Security is the work.
We are a security company, and we hold ourselves to the standards we advise our clients to meet. This page summarises how we protect our work and our products.
Frameworks we align to
ISO/IEC 27001
Our information security management system is structured around the Annex A control set.
ACSC Essential Eight
Our technical baseline — MFA, patching, application control, and backups.
Privacy Act 1988 / APPs
We apply the Australian Privacy Principles in full, along with the Notifiable Data Breaches scheme.
We align to these frameworks as our control baseline. We do not currently claim third-party certification; our full policy set is available to clients under NDA.
Data residency
SecArch is hosted in Australia (Microsoft Azure, Sydney), encrypted at rest and in transit.
My Values is hosted on Supabase. Where personal information is processed outside Australia, this is disclosed in our Privacy Policy and handled consistently with the Australian Privacy Principles.
Breach notification
If a security incident affects a client's data or environment, we notify the affected client within 24 hours of becoming aware. Where personal information is involved, we follow the Notifiable Data Breaches scheme, including assessment and notification to affected individuals and the OAIC where required.
Reporting a vulnerability
We welcome reports of security issues in our website or products. Please email hello@pursec.com.au with enough detail to reproduce the issue. We will acknowledge your report, keep you informed, and address confirmed issues according to their severity.
Please act in good faith: do not access or modify data that is not yours, avoid privacy violations and service disruption, and give us reasonable time to respond before any public disclosure. We will not pursue good-faith researchers who follow these principles.
Machine-readable contact: /.well-known/security.txt