Trust & Transparency

Security & Regulatory Compliance

Designed to satisfy government and enterprise clients — aligned with Australian data sovereignty and ASD Essential Eight requirements.

ApproveFlow is built with enterprise-grade security and regulatory compliance at its core. Our infrastructure, data practices, and internal controls are designed to meet the expectations of Australian government agencies, private certifiers, and enterprise clients operating under strict regulatory obligations.

01 Data Sovereignty

Australian-Hosted Infrastructure

All submission documents and assessment data are hosted exclusively on Australian-based servers — AWS Sydney Region (ap-southeast-2) and/or Azure Australia East.

No submission data is transmitted to or stored on servers outside Australian jurisdiction. This satisfies the data residency requirements under the Privacy Act 1988 (Cth) and applicable State privacy legislation.

02 ASD Essential Eight

Essential Eight Alignment

We align with the Australian Signals Directorate (ASD) Essential Eight maturity model. Our implemented controls include:

  • Application Control
  • Patch Applications
  • Configure MS Office Macros
  • User Application Hardening
  • Restrict Admin Privileges
  • Patch Operating Systems
  • Multi-Factor Authentication
  • Daily Immutable Backups

03 Audit Trails

Transparent Regulatory Audit Trail

Every automated extraction and every human verification step is logged with a time-stamped, immutable record. This provides a complete and transparent regulatory audit trail for:

— Certifier review and sign-off events
— Document extraction and analysis events
— System access and authentication events
— Any modification to assessment records

Audit logs are retained for a minimum of 7 years and are available on request for regulatory and legal proceedings.

04 Access Control

Mandatory Multi-Factor Authentication

Multi-Factor Authentication (MFA) is mandatory for all user accounts. Access to assessment data is role-based and least-privilege by default.

Admin privileges are strictly controlled, monitored, and reviewed quarterly. All authentication events are logged and monitored for anomalies in real time.
