Trust

Security and Trust

Effective date: 1 January 2026Last updated: 1 January 2026

This page is a plain-language overview of how Setara protects Customer data. We avoid sensitive technical detail in public material. Customers and prospective Customers can request our security pack under NDA.

Section 01

Encryption

  • Data in transit is protected with TLS 1.2 or higher between client, platform and integrated services.
  • Data at rest is encrypted using AES-256 (or platform-equivalent strength) on managed storage.
  • Encryption keys are managed by our cloud provider's key management service with restricted operator access.
Section 02

Access controls and tenant isolation

  • Customer data is logically isolated per tenant and access is enforced at the application layer.
  • Role-based access controls govern what authorised users can see within a Customer account.
  • Production access by our staff is restricted to a small group, requires multi-factor authentication, and is granted on a least-privilege basis.
Section 03

Audit logging

We log authentication events, administrative actions, ingestion events and access to Customer data by our staff. Logs are retained for security monitoring and incident response, in line with our Data Retention page.

Section 04

Staff training and vetting

  • All staff complete security and privacy training on induction and annually.
  • Personnel with access to Customer data are subject to background checks consistent with the role.
  • Confidentiality obligations are included in every employment and contractor agreement.
Section 05

Vendor security management

We assess sub-processors and critical vendors before engagement and review them on a regular cycle. Contracts include privacy, security and breach notification obligations.

Section 06

ASD Essential Eight and certification roadmap

We align our security program with the Australian Signals Directorate Essential Eight controls (application control, patching, MFA, restrict administrative privileges, application hardening, configuration of macros, user application hardening and regular backups).

Independent certification of ISO/IEC 27001 and SOC 2 (Type II) is on our roadmap and in progress. Current target maturity and timing can be requested under NDA.

Section 07

Breach response and notification

We maintain a documented incident response plan that covers detection, triage, containment, eradication, recovery and post-incident review. Eligible data breaches are handled in line with the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988 (Cth)), including notification to the OAIC and affected individuals where required.

Section 08

Security contact

To report a vulnerability or security concern, contact security@setara.com.au. Please do not include exploit details in unencrypted email.