Information security and confidentiality.

Working principles.

Engagements are scoped under confidentiality from first contact. Where the work touches Defence, regulator or accountable-authority matters, the engagement is structured to align with the security and disclosure obligations of the client, including any requirement for cleared personnel, sovereign data handling or restricted distribution.

Working files are held in business-grade Australian-tenanted Microsoft 365 systems with access restricted to engagement personnel. Document control, version handling and disposal are operated to match the sensitivity of the engagement and the requirements of the client.

This website does not operate analytics or third-party tracking. Web fonts are currently served by Google Fonts; this is the only third-party request made by the site at launch, and the firm intends to self-host fonts in a future build to remove the dependency. The Contact form submits an enquiry to the firm’s Australian-tenanted Microsoft 365 mailbox. The firm does not on-sell, share or use enquiry data for any purpose other than responding to the enquiry.

Detailed security commitments for individual engagements are confirmed in writing as part of the engagement letter. Where a client requires a specific security construct, for example sovereign-only storage, cleared personnel only or air-gapped reporting, this is agreed before work commences.

Website infrastructure and data residency.

The website is hosted on Microsoft Azure Static Web Apps. The static content is served from Microsoft’s global content delivery network, with Australian points of presence used for visitors in Australia. The Contact form is handled by a Microsoft Azure Function running in the East Asia region (Microsoft datacentres in Hong Kong or Singapore), because Azure Static Web Apps does not currently offer Australia East as a managed Function region. Enquiry data passes through the East Asia Function only long enough to be validated and dispatched to the firm’s Australian-tenanted Microsoft 365 mailbox via Microsoft Graph. Enquiry data is not stored in the East Asia region.

Personnel and cleared engagements.

Directors hold, or have held, security clearances appropriate to their prior service and current engagements. The firm accepts cleared-personnel-only engagements where the client’s required clearance level can be met by named personnel. The firm does not currently hold facilities accreditation for the handling of classified material at any caveat. Where engagements involve classified material, the material is handled inside the client’s accredited facilities under the client’s authority.

Accreditations.

The firm does not currently hold ISO/IEC 27001 certification or an Information Security Registered Assessors Programme (IRAP) assessment. The firm’s working practices are aligned to the principles of those frameworks. A formal accreditation pathway will be considered if and when commercial demand makes it the right step.