Yes. Clients can request a security audit against the engagement. Independent penetration testing is run at least annually.

ENTERPRISE SECURITY

Trust is the work, not the claim.

Q: Where does our data live?

Australia. AWS Sydney by default, multi AZ. No offshore storage, no offshore failover, no offshore backup by default. Any variation is contracted in writing before it happens.

Q: How are your platforms separated between clients?

Every client has its own database, its own credentials and its own application namespace. Logical segregation end to end.

Q: Who can access our data, and how is that controlled?

Australian based operations staff only. Multi factor authentication on all administrative access. Developer access to production is through a sanitised copy. Access is logged and reviewed.

Q: How fast do you respond to a critical security issue?

Critical patches within 48 hours on managed platforms. Incidents are triaged 24/7 through our on call rotation. Notification to the client starts immediately and continues through resolution.

Q: How do you handle a data breach?

Documented incident response plan covering containment, investigation, notification and post incident review. Notifiable Data Breach obligations under the Privacy Act are honoured as a floor, not a ceiling. Clients are informed throughout, not at the end.

Q: Do you use our data to train AI models?

No. Client content is not used to train foundation models, and this is contracted, not only stated in policy. Retrieval stores are isolated per client.

Q: What evidence can you provide?

The trust pack includes policies, control attestations, the subprocessor register and our incident response plan. Requestable below.

We build and run digital platforms for organisations where security, sovereignty and accountability are not optional. This page is the summary. The evidence is available on request.

TRUST APPLIED FOR AUSTRALIAN GOVERNMENT AND REGULATED ENTERPRISE

ML2

Essential Eight maturity applied across managed hosting.

100%

Australian infrastructure. Australian engineers. Australian law.

48hr

Critical patch SLA on managed platforms.

24/7

Monitoring, alerting and on call escalation.

How we operate

Trust is the work, not the claim.

Most vendors answer trust questions once they are already in procurement. We answer them before.

The agencies and regulated businesses we work with have to justify every platform choice to auditors, risk committees and eventually the public. That is a hard job. It is easier when the vendor has already done the thinking out loud.

Three areas come up on every engagement. How we run the platform. Where the data lives. How we use AI. Each has a summary below. If you need the underlying policies, controls and attestations, ask for the trust pack.

Hosting: AWS Sydney, multi AZ
Operations: Australian staff, under Australian law
Framework: Essential Eight ML2 applied
Security management: ISO 27001 aligned ISMS
AI use: Sovereign, isolated, auditable
Breach disclosure: Privacy Act, Notifiable Data Breach scheme
Evidence: Trust pack on request

Patch and vulnerability management.

Critical patches deployed within 48 hours through dev, staging and production promotion. Dependency scanning and static analysis run on every build. CVE response tracked through our ticketing with named owners.

Access control.

Individual accounts, not shared credentials. Multi factor authentication mandatory for all administrative access. SSH restricted by IP allowlist to company VPN. Developer access to production only through sanitised copies.

Data separation.

Every client runs in its own database with its own credentials. Application containers in separate namespaces. No scenario in the architecture where one client's content becomes visible to another.

Encryption.

TLS 1.2 and 1.3 for data in transit, modern cipher suites, no downgrade to older protocols. AES 256 at rest on managed storage. Keys in the cloud KMS, with client held keys available.

Perimeter and platform defence.

Signal Sciences next generation WAF inspecting traffic at origin. Fastly DDoS mitigation at the edge. AWS Shield Standard across the AWS estate. All three on every managed platform, not as paid upgrades.

Backups and recovery.

Daily backups retained for a rolling week. Weekly backups retained for a year. Monthly backups retained seven years where required. Restores tested. Backup storage stays in the same Australian region as primary.

Logging and monitoring.

Application, infrastructure and security events logged centrally. Infrastructure monitored 24 hours a day, seven days a week, with on call escalation. Anomalies generate tickets before they become incidents.

Penetration testing.

Independent penetration testing at least every 12 months, and before any material platform change. Remediation tracked to closure.

Supply chain.

Published subprocessor register covering every third party that touches client infrastructure, with jurisdiction and purpose. No surprise suppliers. Material changes notified in advance.

Sovereignty

Data sovereignty, not just data residency.

Residency says where the bytes are stored. Sovereignty says who can compel access to them, who can change the rules, and whose law governs the answer. We treat all three as one question.

Our managed platforms run on AWS Sydney, across multiple availability zones, staffed by Australian based engineers working under Australian law. No default offshore mirroring. No quiet failover out of region. Any variation from that, and there are legitimate reasons for some, is documented, approved and contracted before it happens.

Primary region: AWS Sydney, multi AZ
Secondary: Melbourne availability on request
Operations: Australian based engineers, under Australian law
Encryption keys: Provider managed. Client held available.
Offshore flow: None by default. Exceptions contracted.
Deployment options: Managed cloud, dedicated tenancy, agency operated
Contracts: Sovereignty terms in every MSA

No training on your data.

Client content never used to train foundation models. Written into the contract, not just a policy commitment.

Per tenant isolation.

Isolation by deployment. Retrieval stores, indexes, keys and logs separate per client, with no cross tenant visibility.

Human review on consequential actions.

Humans approve decisions that affect a person. The approval gate is designed in, not bolted on afterwards.

Adversarial testing at build and release.

Jailbreak and adversarial prompts run before deployment and on every release. A release that fails doesn't go out.

Cited sources on retrieval augmented answers.

Retrieval augmented responses cite their sources. Every claim has a trail the reviewer can follow back to origin.

Full audit trail.

Every prompt, retrieval, model response and human approval logged. Queryable by the client at any time.

Where does our data live?

How are your platforms separated between clients?

Who can access our data, and how is that controlled?

How fast do you respond to a critical security issue?

How do you handle a data breach?

Do you use our data to train AI models?

Can we audit you?

What evidence can you provide?

Talk to our security team

Find out more about our security posture.

Request the trust pack

Trust is the work, not the claim.

Trust is the work, not the claim.

Security operations in practice.

Patch and vulnerability management.

Access control.

Data separation.

Encryption.

Perimeter and platform defence.

Backups and recovery.

Logging and monitoring.

Penetration testing.

Supply chain.

Data sovereignty, not just data residency.

How we build AI that earns trust.

No training on your data.

Per tenant isolation.

Human review on consequential actions.

Adversarial testing at build and release.

Cited sources on retrieval augmented answers.

Full audit trail.

Common questions from procurement and risk.

Talk to our security team

Services

Products

Company

Connect