Security

Independently audited. Regionally hosted. Defensible by design.

Most of what an InfoSec team wants to know is on this page. The rest is in the security pack under NDA, one click away.

Certifications

Audited, not asserted.

Every claim on this page is backed by an external audit, a downloadable artefact, or a contractual commitment. Self-claims are clearly labelled.

  • ISO/IEC 27001:2022

    Scope
    Information security management system
    Auditor
    Independent third-party audit
    Cadence
    Annual surveillance, three-year recertification
  • ASIAL Grade A1

    Scope
    Australian monitoring centre
    Auditor
    Australian Security Industry Association
    Cadence
    Re-graded annually
  • Vanta continuous monitoring

    Scope
    Controls drift detection
    Auditor
    Automated, evidenced
    Cadence
    Continuous
Data residency

Your data stays in your region.

No cross-region replication of customer data without explicit consent and a signed addendum. AWS is the only hosting vendor for customer data.

Region AWS region Applicable framework
Australia ap-southeast-2 (Sydney) Privacy Act 1988, APP 11
New Zealand ap-southeast-2 (Sydney) with NZ data agreement Privacy Act 2020
United Kingdom eu-west-2 (London) UK GDPR, Data Protection Act 2018
United States us-east-1 (Virginia) Per-customer DPA
Controls

What's actually in place.

Mapped to NIST CSF and CIS Top 18. Full control register and evidence available under NDA in the security pack.

  • Identity and access

    SAML 2.0 and OpenID Connect SSO across Microsoft Entra, Okta, Google Workspace, Ping. SCIM 2.0 user provisioning, including just-in-time and group-based role assignment. Enforced MFA for admin roles. Session timeouts and IP allow-listing configurable per tenant.

  • Encryption

    AES-256 in transit (TLS 1.3) and at rest. Per-tenant encryption keys, no shared crypto material between customers. Customer-managed keys available on request for enterprise tier. Mutual TLS for device-to-platform communications.

  • Application security

    Annual external penetration test by an independent CREST-accredited firm. Continuous dependency scanning via Dependabot and Snyk. SAST on every pull request. Mandatory two-reviewer code review for production changes. Production access logged and quarterly-reviewed.

  • Network and infrastructure

    AWS-hosted, VPC-isolated. No public database endpoints. WAF on every public surface. DDoS protection via AWS Shield. Internal services authenticated with mTLS. Bastion-only operational access, recorded and time-bound.

  • Logging and audit

    Every administrative action logged to an immutable audit trail. Customer-facing audit log exposed via Pathfinder and API. 12-month retention by default, configurable to 7 years on enterprise tier. SIEM forwarding supported.

  • Backup and recovery

    Encrypted daily backups, 35-day retention. Cross-AZ replication. Recovery time objective: 4 hours. Recovery point objective: 1 hour. Quarterly tabletop recovery exercise, evidenced.

AI posture

Where AI helps. Where it doesn't.

We use AI for triage acceleration, never for dispatch. Every model on the data path is named. Your data is never used for training.

  • We name what we use.

    SafeSense aggression detection uses an in-house model trained on consented data. Pathfinder summarisation uses Anthropic Claude with prompt isolation per tenant. No other AI is on the path of your data.

  • Your data does not train models.

    Customer recordings, transcripts, and operator notes are never used to train Duress or third-party models. We have contractual no-training clauses with every AI vendor we use.

  • Humans review safety-critical AI.

    Every SafeSense alert is reviewed by a human operator before action. AI flags accelerate triage. AI does not dispatch responders.

Incident response

Notification timelines, in plain numbers.

Standard contractual commitments, not best efforts. Detailed run-book in the security pack.

  • 1 hour Initial assessment after detection
  • 24 hours Customer notification on confirmed breach
  • 72 hours Regulator notification per OAIC and ICO duties
  • Quarterly Tabletop incident-response exercise
Vulnerability disclosure

Found something? Tell us.

Co-ordinated disclosure with a 90-day fix window. Acknowledgement within 24 hours. Hall of fame for the researchers who help us.

PGP key fingerprint on request. Safe-harbour clause covers good-faith research per our policy.

Downloads

The paperwork your reviewer needs.

Most under NDA. We'll send them after a quick check.

  • Security pack

    ISO certificate, SOC posture, pen-test summary, sub-processor list, DPA template. The PDF that closes 80% of vendor questionnaires.

    Request the pack ›
  • Data Processing Agreement

    Our standard DPA covers GDPR, UK GDPR, Privacy Act 1988, and the New Zealand Privacy Act. Pre-signed PDF available on request.

    Request DPA ›
  • Sub-processor list

    Current list of sub-processors with role, region, and DPA reference. Updated within 30 days of any change.

    Request list ›
Questions reviewers ask

Short, factual answers.

Are you SOC 2 certified?
We are ISO/IEC 27001:2022 certified, which is the equivalent international standard. We share our pen-test summary, ISO certificate, and detailed control mappings to NIST CSF and CIS Top 18 under NDA. SOC 2 Type II is on our 2026 roadmap.
Where is our data stored?
AU customers: AWS Sydney. UK: AWS London. NZ: AWS Sydney with a New Zealand data-sharing agreement under the Privacy Act 2020. US: AWS Virginia. No cross-region replication of customer data without explicit consent and a signed addendum.
How long do you keep our data?
Operational data is retained for the life of the contract plus 90 days for export. Audit logs default to 12 months and can be extended to 7 years on enterprise tier. Incident video and audio retention is set per tenant, defaulting to 90 days.
What happens to our data if we leave?
You have a 90-day window to export everything via Pathfinder or API. After that, all customer data is purged from production within 30 days and from backups within the backup retention window (35 days). Certificate of destruction available on request.
Do you use customer data to train AI?
No. Customer recordings, transcripts, and operator notes are never used to train Duress models or any third-party model. We have contractual no-training clauses with every AI vendor on our data path.
Can we run a penetration test against your environment?
Yes, with notice. Enterprise customers can run a co-ordinated test under a signed test agreement. Findings are triaged jointly. Most customers prefer to receive our annual external pen-test summary, which is available under NDA.
What does your incident response look like?
Initial assessment within 1 hour of detection. Customer notification within 24 hours of confirmed breach. Regulator notification within 72 hours per OAIC and ICO obligations. Full run-book in the security pack.
Who owns the data we put into Duress?
You do. We are the processor; you are the controller. Our standard DPA codifies that. We have no rights to use, share, or sell your data outside the contracted service.

Ready to forward this to your reviewer?