Structured. Compliant. Covered.
You’re trusting us with your systems, your data, and your operations. That trust isn’t given lightly, and we don’t take it lightly. Here’s how we protect what matters.
Compliance & Certifications
We maintain the standards you’d expect from a firm handling sensitive business systems and data.
Australian Privacy Principles
Our data handling practices comply with Australia’s Privacy Act 1988 and the 13 Australian Privacy Principles. We collect, store, and process personal information in accordance with Australian privacy law.
GDPR Compliance
For clients with European operations or data subjects, we maintain compliance with the General Data Protection Regulation. Data processing agreements, right to deletion, data portability, and breach notification protocols are in place.
ISO 27001 Framework Alignment
Our information security management practices align with ISO 27001 standards. We maintain documented security controls, risk assessment procedures, and continuous improvement processes.
Professional Indemnity Insurance
We carry comprehensive professional indemnity insurance covering technology consulting, systems integration, and advisory services. Coverage protects both our clients and our work.
Cyber Liability Insurance
Our cyber liability policy covers data breaches, cyber incidents, and technology errors. This provides an additional layer of protection for client data and systems under our care.
Essential Eight Alignment
Our internal security posture aligns with the Australian Cyber Security Centre’s Essential Eight mitigation strategies. We apply these same standards to client engagements where applicable.
Data Handling Standards
How we handle your data, from collection to disposal.
All client data is classified by sensitivity: Public, Internal, Confidential, or Restricted. Classification determines storage, access controls, encryption requirements, and handling procedures.
- Data in transit: TLS 1.2 or higher for all network communications
- Data at rest: AES-256 encryption for stored data
- Encrypted backups with separate key management
- End-to-end encryption for sensitive client communications
- Role-based access control (RBAC) for all systems
- Multi-factor authentication (MFA) required for all team access
- Principle of least privilege: access granted only as needed
- Regular access reviews and immediate revocation upon team changes
- Separate production and development environments
- Client data retained only as long as contractually required or legally mandated
- Secure deletion protocols using industry-standard data wiping tools
- Certificate of destruction provided upon request
- Backup retention policies aligned with client requirements
- Australian data stored in Australian data centres (AWS Sydney, Azure Australia East)
- Data sovereignty requirements honoured for regulated industries
- Cross-border data transfer agreements in place where required
- Cloud infrastructure selection based on client jurisdiction requirements
When things go wrong, we move fast
We maintain documented procedures for security incidents, data breaches, and system failures.
Detection & Reporting
- 24/7 monitoring for critical systems
- Automated alerts for security anomalies
- Clear escalation paths from detection to executive leadership
- Incident logging and tracking in secure systems
Containment & Response
- Immediate containment procedures to limit impact
- Forensic preservation of evidence for investigation
- Coordinated response across technical and business teams
- Communication protocols for client notification
Client Notification
- Immediate notification for incidents affecting client data or systems
- Transparent communication of impact, cause, and remediation steps
- Compliance with notification timeframes under APP and GDPR
- Written incident reports provided within 72 hours
Post-Incident Review
- Root cause analysis conducted for every incident
- Corrective actions implemented to prevent recurrence
- Security posture improvements based on lessons learned
- Documentation updated to reflect new procedures
Rigorous governance for AI systems
As an AI and automation consultancy, we apply rigorous governance to AI systems we build and deploy.
Responsible AI Principles
- Fairness: AI systems tested for bias and discriminatory outcomes
- Transparency: Explainable AI models where decisions affect people
- Accountability: Clear ownership and human oversight of AI decisions
- Privacy: Data minimization and consent in AI training and inference
- Safety: Testing and validation before production deployment
Data for AI Training
- Client data never used to train public AI models without explicit consent
- Private, client-specific AI models isolated from other clients
- Data anonymization and pseudonymization where possible
- Opt-out mechanisms for any AI data usage
- Compliance with AI-specific regulations (EU AI Act alignment for European clients)
AI System Documentation
- Model cards documenting AI system capabilities and limitations
- Data provenance: tracking sources of training data
- Performance metrics: accuracy, precision, recall, and fairness measures
- Version control for AI models with rollback capability
- Regular retraining and performance monitoring
Human-in-the-Loop
- High-stakes AI decisions require human review
- Override mechanisms for AI recommendations
- Continuous monitoring for AI system drift or degradation
- Escalation procedures when AI confidence is low
Security Practices
Day-to-day practices that keep your systems and data secure.
Secure Development
- Secure coding standards and peer code reviews
- Automated security scanning in CI/CD pipelines
- Dependency management and vulnerability scanning
- Regular penetration testing for client-facing systems
- Security testing before production deployment
Team Security Training
- Annual security awareness training for all team members
- Phishing simulation and response training
- Secure coding training for engineering teams
- Data privacy and compliance training
- Incident response drills and tabletop exercises
Vendor & Subcontractor Management
- Security assessments of all third-party vendors
- Data processing agreements with subcontractors
- Contractual security and privacy obligations
- Right to audit subcontractor security controls
- Limited vendor access with strict oversight
Physical Security
- Secure office access controls (Sydney, Melbourne, APAC centres)
- Clean desk policy for sensitive information
- Encrypted storage for any physical media
- Secure disposal of hardware and documents
- CCTV monitoring of physical premises
Request our Security Pack
Need detailed documentation for your procurement, compliance, or risk team? Our Security Pack includes complete security policies and procedures, data processing agreement templates, incident response playbooks, insurance certificates of currency, compliance attestations and certifications, AI governance documentation, and vendor security questionnaire responses (CAIQ, SIG, VSA).