Trust and security at EnviroAutomate

EnviroAutomate is built for environmental consultancies that handle sensitive site, client, and regulatory data. Your data is hosted in Australia, encrypted in transit and at rest, isolated to your tenant, and operated under a documented information security programme designed to meet ISO 27001 standards.

This page is the entry point. Use the links below to go deeper, request the documents your procurement team needs, or contact us directly.

Security at a glance

  • Hosting: all client data is hosted in Australia, in AWS Asia Pacific (Sydney), region ap-southeast-2

  • Encryption: traffic is encrypted in transit with TLS 1.2 or higher (HTTP redirects to HTTPS), and data at rest is encrypted with AES-256 across databases, file storage, queues, and backups; keys are managed by AWS KMS

  • Access: multi-factor authentication is mandatory for every platform user; SAML 2.0 SSO is available, including Microsoft Entra ID

  • Tenant isolation: every database query is automatically scoped to the requesting tenant at the application layer, and validated by dedicated automated tests in a suite of over 9,000 that must pass before any deployment

  • Threat detection: continuous threat detection runs across our AWS accounts, with a managed web application firewall in front of the platform

  • Backups and recovery: daily database snapshots and continuous transaction-log backups every 5 minutes, with 35-day retention and point-in-time recovery; target RPO is 5 minutes; target RTO is 60 minutes

  • Availability: we target 99.5% uptime, publish the target, and operate to it. We do not offer service credits today; formal SLA commitments are available on request as part of enterprise engagements

  • Compliance: our controls are designed to ISO 27001 standards; we are aligned, not yet certified (see Compliance posture below)

Go deeper

  • AI safety and risk: how EA utilises AI, data residency, tenant scoping, the "no model training on customer data" guarantee, and the shared-responsibility model

  • AI Assistant safety summary: a two-page summary of EA's human-in-the-loop, approval-gated AI posture (useful for internal AI committees)

  • Technology posture: the tech stack categories, high availability and disaster recovery, backup posture, SLA target, testing posture, and hosting region

  • Subprocessors: the current subprocessor list, what data each handles, region, and how we notify clients of changes

  • Privacy Policy: the statutory privacy commitment under the Australian Privacy Act 1988

Data Processing Agreement

EnviroAutomate is finalising its standard Data Processing Agreement with external counsel. The current target for publication is end of June 2026.

Until then, prospects and clients who need a DPA for their procurement process can request the current draft by emailing security@enviroautomate.com. We will also accept and review client-issued DPAs through the same channel.

Documents available on request

The following documents are available on request to evaluators, procurement teams, and security reviewers:

  • The AI Risk Assessment is the full assessment including residual risk register and shared-responsibility decomposition.

  • The Technology FAQ is the detailed technology document covering specific services, configurations, and operational practices.

Compliance posture

EnviroAutomate's controls are designed to ISO 27001 standards. We rely on AWS's underlying ISO 27001, SOC 2, and PCI DSS certifications for the infrastructure layer. Formal EA certification is a roadmap item, not a current claim.

We comply with the Australian Privacy Act 1988, including the Notifiable Data Breaches scheme. GDPR, UK GDPR, CCPA, and HIPAA are not currently in scope.

External penetration testing is ongoing as part of our 12-month assurance cycle. Reports are available under NDA via the document request process above.

Security contact

Report a security concern, vulnerability, or policy question to security@enviroautomate.com. We acknowledge reports within 5 business days. We do not currently operate a paid bug bounty, and we commit to not pursuing legal action against good-faith researchers acting within this policy.

For privacy matters, contact privacy@enviroautomate.com.
