Enterprise-grade security. Australian data sovereignty by design.

Compliant with the Privacy Act 1988. Data collected, stored, and processed entirely in Australia.

• Transparent data collection with published privacy policy
• No cross-border data transfer — all AI processing in NSW
• Data export and account deletion available
• No data sold or used for model training
• Third-party services (payments, OAuth) disclosed in privacy policy
• Formal complaints process with OAIC escalation path

Strong application hardening and access controls. MFA enforcement and automated backups on the roadmap.

• Application hardening with CSP, WAF, and DOMPurify
• Multi-factor authentication available (TOTP)
• Dependency scanning and containerised deployments
• Admin privilege restriction with role-based access
• MFA enforcement for privileged accounts — in progress
• Automated backup strategy — in progress

Strong transport encryption and access controls. Encryption at rest and formal incident response being implemented.

• TLS 1.2+ with HSTS preload and OCSP stapling
• Per-user data isolation and access controls
• Suspicious activity detection with alerting
• Activity audit trail with user, IP, and timestamp
• Field-level encryption at rest — in progress
• Formal incident response plan — in progress

Good Annex A control coverage. Backup procedures and MFA enforcement being finalised.

• Documented security policies and development patterns
• Strong cryptographic controls (PBKDF2-SHA256, TLS)
• Incident detection with email alerts
• Data export and right-to-deletion support
• MFA enforcement for privileged access — in progress
• Documented backup and recovery procedures — in progress

Protective Security Policy Framework alignment for Australian government deployments. Strong technical controls with MFA enforcement in progress.

• Full data sovereignty on Australian infrastructure
• Comprehensive security headers (HSTS, CSP, X-Frame-Options)
• Session management with absolute TTL enforcement
• CrowdSec behavioural threat detection
• MFA enforcement for all users — in progress

Comprehensive web application security protections across all OWASP Top 10 categories.

• ModSecurity WAF with OWASP Core Rule Set v4
• CSP with per-request nonces prevents XSS
• SQLAlchemy ORM — parameterised queries throughout
• Password hashing (PBKDF2-SHA256) with strength validation
• Containerised deployments with dependency scanning

Purpose-built protections against the OWASP Top 10 for Large Language Model Applications.

• Prompt injection isolation — system prompts separated from user input
• DOMPurify output sanitisation on all AI-generated content
• Self-hosted open-source models — no external API calls for inference
• Tool scope limits — no code execution, no filesystem access
• Per-tier rate limiting with token caps and thinking time cutoffs
• Per-user vector embedding isolation prevents cross-user data leakage