Built for regulated enterprises, globally.
Our platforms run on enterprise-grade infrastructure with the controls, transparency, and assurance buyers in financial services, healthcare, government, and critical infrastructure require. Our consulting practitioners bring decades of delivery across ASX Top 50, FTSE-listed, and APRA-regulated environments.
Built by practitioners who have passed enterprise reviews.
Our team has delivered risk, cyber, and AI governance work for some of the most security-sensitive organisations in the region - ASX Top 50 listed companies, APRA-regulated insurers and banks, and government agencies. We have been on both sides of every procurement, vendor assessment, and security review you are likely to run.
Top 50 delivery experience
Our consultants have led risk, cyber, and resilience work for ASX Top 50 listed enterprises. We understand the rigour of board reporting, listing rule disclosure, and material risk identification at scale.
Banks, insurers, super
Direct delivery experience with APRA-regulated banks, health insurers, and superannuation funds. CPS 220, CPS 230, CPS 234 alignment is not theoretical - it is what we have built.
Government & SOCI Act
Risk and cyber programs for federal and state government, container terminals, and critical infrastructure operators - including Security of Critical Infrastructure (SOCI) Act readiness and reporting.
Five programs, honest reporting.
We publish the real status of every compliance program, including what is complete, what is in flight, and what is planned. No ambiguous "ISO-aligned" claims - you see exactly where we are, with target dates.
ISO 27001:2022
Information Security Management System certification underway. Scope: all platform engineering, customer data handling, and supporting business operations. Independent audit firm engaged.
SOC 2 Type II
SOC 2 Type II audit covering Security, Availability, and Confidentiality Trust Services Criteria. Scope: RiskBridge, MaturityOne, and Wahid AI platforms. Audit window: 6 months.
APRA CPS 230 & CPS 234
Operational risk and information security controls aligned to APRA prudential standards. Documented mapping of platform controls and supplier relationships to CPS 230 and CPS 234 requirements.
ISO/IEC 42001:2023
AI Management System for the Wahid AI platform aligned to the standard. ISO 42001 Lead Auditor on team. Mapping covers governance, risk management, and lifecycle controls per the standard.
EU AI Act
Wahid AI platform aligned to the EU AI Act risk classification, conformity, and transparency obligations. Risk classification documented per use case. Audit-ready evidence model.
APAC Privacy & Data Protection
Australian Privacy Principles (APPs), Hong Kong PDPO, Singapore PDPA, and GDPR (where applicable). Data Processing Agreements available with all customers in regulated jurisdictions.
Regional residency, customer-chosen.
Customer data stays in the region you declare. Australia is the default - Sydney primary, Melbourne DR - but we operate active regions across APAC, so customers can keep data in Singapore, Tokyo, Jakarta, Seoul, or Hong Kong when regulatory or commercial context calls for it.
This is not just a deployment option. Residency is a contract-level commitment. Once your region is declared, customer data - primary, backup, analytics, logs - does not leave it. Offshore support access is not default; it is a per-ticket exception with written customer approval, logged and reviewable.
For GCC and UK customers, deployment to Dubai, Riyadh, and London regions is available on Enterprise tier.
Regions: au-southeast1 (Sydney); Singapore, Tokyo, Hong Kong; Doha, London (Enterprise).
Defence in depth, by design.
Security is not a layer added at the end - it is architected into every module, every deployment, every user interaction. Below are the controls your security team will ask about first.
Authentication
SSO via SAML 2.0 and OIDC (Okta, Azure AD, Google Workspace). MFA enforceable at tenant level. Session management with configurable timeouts. Password policy defaults exceed the NIST SP 800-63B baseline.
Encryption
AES-256 at rest for all customer data including backups. TLS 1.3 only in transit - older versions blocked at the load balancer. Customer-managed encryption keys (CMEK) available on Enterprise tier.
Role-based access control
Granular RBAC across all platforms. Role templates for Risk Owner, Second Line, Audit, Steerco, and Admin. Custom roles on Enterprise. Least-privilege by default. Every permission change audit-logged.
