safety-critical AI.
Every SafeSense alert is reviewed by a human operator before action. AI flags accelerate triage. AI does not dispatch responders.
Notification timelines, in plain numbers.
Standard contractual commitments, not best efforts. Detailed run-book in the security pack.
- 1 hour Initial assessment after detection
- 24 hours Customer notification on confirmed breach
- 72 hours Regulator notification per OAIC and ICO duties
- Quarterly Tabletop incident-response exercise
Found something? Tell us.
Co-ordinated disclosure with a 90-day fix window. Acknowledgement within 24 hours. Hall of fame for the researchers who help us.
PGP key fingerprint on request. Safe-harbour clause covers good-faith research per our policy.
The paperwork your reviewer needs.
Most under NDA. We'll send them after a quick check.
-
Security pack
ISO certificate, SOC posture, pen-test summary, sub-processor list, DPA template. The PDF that closes 80% of vendor questionnaires.
Request the pack › -
Data Processing Agreement
Our standard DPA covers GDPR, UK GDPR, Privacy Act 1988, and the New Zealand Privacy Act. Pre-signed PDF available on request.
Request DPA › -
Sub-processor list
Current list of sub-processors with role, region, and DPA reference. Updated within 30 days of any change.
Request list ›