Legal
Last updated: 1 May 2026
Data sovereignty
All data is stored in AWS ap-southeast-2 (Sydney). No cross-border replication. Aligned with PSPF and ISM requirements.
Encryption
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Keys are managed via AWS KMS with annual rotation.
Access control
Access is governed by role-based access control with least-privilege enforcement. MFA is required for all admin accounts and strongly recommended for all users.
Audit logging
All access events, authentication attempts, and data modifications are logged and retained for 12 months for audit purposes.
SovereignMesh is aligned to the Australian Government Information Security Manual (ISM) controls applicable to OFFICIAL: Sensitive data, the ASD Essential Eight (Maturity Level 2), and ISO/IEC 27001. We undergo annual independent security assessments.
We maintain a responsible disclosure programme. If you discover a potential security vulnerability, please email security@sovereignmesh.com.au with a description of the issue and steps to reproduce. We commit to acknowledging reports within 48 hours and providing a remediation timeline within 7 business days. We do not pursue legal action against good-faith researchers.
Annual penetration tests are conducted by CREST-accredited firms. Findings rated Critical or High are remediated within 30 days. Test scope includes web application, API, and infrastructure layers.
We maintain a documented Incident Response Plan aligned to ACSC guidance. In the event of a notifiable data breach under the Privacy Act 1988, affected users will be notified within 30 days of the breach being identified, and the OAIC will be notified where required.
Third-party service providers with access to platform data are assessed against our Supplier Security Standard before onboarding and reviewed annually. All providers are contractually bound to equivalent security obligations and are prohibited from offshore data transfers.