Service · Data & Privacy Advisory · Independent

Data & privacy advisory. Independent.

The OAIC's Notifiable Data Breaches reports consistently show that compromised credentials and misconfigured access controls cause most Australian breaches. We sit with your platform developer, ask the questions you do not have time to ask, and write down what we find. A clear picture, a risk-rated list, and a plan you can hand to your MSP.

  • 1 platform: scoped per engagement
  • Independent: not your MSP, not the developer
  • Plain language for leadership
  • <4 weeks: typical engagement
01 · The gap

You grew into your stack. Now no one knows how it works.

A custom CRM was built years ago. The MSP runs the network and devices but is not across the application layer. The developer of the bespoke platform is the only one who really knows how it works. You are between them.

You do not need a 200-page audit. You need someone independent to ask the right questions, write down the answers, and tell you what to do next in plain language. We sit with the developer or platform owner, work through hosting, encryption, access, backups, supply chain and incident response, and produce a report you can act on.

Questions you can't answer right now

  • Where is the data hosted? Country, region, provider. And who else can reach it.
  • Who has admin access? Including the developer, sub-processors and any old accounts.
  • When was the last restore tested? A backup that hasn't been restored is a hope, not a backup.
  • What happens in a breach? Notification commitments, escalation paths, who calls whom.

02 · Scope

The four areas we cover.

01 · Platform review

Hosting, location and data sovereignty. Encryption in storage and in transit. Login, MFA, password policy and SSO. Redundancy and high availability. Backup, recovery and resilience including restore testing. Logging and audit trails. Certifications (SOC 2 Type 2, ISO 27001, IRAP) and when last reviewed. Supply chain and third parties.

02 · Data lifecycle and retention

The categories of personal and sensitive data being held. How long each type is kept and whether that is configurable. How data is destroyed or archived. Whether copies sit outside the main environment.

03 · Access and permissions

Current roles and permissions model. How access is set up, changed and removed when staff start, change roles or leave. How admin and privileged accounts are handled, including any developer or third-party access. How often access is reviewed.

04 · Incident response readiness

What should happen if there is a data breach. Gaps between current practice and good practice. Escalation paths between you, the platform developer and any sub-processors. Whether the developer has notification commitments in writing.

03 · Method

How the engagement runs.

01 · kick-off

Confirm scope and platform

Short call with the project sponsor to confirm the platform in scope, priorities, stakeholders and timing.

02 · discovery

Working sessions with the developer

Working sessions with the platform developer or owner. We review documents, policies, sub-processor lists and certification reports where available.

03 · draft

Draft advisory report

Findings, risks rated low, medium or high, and practical recommendations with the right owner indicated. Issued for your review.

04 · walkthrough

Final report and plan

Walkthrough session with the leadership team. Final report incorporating any clarifications. Ready to hand to your MSP or another delivery partner.

We work with one nominated platform per engagement, typically a bespoke CRM or line-of-business system. If you have multiple platforms in scope, we will discuss sequencing on the scoping call.

04 · Deliverables

What you walk away with.

Written advisory report

What we found across each area. Risks rated low, medium or high. Practical recommendations based on good practice. Plain language for leadership.

  • Findings by area
  • Risk-rated issues
  • Recommendations
  • Suggested owners

Supply chain map

A documented view of the supply chain behind your core platform: hosting, databases, backups, monitoring, email, SMS, analytics and AI components.

  • Sub-processor list
  • Where each sits
  • Assessment status
  • Concentration risk

Leadership walkthrough

A session to step through the report, answer questions and agree priorities. Ready to hand to your MSP, internal team or a third party.

  • Leadership walkthrough
  • Stakeholder Q&A
  • Priority agreement
  • Action-ready output

▸ Fixed-price quote agreed before any work starts.

05 · Boundaries

What this engagement is not.

Not in scope
A formal compliance audit

We do not certify against ISO 27001, SOC 2 or IRAP. We point at where you sit.

Not in scope
A penetration test

We do not run vulnerability scans. We tell you whether one is the right next step.

Not in scope
An implementation project

We make findings and recommendations. Action sits with your MSP, internal team or a third party.

Not in scope
Legal advice

We are not lawyers. We will tell you when a privacy lawyer is the right call.

Not in scope
Vendor management

We do not negotiate contracts on your behalf. We give you the questions to ask.

06 · Triggers

When to call us in.

Funder question
Asking about data handling

A board or funder is asking questions about data handling that the executive cannot confidently answer.

Privacy reform
New obligations on the horizon

A new privacy obligation is coming, for example the WA Privacy and Responsible Information Sharing (PRIS) reforms.

Tender requirement
Evidence required

A grant, tender or contract requires written evidence of data handling practices for a bespoke or third-party platform.

Stale platform
No one has looked at it in years

A bespoke platform has been in place for years and no one has recently looked at how it is built or run.

MSP scope gap
Application layer is unowned

The MSP is doing good work at the infrastructure layer but no one is reviewing the application or data layer.

Sensitive sector
Personal and sensitive data

Disability, aged care, allied health, education, NFP. Sectors where personal and sensitive data is part of day-to-day operations.

08 · FAQ

Frequently asked questions.

No. We are not your MSP and we do not want to be. The MSP runs the network, devices and infrastructure. We sit at the application and data layer, often the bit no one is reviewing right now. The report is written so your MSP can pick up the actions that are theirs to do.

No. We are not building a replacement and we are not pitching you a different platform. We are independent. Most developers we work with appreciate the engagement once they understand the framing: we are there to make their platform stronger, not to attack it.

Yes. The discovery sessions are with the platform developer or owner. We come prepared with the right questions and we know what good answers look like. You do not need to be in every session, though many sponsors choose to be.

That is common, especially for bespoke platforms built for a single client. The advisory does not require certification. We document where you sit against the relevant standards, what good practice looks like, and what would need to happen if a certification ever became a requirement.

Yes. We do a lot of work with not-for-profits, disability and aged care providers. Personal and sensitive data, board oversight, funder questions and sector-specific obligations make this engagement particularly relevant.

A penetration test looks at whether the platform can be technically broken into. This advisory looks at how the platform is built, run and supported, including the things a pen test does not cover: supply chain, retention, access reviews, breach response. The two are complementary. We will tell you whether a pen test is the right next step.

Need answers about a platform you can't fully see? Start with a 30 minute scoping call.

Book a 30 min Scoping Call →

▸ We will tell you whether this engagement is the right fit. No pitch deck.