ENTERPRISE SECURITY

Trust is the work, not the claim.

We build and run digital platforms for organisations where security, sovereignty and accountability are not optional. This page is the summary. The evidence is available on request.

TRUST APPLIED FOR AUSTRALIAN GOVERNMENT AND REGULATED ENTERPRISE

Australian Federal Police, Australian Passport Office, State Government of Victoria, Port Authority NSW, PFD Food Services

ML2: Essential Eight maturity applied across managed hosting.
100%: Australian infrastructure. Australian engineers. Australian law.
48hr: Critical patch SLA on managed platforms.
24/7: Monitoring, alerting and on-call escalation.

How we operate

Most vendors answer trust questions once they are already in procurement. We answer them before.

The agencies and regulated businesses we work with have to justify every platform choice to auditors, risk committees and eventually the public. That is a hard job. It is easier when the vendor has already done the thinking out loud.

Three areas come up on every engagement. How we run the platform. Where the data lives. How we use AI. Each has a summary below. If you need the underlying policies, controls and attestations, ask for the trust pack.

Hosting: AWS Sydney, multi-AZ
Operations: Australian staff, under Australian law
Framework: Essential Eight ML2 applied
Security management: ISO 27001 aligned ISMS
AI use: Sovereign, isolated, auditable
Breach disclosure: Privacy Act, Notifiable Data Breach scheme
Evidence: Trust pack on request

Security operations in practice.

Frameworks are the language. The work is what happens between audits.

Patch and vulnerability management.

Critical patches deployed within 48 hours through dev, staging and production promotion. Dependency scanning and static analysis run on every build. CVE response tracked through our ticketing with named owners.

Access control.

Individual accounts, not shared credentials. Multi-factor authentication mandatory for all administrative access. SSH restricted by IP allowlist to the company VPN. Developer access to production data only through sanitised copies.

Data separation.

Every client runs in its own database with its own credentials. Application containers in separate namespaces. No scenario in the architecture where one client's content becomes visible to another.

Encryption.

TLS 1.2 and 1.3 for data in transit, modern cipher suites, no downgrade to older protocols. AES 256 at rest on managed storage. Keys in the cloud KMS, with client held keys available.

Perimeter and platform defence.

Signal Sciences next generation WAF inspecting traffic at origin. Fastly DDoS mitigation at the edge. AWS Shield Standard across the AWS estate. All three on every managed platform, not as paid upgrades.

Backups and recovery.

Daily backups retained for a rolling week. Weekly backups retained for a year. Monthly backups retained seven years where required. Restores tested. Backup storage stays in the same Australian region as primary.

Logging and monitoring.

Application, infrastructure and security events logged centrally. Infrastructure monitored 24 hours a day, seven days a week, with on-call escalation. Anomalies generate tickets before they become incidents.

Penetration testing.

Independent penetration testing at least every 12 months, and before any material platform change. Remediation tracked to closure.

Supply chain.

Published subprocessor register covering every third party that touches client infrastructure, with jurisdiction and purpose. No surprise suppliers. Material changes notified in advance.

Sovereignty

Data sovereignty, not just data residency.

Residency says where the bytes are stored. Sovereignty says who can compel access to them, who can change the rules, and whose law governs the answer. We treat all three as one question.

Our managed platforms run on AWS Sydney, across multiple availability zones, staffed by Australian based engineers working under Australian law. No default offshore mirroring. No quiet failover out of region. Any variation from that, and there are legitimate reasons for some, is documented, approved and contracted before it happens.

Primary region: AWS Sydney, multi-AZ
Secondary: Melbourne availability on request
Operations: Australian based engineers, under Australian law
Encryption keys: Provider managed. Client held available.
Offshore flow: None by default. Exceptions contracted.
Deployment options: Managed cloud, dedicated tenancy, agency operated
Contracts: Sovereignty terms in every MSA

How we build AI that earns trust.

No training on your data.

Client content never used to train foundation models. Written into the contract, not just a policy commitment.

Per tenant isolation.

Isolation by deployment. Retrieval stores, indexes, keys and logs separate per client, with no cross tenant visibility.

Human review on consequential actions.

Humans approve decisions that affect a person. The approval gate is designed in, not bolted on afterwards.

Adversarial testing at build and release.

Jailbreak and adversarial prompts run before deployment and on every release. A release that fails doesn't go out.

Cited sources on retrieval augmented answers.

Retrieval augmented responses cite their sources. Every claim has a trail the reviewer can follow back to origin.

Full audit trail.

Every prompt, retrieval, model response and human approval logged. Queryable by the client at any time.
