Defensive Intelligence

Trust Centre

Compliance, data residency, and audit evidence.

Hard evidence for procurement teams, security assessors, and IRAP auditors. We document what we've achieved, what's in progress, and what's planned — without inflating our posture.

Status key:

Aligned
Available — NDA
Planned
N/A

Compliance matrix

Frameworks, certifications, and assessment status.

“Aligned” means the framework's controls and taxonomy are implemented in the product. It is not a third-party certification. Where a certification exists or is in progress, we say so explicitly.

PSPF (Protective Security Policy Framework)

Australian Government classification

Classification schema maps directly to UNOFFICIAL → OFFICIAL → OFFICIAL:SENSITIVE → PROTECTED → SECRET → TOP SECRET. No deviation from the PSPF taxonomy.

Aligned

ISM (Information Security Manual)

Australian Government security controls

ISM control mapping available for ASD Essential Eight and ISM Chapter 3. Provided to accreditation teams upon request.

Aligned

DTA Secure Cloud Strategy

Australian Government cloud procurement

AU-region deployment by default for Australian clients. Data residency within Australian jurisdiction for database and audit trail.

Aligned

IRAP Assessment

ASD-authorised security assessment

Assessment documentation is available under NDA for agency accreditation purposes. Contact us to initiate a scoping conversation.

Available — NDA

NIST SP 800-53 / FISMA

US Federal security controls

Classification schema cross-mapped to NIST SP 800-53 controls. Not a formal certification — alignment documentation available.

Aligned

NATO Security Classifications

NATO information handling

OBEL™ classification levels map to NATO markings (UNCLASSIFIED → NATO RESTRICTED → NATO CONFIDENTIAL → NATO SECRET). Not a NATO-accredited product.

Aligned

Australian Privacy Act 1988 (APPs)

Australian privacy law

Privacy Policy, DPA, and Incident Response Plan in place. NDB scheme obligations documented. See Privacy Policy for full APP compliance detail.

Aligned

SOC 2 Type II

Security, availability, confidentiality

Formal audit engagement scoped for Q4 2026. The security controls, access policies, and monitoring infrastructure required for SOC 2 Type II are in place now — the audit formalises what is already operational. Organisations requiring the report ahead of that date can request our current security controls summary under NDA.

Planned

ISO 27001

Information security management

Planned for 2027 following SOC 2 Type II completion. ISMS policies and controls are being developed in parallel.

Planned

PCI DSS

Payment card data

OBEL™ does not process, store, or transmit payment card data. All payment processing is handled exclusively by Stripe, Inc., a PCI DSS Level 1 certified service provider.

N/A

Data residency

Where each type of data lives.

This table covers the default configuration for Australian commercial customers. Gov Highside deployments are fully within the customer's classified network boundary — no data leaves their perimeter.

Each entry lists: data type, jurisdiction, provider & region, and notes.

Primary database (metadata, audit logs, user records)
Jurisdiction: Australia
Provider & region: Managed relational database, Australia East (Sydney, AU)
Notes: Row-level security enforced. Administrative credentials never accessible to client code.

Application layer (API routes, ARGUS-i, PII scrubber)
Jurisdiction: Australia (configurable)
Provider & region: Serverless application infrastructure, Australia East (Sydney, AU) for AU customers
Notes: ARGUS-i™ and PII scrubber execute server-side in this layer. Raw prompts never leave this boundary.

Audit vault (conversation transcripts)
Jurisdiction: Customer-controlled
Provider & region: Tamper-evident audit repository (OBEL-managed or customer-controlled), in the customer's chosen data residency
Notes: OBEL-managed vault uses an append-only repository in a default region. Custom vault option allows customers to use their own repository in any region.

Authentication & identity (email, name, session tokens)
Jurisdiction: United States
Provider & region: Managed identity & authentication service, United States
Notes: User PII (email, name) is stored with the identity provider. Sub-processor details in the DPA.

Payment data (billing, invoices)
Jurisdiction: United States
Provider & region: PCI DSS Level 1 payment infrastructure, United States
Notes: Payment data never enters OBEL infrastructure. OBEL stores only opaque customer billing identifiers, not card data.

Full sub-processor details — including data categories transferred and legal basis — are documented in the Data Processing Agreement.

Available on request

Documentation we provide to procurement and security teams.

Architecture & Data Flow Diagrams

Technical diagrams distinguishing Control Plane (UI, auth, billing) from Data Plane (ARGUS-i™, scrubber, model routing). Provided under NDA for security assessors.

IRAP Assessment Documentation

IRAP-style documentation covering architecture, data flows, security controls, and threat model. Available under NDA for agency accreditation processes.

ISM Control Mapping

Mapping of OBEL™ security controls against ASD Essential Eight and ISM Chapter 3. Provided to government customers and IRAP assessors.

Penetration Test Reports

External penetration test results available under NDA. Test scope covers the API surface, authentication, multi-tenancy isolation, and vault encryption.

Incident Response Plan

Full Incident Response Plan with NDB notification timelines and escalation procedures. Public summary available at /legal/incident-response.

Vendor Security Assessment (VSA)

Pre-completed VSA and RFP security questionnaire available for enterprise procurement teams — reduces assessment lead time significantly.

Need more?

Request assessment documentation.

Architecture diagrams, IRAP documentation, control mappings, and VSA templates are available to qualified procurement teams under NDA. We aim to respond within two business days.

For government accreditation processes, we work directly with your IRAP assessor.

Request documentation: security@ninthlabs.ai

All enquiries handled under NDA. We do not share assessment documentation with competitors.