Immutable audit logging
Every user action, every data change, every permission modification - logged to a write-once audit store. Retained for 7 years by default. Exportable via API. Tamper-evident, cryptographically signed.
Backup & DR
Point-in-time recovery on primary databases. Daily backups to DR region with 35-day retention. RTO 4 hours, RPO 15 minutes. DR test conducted quarterly with documented results.
Incident response
Documented incident response plan aligned to NIST SP 800-61. Severity-based SLAs for customer notification - 72-hour maximum for any security incident affecting customer data. Post-incident reports provided for Enterprise tier.
The controls behind the platform.
Technical controls are the easy half. Operational controls - the people, processes, and vendors that surround the platform - are where most incidents actually happen. Here is what we do there.
Personnel vetting
Every employee and contractor with production access passes a police check, reference verification, and confidentiality undertaking. Production access is role-based, time-limited, and reviewed quarterly. No shared credentials, ever.
Security training
Mandatory annual security awareness training for all staff. Role-specific training for engineers (secure coding, OWASP Top 10), support (social engineering, data handling), and leadership (incident decision-making). Completion tracked, refresher enforced.
Vendor assessment
Every sub-processor undergoes security review before onboarding. DPAs in place with all vendors who touch customer data. Sub-processor list published - see next section. We exit vendors that fall below the bar.
Change management
All production changes follow a controlled process - code review, automated testing, staging validation, approved change window. Emergency changes are exception-handled and documented. Every deployment traceable to a ticket and an author.
Your data is your data.
Beyond the compliance framework, we publish four promises that govern how we handle customer data. These are written into every contract and applied to every engagement - no exceptions.
No data sold, ever
We do not sell customer data. We do not anonymise and license it. We do not use it to train third-party models. Your data supports your engagement and your account - nothing else.
No advertising, no trackers
No third-party ad trackers, no behavioural analytics pixels, no retargeting cookies. Our products do not serve ads - not now, not ever. Minimal first-party telemetry, purpose-limited to product quality.
Data stays in your declared region
Customer data does not leave the region you declare. Primary and backup are both in-region. Offshore support access is not default - it is a per-ticket exception with written customer approval, logged and reviewable.
Customer-owned, fully exportable
Customer data belongs to the customer. On termination, we provide a full export in standard formats (JSON, CSV, DOCX, PDF) within 30 days, and delete the originals within 60 days. No ransom, no lock-in, no last-minute exit fees.
Full transparency on every vendor.
Our sub-processor list is published and updated whenever a vendor is added, removed, or changes region. Every vendor has a signed DPA and undergoes periodic security review.
| Vendor | Purpose | Region | DPA |
|---|---|---|---|
| Google Cloud Platform | Primary cloud infrastructure - compute, storage, databases, networking | APAC, GCC, EU regions | Signed |
| Google Workspace | Internal productivity and email - no customer data processed | au-southeast1 | Signed |
| Cloudflare | DDoS protection, WAF - TLS terminated on GCP, not Cloudflare | Global edge | Signed |
| Stripe | Billing only - PCI handled by Stripe, no card data on our platforms | APAC | Signed |
| Anthropic | AI features (Wahid AI & Enterprise tier) - zero data retention, opt-in per tenant | Regional endpoints | Signed |
| Postmark | Transactional email - invoices, password resets, notifications | AU | Signed |
Found a security issue? Tell us directly.
We welcome and credit security researchers who report vulnerabilities through responsible disclosure. We commit to acknowledging within 48 hours, triaging within 5 business days, and keeping you informed through to remediation.
Please do not access data beyond what is necessary to demonstrate the issue, and please do not publish until we have had a chance to remediate. Bounty program is in development - early contributors will be credited when it launches.
Start with a conversation.
Whether you are evaluating GRC platforms, assessing your risk maturity, navigating AI governance, or looking for a practitioner who has done the work - we respond within one business day. No SDR sequences. No chatbots. A real conversation with a practitioner.