Trust Center

We put your trust first. Here you’ll find how we protect your data, uphold privacy, and ensure compliance with global standards.

Certifications & Audits

ELMO is ISO/IEC 27001:2022 certified across all business areas, demonstrating our commitment to internationally recognised information security standards. We also align with SOC 2 Trust Service Criteria and the Australian Cyber Security Centre’s Essential Eight requirements, ensuring both global and local compliance expectations are met. Our certification program is supported by regular internal and external audits to validate our controls and drive continuous improvement. If you would like a copy of our certification, please scroll down the page or reach out to [email protected].

  • Annual external surveillance audits with independent assessors
  • Internal ISMS audits conducted quarterly across all domains
  • Certification coverage includes infrastructure, product, and corporate functions

Security Controls

We implement a layered, defense-in-depth security model to safeguard customer data. Our controls include strong access management with multi-factor authentication, network segmentation, vulnerability management, and regular penetration testing. Data is encrypted in transit and at rest, and our security monitoring systems provide continuous oversight to detect and respond to potential threats quickly.

  • Multi-factor authentication enforced across all privileged accounts
  • Annual penetration testing by independent, CREST-accredited vendors
  • Continuous vulnerability scanning and patch management program

Privacy

We are committed to protecting personal data in line with the Australian Privacy Principles (APPs), the Privacy Act 1988, and international frameworks such as the GDPR. Our practices ensure transparency in how personal information is collected, processed, and stored, with robust measures to support data subject rights, consent management, and secure data deletion. For more details, please visit our dedicated Privacy Page.

  • Data Protection Impact Assessments (DPIAs) conducted for new systems and projects
  • Data requests can be managed through your account settings
  • Regular privacy training for employees handling customer data

Compliance

ELMO adheres to relevant industry standards and regulations, including ISO, SOC 2, the Essential Eight, and privacy legislation across the jurisdictions in which we operate. Our compliance program is integrated into our governance framework, ensuring that security and privacy controls align with evolving regulatory expectations and customer requirements.

  • Ongoing compliance checks against leading ANZ and UK governance frameworks
  • Alignment with Australian Cyber Security Centre (ACSC) guidance
  • Third-party assurance reports available to customers under NDA

Incident Response

We maintain a documented and tested Incident Response Plan to ensure timely detection, investigation, and resolution of security events. Our process aligns with Australia’s Notifiable Data Breaches (NDB) Scheme, meaning we are prepared to notify customers and regulators in the unlikely event of a data breach. Regular simulations and tabletop exercises ensure our teams are ready to act swiftly and effectively.

  • 24/7 monitoring with defined escalation procedures
  • Incident response simulations conducted on a regular basis
  • NDB-aligned breach notification workflow

Reliability

Our systems are designed for high availability, with a 99.5% uptime commitment supported by redundancy, load balancing, and disaster recovery measures. We regularly test our business continuity and disaster recovery plans to minimise downtime, ensuring that our customers can rely on our platform to be available when they need it most.

  • Business Continuity and Disaster Recovery (BCP/DRP) testing conducted annually
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined and tested
  • Multi-region redundancy built into core infrastructure

Data Processing

Customer data is hosted in secure, accredited AWS data centers in Australia, with strict controls over access, storage, and handling. We apply principles of data minimisation, retention, and secure deletion, ensuring that data is only kept for as long as it is needed. Our subprocessor management framework ensures that third-party vendors meet the same high standards of data protection as we do.

  • Subprocessors undergo annual due diligence and contract reviews
  • Data retention schedules aligned with legal obligations
  • Encryption key management follows industry best practice standards

Contact Us

We welcome questions from customers, partners, and regulators about our security, privacy, and compliance practices. Our dedicated team is available to provide additional information or respond to due diligence requests.

  • Email us at [email protected] for certifications, policies, or audit reports
  • Reach our Data Protection Officer for data subject requests via our Privacy Page
  • For urgent security issues, contact our helpdesk or the account managers directly at [email protected]