CyberHeed's security posture is managed on CyberHeed. Everything we ask our customers to do, we do ourselves. Here's how we protect your data and maintain our own compliance.
Our information security management system (ISMS) is certified to the ISO/IEC 27001:2022 standard.
| Item | Detail |
|---|---|
| Standard | ISO/IEC 27001:2022 |
| Certification Body | Prescient Security LLC |
| Scope | CyberHeed platform and operations |
| Surveillance | Annual surveillance audits |
| Recertification | Three-year cycle |
We chose to certify early, before customers required it. Not because it was commercially necessary, but because it validated our own platform. If CyberHeed helps organisations achieve ISO 27001, we should be able to demonstrate that it works by using it ourselves.
Our ISMS covers the entire CyberHeed platform. We manage our ISMS on CyberHeed. When we improve the platform, we experience those improvements as users first.
Our infrastructure is designed for security, performance, and Australian data sovereignty.
CyberHeed runs on Amazon Web Services using ECS Fargate, a serverless container service that provides automatic scaling, patching, and isolation. Containers are ephemeral: created for each request and destroyed after processing.
All data is encrypted at rest using AES-256 and in transit with TLS 1.2 or later. Every data path is encrypted. HSTS is enforced to prevent protocol downgrade attacks.
All traffic passes through Cloudflare. DDoS protection, bot mitigation, rate limiting, and threat intelligence are applied at the edge before requests reach our infrastructure.
All customer data is stored and processed within Australian borders. No data is routed through international jurisdictions. This is a hard architectural constraint, not a configuration option.
Every organisation on CyberHeed operates in its own isolated environment.
Each organisation's data is logically isolated at the database level. Isolation is enforced at the application layer and validated through automated testing in our CI/CD pipeline.
Evidence files are stored in encrypted S3 buckets with per-organisation key separation. Access is controlled through application-layer authorisation.
Access is governed by RBAC enforced at both the application and API layers. Every permission grant and revocation is logged.
All administrative actions are logged in append-only, tamper-resistant storage. Logs include timestamp, actor, action, target, and outcome for every auditable event.
AI interactions are scoped to your organisation's data only. One organisation's AI interactions cannot influence, inform, or leak into another organisation's experience.
Your compliance data is not used to train AI models. Your policies, evidence, and SmartPrep conversations are never used as training data.
AI-generated content is always presented for human review before it becomes part of your compliance record. The AI drafts. Your team reviews, edits, and approves.
Independent third-party testing covers the web application, API, authentication, authorisation, data isolation, and infrastructure.
Automated scanning runs across the infrastructure and application stack. Critical vulnerabilities are prioritised for immediate remediation.
Documented incident response procedures cover detection, assessment, containment, eradication, recovery, and post-incident review, and are managed on CyberHeed.
All team members complete security training. Phishing simulations, secure development practices, and incident reporting are tracked as ISMS controls.
Third-party suppliers are assessed against security requirements covering data handling, access controls, and compliance posture.
Business continuity (BCP) and disaster recovery (DR) plans are documented, tested, and reviewed. Backup procedures are automated. RPO and RTO are defined and tested regularly.
Questions we hear most often from security teams evaluating CyberHeed.
We're transparent about how we protect your data. If you have questions about our security practices, certifications, or data handling, we're here to answer them.