Security at Cybereen
Built by people whose day job, for decades, has been holding other people's organisations to the standards we now ship.
Cybereen sits in the middle of customers' compliance workflows. The standard we set for ourselves is the standard we'd want from any vendor in that position.
Who built it
The platform was designed and built by security architects and developers with decades of combined experience across cybersecurity advisory, GRC programs, and the unglamorous work of getting organisations through audit. Before Cybereen, the team ran the same kind of programs you're running — Essential Eight uplifts, ISO 27001 implementations, APRA CPS 234/230 readiness, NIST CSF mappings — for boards across Australia and the UK.
The product reflects that. We made the decisions we wished our previous tools had made for us.
Where it runs
All customer data is stored in Microsoft Azure data centres in Australia (Australia East). The application services, databases, identity stores, and backups all stay in-region. UK data residency is available on request for UK-based customers.
The marketing site is served from Azure Static Web Apps behind Cloudflare. Customer-facing platform endpoints are isolated from the marketing infrastructure — different subscription, different access boundary, different blast radius.
How it's certified
Cybereen is ISO 27001 certified. The current certificate, statement of applicability, and most recent surveillance audit report are available on request — usually within the hour, sent under a one-page mutual NDA.
We also actively maintain ISO 42001 (AI Management Systems). Self-assessed at ML2 today, with an audit roadmap in place. Where the platform uses AI — for suggestions, mappings, summaries — it's documented under the same management system controls we sell to customers.
How we operate
- Encryption. Data in transit is TLS 1.2+ only. Data at rest is encrypted with Azure-managed keys (AES-256), with customer-managed keys available on enterprise plans.
- Access. Production access is role-restricted, MFA-required, and audit-logged. No persistent direct database access — engineers work through reviewed, time-boxed change tickets.
- Vendor management. Subprocessor list is maintained and reviewed. Available on request alongside the ISO 27001 documentation.
- Backups. Daily, geo-redundant within Australia. Restoration tested quarterly.
- Vulnerability management. Dependency scanning runs on every commit. Critical findings are remediated to internal SLAs that match the standards we publish for customers.
- Incident response. Documented playbook, named on-call, named comms owner. Affected customers are notified per contract and the Notifiable Data Breach scheme.
Reporting a security issue
If you've found a vulnerability or suspected security issue, please email security@cybereen.com. We acknowledge within one business day, triage within 72 hours, and credit reporters who follow coordinated disclosure.
Held to the same bar.
We run the platform on the same management system we sell. Certificates available on request.
ISO 27001
Information Security Management System. Current certificate available on request.
ISO 42001
AI Management System. Self-assessed at ML2, audit roadmap in place.
Australia East
Customer data stays in Australia. UK residency available on request.
Coordinated
security@cybereen.com — acknowledged within one business day, triaged within 72 hours.
Need a document we haven't listed?
Email security@cybereen.com and tell us what your review needs. We've answered most enterprise security questionnaires by now.