Trust Center
Security built in, not bolted on.
We store sensitive security assessment data. We take that seriously. This page explains how we protect your data and what our compliance posture looks like.
Security practices
How we protect your data.
Your organisation's risk assessments, control scores, and evidence are among the most sensitive data you hold. We treat them accordingly.
Encryption everywhere
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed through a secure key vault rather than stored alongside the data they protect. Your assessment data and evidence never travel or rest unprotected.
Access control and authentication
Role-based access control scopes what each user can see and do. We support SSO integration and enforce strong authentication. Administrative access to production systems uses just-in-time provisioning and is fully logged.
NZ data residency
All customer data is stored in Azure's New Zealand North region (Auckland, New Zealand), with redundant copies held within that region; no replica is held outside New Zealand. We do not transfer your data to other regions without your explicit agreement, so you retain full data sovereignty over your assessment data.
Logging and monitoring
All access to customer data is logged and monitored. We maintain audit trails for administrative actions, data access, and configuration changes. Anomaly detection runs continuously and security events are reviewed by the team.
Secure development
Security is part of our development process, not bolted on afterward. We scan all code for vulnerabilities using static analysis and dependency scanning. Every change goes through peer review. Secrets are never committed to source control.
Incident response
We maintain a documented incident response plan with clear escalation paths and communication commitments. In the event of a breach affecting your data, we will notify you within 72 hours of becoming aware of it, which meets our obligation under the NZ Privacy Act 2020 to notify as soon as practicable.
Compliance
Certifications and standards.
We're honest about where we are. Some certifications require scale and time to complete properly. Here's our current position.
NZ Privacy Act 2020
We handle personal information in accordance with the thirteen information privacy principles under the Privacy Act 2020. Our data handling practices, breach notification procedures, and individual rights processes reflect this obligation.
ISO 27001
Speculo is ISO 27001 certified. Request a copy of our certificate using the form below and we will email it to you within one business day.
NZISM alignment
Our internal information security management practices are informed by NZISM controls, consistent with our work helping customers assess their own NZISM posture. We practise what we advise.
Data handling
What we collect and what we do with it.
What we store
Control scores, assessment responses, evidence files, remediation plans, and user account information. We do not collect or infer data beyond what you explicitly provide through the platform.
Who can access it
Your data is only accessible to users in your organisation's Speculo account. Speculo staff can access it only with your authorisation, for support purposes, and all such access is logged.
Where it lives
Stored in Azure's New Zealand North region (Auckland, New Zealand), with redundant copies held within that region. Your data stays in New Zealand; we do not transfer it to other regions without your explicit agreement.
Deletion and portability
You can request export of your data at any time. On contract termination, we delete your data within 30 days and can provide written confirmation. No surprises.
Security documentation
Request our security documents.
We share our ISO 27001 certificate, information security policy, and data processing agreement with customers and prospective customers on request. Fill in the form and we'll get back to you within one business day.
- ISO 27001 certificate
- Information Security Policy
- Data Processing Agreement