Security & Trust

GDATA Trust Centre

ISO 27001-certified Australian data platform provider, designed to meet the security and compliance requirements of government and enterprise clients.

ISO 27001 Certified
100% Australian Data Residency
Penetration Tested
Enterprise Security Controls

Last updated: May 2026

Security Overview

Enterprise-Grade Security

Security is built into every layer of the GDATA platform, from infrastructure to application to process.

ISO 27001:2022 Certified

Certified by INTERCERT (Reg# IC-IS-2506554). Our ISMS is independently audited annually with zero non-conformities and zero opportunities for improvement at last audit.

Microsoft Azure — Australia East

All infrastructure is hosted exclusively on Microsoft Azure in the Australia East region. No offshore hosting or processing.

Encryption at Rest & in Transit

All data is encrypted using AES-256 at rest and TLS 1.2+ in transit. Encryption keys are managed through Azure Key Vault.

Multi-Factor Authentication

MFA is enforced for all user accounts and administrative access. No exceptions.

Audit Logging & Monitoring

All access and changes are logged and audited. Automated alerting covers anomalous activity and unauthorised access attempts.

Role-Based Access Control

Granular RBAC ensures staff only access the data and functions required for their role. Access reviews are conducted regularly.

Data Residency

100% Australian Data Residency

All customer data is stored, processed, and backed up exclusively within Australia. No data is transferred offshore — ever.

All data hosted in Azure Australia East (Sydney)
Backups stored within Australian jurisdiction
No offshore data processing or transfer
Compliant with Australian Privacy Act 1988
All internal GDATA systems operate within Australia

Data Sovereignty Guarantee

GDATA guarantees that no customer data — including backups, logs, and metadata — will leave Australian jurisdiction at any time.

Contractually guaranteed in our Data Processing Agreement

Controls

Security Controls Summary

A summary of the key security controls implemented across the GDATA platform.

Domain | Control | Status
Certification | ISO 27001 ISMS | Active
Access Control | MFA enforced for all users | Active
Access Control | Role-based access control (RBAC) | Active
Monitoring | Comprehensive audit logging | Active
Data Security | Encryption at rest (AES-256) & in transit (TLS 1.2+) | Active
Infrastructure | Hosted in Azure Australia East | Active
Backups | Daily automated backups with tested restores | Active
Security Testing | Independent penetration testing | Active
Incident Response | Documented IR plan with defined SLAs | Active
Business Continuity | BCP & disaster recovery plans tested annually | Active

Compliance

Compliance Frameworks

GDATA maintains alignment with industry-leading security and compliance frameworks relevant to Australian government organisations.

Certified

ISO/IEC 27001:2022

Certified by INTERCERT (Reg# IC-IS-2506554). Last audit: June 2025 — zero non-conformities, zero opportunities for improvement. 31 documented security policies maintained.

Aligned

Essential Eight Alignment

Our security controls are aligned with the Australian Cyber Security Centre's Essential Eight maturity model, covering application control, patching, MFA, and more.

Compliant

Australian Privacy Act 1988

All data handling practices comply with the Australian Privacy Principles (APPs). No data is transferred outside Australian jurisdiction.

Security Testing

Independent Penetration Testing

GDATA engages independent security providers to conduct regular penetration testing. Our most recent assessment was a black-box web application penetration test conducted by Scytale using OWASP WSTG and OSSTMM methodologies.

No critical or high-risk vulnerabilities identified
All findings remediated — 2 medium, 5 low, 3 informational resolved
Black-box testing covering OWASP Top 10 and infrastructure
Detailed reports available upon request under NDA

Testing Summary

Last Test: May 2025
Testing Provider: Scytale
Methodology: OWASP WSTG / OSSTMM (Black-box)
Critical Findings: None
High-Risk Findings: None
Remediation Status: All findings remediated

Incident Response

GDATA maintains a documented incident response plan with clearly defined procedures, responsibilities, and communication protocols.

1. Detection

Automated monitoring and alerting identifies potential security events in real time.

2. Assessment

Security team triages and classifies the event based on severity and potential impact.

3. Response

Containment, eradication, and recovery procedures are executed per our IR playbook.

4. Communication

Affected clients are notified within defined SLAs. Post-incident review is conducted.

For security concerns or to report a vulnerability, contact contact@gdata.com.au

Subprocessors

GDATA uses a minimal set of subprocessors, all operating within Australian jurisdiction.

Subprocessor | Purpose | Data Location
Microsoft Azure | Cloud infrastructure, compute, storage, and database services | Australia East (Sydney)
Microsoft Entra ID | Identity and access management, single sign-on, MFA | Australia
Azure Key Vault | Encryption key management and secrets storage | Australia East (Sydney)

Documentation

Security Documentation

Download our Trust Package for a comprehensive overview. Additional documentation is available upon request.

Available upon request

ISO 27001:2022 Certificate (INTERCERT)
Statement of Applicability (SOA)
Information Security Policy Suite (31 policies)
Risk Assessment & Treatment Framework
Internal Audit Report
Penetration Test Report (Scytale)
Disaster Recovery Plan & Drill Report
Data Processing Agreement

For additional security documentation or to request access, contact contact@gdata.com.au

GDATA PTY LTD — Trust Centre — 2026