Security & Compliance

Australian-first. Enterprise-grade.

Your operational data stays in Australia, is encrypted in transit and at rest, and is handled under the Privacy Act 1988. We've built our security posture for the Australian regulatory environment.

  • SOC 2 Type II: Roadmap Q2 2026
  • ISO 27001: Roadmap Q4 2026
  • Annual Penetration Test: Completed (Synack, 2024)
  • APP Compliance: Active
  • NGER Alignment: Active
  • WHS Alignment: Active

Hosting: AWS Sydney (ap-southeast-2)

  • All data stored and processed in AWS ap-southeast-2 (Sydney)
  • Your data never leaves Australian borders — contractually guaranteed
  • Multi-AZ deployment: automatic failover within the Sydney region
  • RPO: 15 minutes | RTO: 1 hour
  • Daily automated backups retained for 30 days

Privacy Act 1988 + Australian Privacy Principles

  • Full compliance with all 13 Australian Privacy Principles (APPs)
  • Downloadable Privacy Statement and Data Processing Agreement
  • Data minimisation: we collect only what the platform needs
  • Right of access, correction, and deletion enforced
  • DPA available for Enterprise customers (GDPR-equivalent)

Encryption at rest and in transit

  • TLS 1.3 for all data in transit — no TLS 1.0/1.1 fallback
  • AES-256 encryption for all data at rest
  • AWS KMS-managed keys — customer-managed keys available (Enterprise)
  • Database connections use certificate pinning
  • Secrets managed via AWS Secrets Manager
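The "no TLS 1.0/1.1 fallback" claim above is one a customer can verify from outside. The script below is an added example, not the platform's own tooling: it pins a client handshake to exactly one protocol version at a time, records whether the server completes it, and then judges the results against the claim. The hostname is a placeholder to replace with the platform's API or web endpoint; the `evaluate` function is pure so it can be unit-tested offline against constructed results.

```python
"""Probe which TLS protocol versions a server accepts and check a
"TLS 1.3, no TLS 1.0/1.1 fallback" policy claim (added example, not vendor code)."""
from __future__ import annotations

import socket
import ssl
import sys

# Display name, the ssl.TLSVersion to pin, and whether the local OpenSSL can speak it at all.
PROBES = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
]

ACCEPTED, REFUSED, UNTESTABLE = "accepted", "refused", "untestable"


def probe_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Attempt one handshake with min and max protocol pinned to `version`.

    Certificate verification is disabled on purpose: the question is only whether
    the server is willing to negotiate this version, not whether its chain validates.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level, which would make
        # every legacy probe look like a server refusal. Lower it for this probe only.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            return UNTESTABLE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ACCEPTED if tls.version() else REFUSED
    except (ssl.SSLError, ConnectionResetError, socket.timeout):
        # Alert, abrupt close or silence after the ClientHello all count as refusal.
        return REFUSED


def scan(host: str, port: int = 443) -> dict[str, str]:
    """Probe every protocol version, skipping those the local OpenSSL cannot speak."""
    return {
        name: (probe_version(host, port, ver) if supported else UNTESTABLE)
        for name, ver, supported in PROBES
    }


def evaluate(results: dict[str, str]) -> dict[str, object]:
    """Judge scan results against "TLS 1.3 offered, no TLS 1.0/1.1 fallback".

    TLS 1.2 is reported but not penalised, because the claim only rules out 1.0 and 1.1.
    An untestable legacy version blocks a pass: an unverified claim is not a verified one.
    """
    legacy = [v for v in ("TLSv1.0", "TLSv1.1") if results.get(v) == ACCEPTED]
    untestable = [v for v, r in results.items() if r == UNTESTABLE]
    findings: dict[str, object] = {
        "tls13_offered": results.get("TLSv1.3") == ACCEPTED,
        "tls12_offered": results.get("TLSv1.2") == ACCEPTED,
        "legacy_fallback": legacy,
        "untestable": untestable,
    }
    findings["claim_holds"] = bool(findings["tls13_offered"] and not legacy and not untestable)
    return findings


if __name__ == "__main__":
    # Placeholder target; replace with the platform endpoint you are assessing.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    outcome = scan(target)
    for name, result in outcome.items():
        print(f"{name:8} {result}")
    print(evaluate(outcome))
```

Run it against the API hostname and the browser-facing hostname separately; load balancers and API gateways are often configured independently, and a policy that holds on one may not hold on the other.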

Identity, Access & MFA

  • Multi-factor authentication (MFA) required by default
  • SAML 2.0 / OIDC SSO for Enterprise customers
  • Hardware token support (FIDO2 / WebAuthn)
  • Role-based access: Owner / Admin / Manager / Operator / Viewer
  • Session tokens expire after 8 hours (configurable)
  • IP allowlisting available on request

NGER Act 2007 alignment

  • Energy & Emissions module uses NGER-compliant calculation methodology
  • National Greenhouse Accounts (NGA) Factors applied to all fuel combustion data
  • Audit-ready NGER report export — financial year, calendar year, or custom
  • Scope 1 and 2 categorisation aligned with NGER definitions; Scope 3, which NGER does not cover, follows the NGA Factors guidance

WHS Act 2011 alignment

  • Safety module metrics aligned with Model WHS Act definitions
  • TRIFR, LTIFR, and AIFR calculated per Safe Work Australia methodology
  • Incident reporting workflow supports DMIRS notification timelines
  • Notifiable incident tracking (serious injuries, dangerous incidents, fatalities)

Immutable audit logs

Every access, every query, every export — logged immutably with user ID, timestamp, and IP. Exportable for your own SIEM. Retained for 12 months by default (Enterprise: unlimited).

Disaster recovery

  • RPO: 15 minutes
  • RTO: 1 hour
  • Uptime SLA: 99.9%
  • Backup retention: 30 days