TRUST CENTRE

We use our own platform to manage our own compliance.

Everything we ask customers to do, we do ourselves. Here's how we protect your data.

ISO/IEC 27001:2022 Certified
Australian Data Residency
Per-Organisation Isolation
Annual Penetration Testing

CERTIFICATIONS

ISO/IEC 27001:2022 Certified.

CyberHeed holds ISO/IEC 27001:2022 certification. The standard, certification body, scope and audit cycle are listed below.

Standard: ISO/IEC 27001:2022
Certification body: Prescient Security LLC
Scope: CyberHeed platform and operations
Surveillance: Annual surveillance audits
Recertification: Three-year cycle

We chose to certify early, before customers required it. If CyberHeed helps organisations achieve ISO 27001, we should demonstrate it works by using it ourselves.

Our ISMS covers the entire platform. When we improve CyberHeed, we experience those improvements as users first.

DATA PROTECTION

Your data is isolated, controlled, and audited.

Per-Organisation Data Isolation

Each organisation's data is logically (not physically) isolated at the database level: records are partitioned by organisation within shared infrastructure. The isolation boundary is enforced at the application layer, and automated tests in our CI/CD pipeline verify on every build that one organisation's session cannot reach another organisation's records.
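To make the claim concrete, here is an added example of what "enforced at the application layer and validated in CI" looks like in practice. It is illustrative code written for this page, not CyberHeed's own implementation, and the schema, table name, session object and the two tenants are constructed assumptions. The repository scopes every statement by the org_id taken from the authenticated session, and `isolation_check()` is the kind of test a pipeline runs on each build; it also includes a deliberately unscoped lookup (the insecure-direct-object-reference pattern) to show what such a test is there to catch.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema for the example: every tenant-owned row carries its org_id.
SCHEMA = """
CREATE TABLE evidence (
    id     INTEGER PRIMARY KEY,
    org_id TEXT NOT NULL,
    name   TEXT NOT NULL
);
CREATE INDEX evidence_org ON evidence (org_id);
"""


@dataclass(frozen=True)
class Session:
    """The authenticated caller. org_id comes from the login session, never from
    request parameters, so a client cannot choose a different tenant."""
    user: str
    org_id: str


class EvidenceRepo:
    """Tenant-scoped data access: every statement filters on the session's org_id."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def add(self, session: Session, name: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO evidence (org_id, name) VALUES (?, ?)",
            (session.org_id, name),
        )
        self.conn.commit()
        return cur.lastrowid

    def get(self, session: Session, evidence_id: int):
        # The primary key alone is never sufficient; the org_id predicate is the boundary.
        row = self.conn.execute(
            "SELECT id, org_id, name FROM evidence WHERE id = ? AND org_id = ?",
            (evidence_id, session.org_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "org_id": row[1], "name": row[2]}

    def list(self, session: Session):
        rows = self.conn.execute(
            "SELECT id, name FROM evidence WHERE org_id = ? ORDER BY id",
            (session.org_id,),
        ).fetchall()
        return [{"id": r[0], "name": r[1]} for r in rows]

    def get_unscoped(self, evidence_id: int):
        # Deliberately broken lookup (the IDOR pattern the CI test exists to catch):
        # it trusts the record id and omits the tenant predicate.
        row = self.conn.execute(
            "SELECT id, org_id, name FROM evidence WHERE id = ?", (evidence_id,)
        ).fetchone()
        return None if row is None else {"id": row[0], "org_id": row[1], "name": row[2]}


def new_repo() -> EvidenceRepo:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return EvidenceRepo(conn)


def isolation_check() -> dict:
    """The kind of test a CI pipeline runs on every build: seed two tenants, then
    prove an org-a session cannot read, enumerate or guess its way to org-b rows."""
    repo = new_repo()
    alice = Session("alice", "org-a")   # constructed tenant A
    bob = Session("bob", "org-b")       # constructed tenant B
    a_id = repo.add(alice, "Statement of Applicability")
    b_id = repo.add(bob, "Access review minutes")

    return {
        "own_record_visible": repo.get(alice, a_id) is not None,
        "cross_org_by_id_hidden": repo.get(alice, b_id) is None,
        "cross_org_not_listed": all(e["id"] != b_id for e in repo.list(alice)),
        # The unscoped lookup does leak; a build that exposes a path like this should fail.
        "unscoped_lookup_leaks": repo.get_unscoped(b_id)["org_id"] == "org-b",
    }


if __name__ == "__main__":
    print(isolation_check())
```

The point of the test is the second and third keys: a record id from another tenant, whether guessed or enumerated, returns nothing rather than a permission error that confirms the record exists. Any code path that resembles `get_unscoped` is exactly what a pipeline check of this shape is meant to flag before it ships.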

Evidence Storage

Evidence files are stored in encrypted S3 buckets with per-organisation key separation. Access to each file is controlled through application-layer authorisation, so a storage location is never reachable without an authorised request from the owning organisation.

Role-Based Access Control

Access governed by RBAC enforced at both application and API layers. Every permission grant and revocation is logged.

Audit Logging

All administrative actions logged in append-only, tamper-resistant storage. Logs include timestamp, actor, action, target, and outcome for every auditable event.
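As an added illustration of the two preceding points (logging every permission grant and revocation, and keeping administrative actions in append-only, tamper-resistant storage), here is a small hash-chained audit log. It is example code written for this page, not CyberHeed's implementation, and the event names, actors and target identifiers are constructed. Each entry records timestamp, actor, action, target and outcome, and commits to the SHA-256 of the previous entry, so that editing, deleting or reordering an entry after the fact is detectable by `verify()`.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only log where each entry commits to the SHA-256 of the entry before it.
    An edit, deletion or reordering after the fact breaks the chain and is caught by
    verify(). This is tamper-evident, not tamper-proof: an attacker who can rewrite the
    whole store can recompute every hash, which is why the latest hash should also be
    anchored somewhere they cannot write (WORM storage or an external witness)."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON over every field except the hash itself.
        body = {k: v for k, v in entry.items() if k != "hash"}
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(data).hexdigest()

    def append(self, actor: str, action: str, target: str, outcome: str, ts=None) -> dict:
        prev_hash = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry = {
            "seq": len(self._entries),
            "timestamp": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "outcome": outcome,
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        # Hand out copies only; callers never get a reference to the live list.
        return [dict(e) for e in self._entries]

    @classmethod
    def verify(cls, entries: list):
        """Walk the chain; return (True, None) or (False, seq of the first bad entry)."""
        prev = cls.GENESIS
        for i, e in enumerate(entries):
            if e["seq"] != i or e["prev_hash"] != prev or cls._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def demo() -> dict:
    """Constructed events: an RBAC grant and revocation, then a denied deletion attempt."""
    log = AuditLog()
    log.append("admin@example.org", "rbac.grant", "user:bob role:auditor", "success")
    log.append("admin@example.org", "rbac.revoke", "user:bob role:auditor", "success")
    log.append("bob@example.org", "evidence.delete", "evidence:17", "denied")

    clean_ok, _ = AuditLog.verify(log.entries())

    edited = log.entries()
    edited[2]["outcome"] = "success"   # rewrite history for the denied action
    edit_ok, edit_at = AuditLog.verify(edited)

    truncated = log.entries()
    del truncated[1]                   # drop the revocation so bob still looks entitled
    trunc_ok, trunc_at = AuditLog.verify(truncated)

    return {
        "clean_ok": clean_ok,
        "edit_detected_at": None if edit_ok else edit_at,
        "deletion_detected_at": None if trunc_ok else trunc_at,
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The sequence number is part of the hashed body, so removing an entry from the middle is detected at the very next entry rather than only at the end, and the canonical JSON encoding means two writers produce byte-identical digests for the same event. A practitioner reviewing a vendor's "tamper-resistant" claim should ask where the chain head is anchored and who can write there.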

AI SECURITY

How we secure AI interactions with your compliance data.

Per-Organisation AI Context

AI interactions are scoped to your organisation's data only. No data from one organisation is ever included in the context supplied to the model for another organisation.

No Model Training on Customer Data

Your compliance data is never used to train AI models. Policies, evidence, conversations: none of it.

AI Output Review

Human in the loop. All AI-generated content is presented for your team to review before it becomes part of your compliance record.

OUR COMPLIANCE PRACTICES

What we do to maintain our own security posture.

Annual Penetration Testing

Independent third-party testing covering web application, API, authentication, authorisation, data isolation, and infrastructure.

Vulnerability Scanning

Automated scanning across infrastructure and application stack. Critical vulnerabilities prioritised for immediate remediation.

Incident Response

Documented procedures covering detection, assessment, containment, eradication, recovery, and post-incident review. Managed on CyberHeed.

Security Awareness Training

All team members complete security awareness training. Phishing simulations, secure development practices, and incident reporting are tracked as ISMS controls.

Supplier Security Assessment

Third-party suppliers assessed against security requirements covering data handling, access controls, and compliance posture.

Business Continuity

BCP and DR plans documented, tested, and reviewed. Backup procedures automated. RPO and RTO defined and tested regularly.

FREQUENTLY ASKED QUESTIONS

Common security questions.

Questions we hear most often from security teams evaluating CyberHeed.

Where is our data stored?

All customer data is stored in Australian AWS regions. This includes compliance data, evidence files, SmartPrep conversation records, user information, and AI-generated content. There is no data routing through international jurisdictions. Australian data residency is a hard architectural constraint.

Can other organisations access our data?

No. Each organisation operates in a fully isolated workspace. Data isolation is enforced at the application layer and validated through automated testing in our CI/CD pipeline.

Is our data used to train AI models?

No. Your compliance data, evidence, policies, and SmartPrep conversations are never used to train AI models. The AI models are pre-trained on general knowledge and fine-tuned on compliance framework content.

Is CyberHeed ISO 27001 certified?

CyberHeed is ISO/IEC 27001:2022 certified, issued by Prescient Security LLC. We manage our own ISMS on CyberHeed and undergo annual surveillance audits with full recertification on a three-year cycle.

How is our data encrypted?

All data encrypted at rest using AES-256 and in transit using TLS 1.2+. This applies to all data paths. We enforce HSTS and use per-organisation key separation for evidence storage.

Do you conduct penetration testing?

Yes. Independent third-party penetration testing is conducted annually covering the full application stack. Findings are triaged, remediated according to SLAs, and verified.

Can we export our data?

Yes. All your compliance data is available for export at any time. Your data is yours. CyberHeed is a tool for managing it, not a lock-in mechanism.

What happens to our data if we leave?

Data is retained for a defined period to allow for export. After the retention period, data is permanently deleted from all systems including backups. Deletion is confirmed and documented.

Can you provide your certificate and security documentation?

Yes. Contact us and we'll provide a copy of our certificate along with any additional security documentation you need for your procurement or vendor assessment process.

Questions about our security?

We're transparent about how we protect your data. Questions about security practices, certifications, or data handling? We're here.