Trust where certainty matters most.

Trust is built through transparency. This space brings together the standards, practices and safeguards that underpin how Vokke operates. From certifications and infrastructure controls to governance frameworks and responsible AI practices, the Trust Center exists to provide clear evidence of how Vokke protects data, ensures reliability and supports regulated organisations with confidence.

All Controls

40 controls

A complete view of the security, compliance and operational controls Vokke maintains across its organisational and secure development environments.

Organisational Security

2 controls
Employee background checks performed
All employees undergo identity verification and criminal history checks prior to onboarding.
Pass
Security awareness training implemented
Mandatory annual security awareness training covering phishing, data handling and incident reporting.
Pass

Internal Security Procedures

2 controls
Continuity and disaster recovery plans tested
Business continuity and disaster recovery plans are tested at least annually through tabletop exercises.
Pass
Incident response plan tested
Incident response procedures are rehearsed quarterly with defined escalation paths and communication templates.
Pass

Risk Management

3 controls
ISO 31000 risk management framework applied
Vokke applies a risk management framework aligned to ISO 31000, covering risk identification, assessment, treatment and ongoing monitoring across all business operations.
Pass
Risk register maintained and reviewed
A formal risk register is maintained and reviewed regularly by management to track identified risks, treatment plans and residual risk levels.
Pass
Geographically distributed administration maintained
Infrastructure administration capability is distributed across multiple geographic locations to ensure continuity of operations during regional disruptions or pandemic events.
Pass

AI Security & Compliance

1 control
AI usage governed by internal policies
AI usage across the organisation is governed by internal policies covering sovereignty, training data usage, bias and data protection.
Pass

Access Control

3 controls
Least privilege access enforced
Access to systems and data is granted on a least privilege basis, limited to what is required for each role.
Pass
Access revoked upon termination
Access to all systems and data is revoked promptly when an employee leaves the organisation or changes role.
Pass
Access rights reviewed periodically
User access rights are reviewed on a regular basis to ensure they remain appropriate and aligned to current responsibilities.
Pass

Credential & Key Management

2 controls
FIPS-compliant password vault maintained
All credentials and secrets are stored in a FIPS-compliant enterprise password management system with role-based access control and audit logging.
Pass
Cryptographic key management policy enforced
A formal cryptographic key management policy governs the generation, storage, rotation and destruction of cryptographic keys across the organisation.
Pass

Supplier Management

2 controls
Supplier security assessments conducted
Third-party suppliers are assessed for security posture and compliance status before onboarding and on an ongoing basis.
Pass
Contractual security obligations defined
Security and confidentiality obligations are defined in all supplier agreements, covering data handling, incident notification and compliance requirements.
Pass

Asset Management

2 controls
Information asset register maintained
A register of information assets is maintained with assigned ownership and classification to support effective protection and governance.
Pass
Acceptable use policies enforced
Acceptable use policies are in place governing the use of information assets, systems and networks across the organisation.
Pass

Change Management

1 control
Formal change management process applied
All changes to systems and infrastructure follow a formal change management process covering assessment, approval, implementation and review.
Pass

Information Classification

2 controls
Data classification scheme implemented
A data classification scheme is in place to categorise information based on sensitivity and value to the organisation.
Pass
Handling procedures defined per classification
Information handling, storage and transmission procedures are defined and enforced according to classification level.
Pass

Policy & Governance

2 controls
Security policies reviewed annually
Information security policies are reviewed at least annually to ensure they remain current and effective.
Pass
Management commitment and sign-off obtained
Senior management formally review and sign off on the information security program to demonstrate commitment and accountability.
Pass

Secure Development

2 controls
Secure development lifecycle followed
Software development follows a secure SDLC incorporating threat modelling, secure coding practices and release management.
Pass
Code review practices established
Code changes undergo peer review as part of the development process to identify defects and security issues and to maintain quality standards.
Pass

Secure Development Facility

A dedicated, physically isolated business unit purpose-built for sensitive and classified software development engagements.

Facility Security

4 controls
PSPF-aligned physical security zones
Physical security zones are configured in alignment with the Protective Security Policy Framework (PSPF) with layered access controls and monitoring.
Pass
Biometric or card-controlled access
Entry to secure zones requires biometric or proximity card verification with full audit logging.
Pass
24/7 CCTV and intrusion detection
Continuous CCTV coverage and intrusion detection across all facility perimeters and internal zones.
Pass
Visual shielding of work areas maintained
Work areas are shielded from external line of sight to prevent visual surveillance or shoulder surfing of sensitive material.
Pass

Personnel Clearances

3 controls
Security cleared development staff
Development staff hold active security clearances managed through AGSVA, matched to engagement requirements.
Pass
AGSVA-managed vetting process
All personnel clearances are processed and maintained through the Australian Government Security Vetting Agency.
Pass
AS 4811 workforce screening performed
All personnel undergo workforce screening compliant with the AS 4811 standard prior to being granted access to the secure development environment.
Pass

Infrastructure Facilities

4 controls
24/7 CCTV surveillance maintained
Infrastructure facilities are monitored around the clock by CCTV with continuous recording across all access points and perimeters.
Pass
Biometric access controls enforced
Access to infrastructure facilities requires biometric verification in addition to proximity card authentication.
Pass
Mantrap entry systems installed
Physical entry to secure infrastructure areas is controlled through mantrap systems that prevent tailgating and unauthorised access.
Pass
Dual-person access requirement enforced
Access to the secure infrastructure cage requires two authorised personnel to be present simultaneously before entry is granted.
Pass

Technical Security Controls

5 controls
Phishing-resistant MFA enforced
All users authenticate using hardware-backed, phishing-resistant multi-factor authentication before accessing any system or service.
Pass
Rapid remediation of critical vulnerabilities
Vulnerabilities assessed as critical or with known exploits are prioritised for immediate remediation upon release.
Pass
Zero Trust access model implemented
All internal services require identity verification and device posture checks before a connection is established.
Pass
Dedicated and isolated networks maintained
Dedicated and isolated networks are maintained for handling sensitive data, separated from corporate and public networks.
Pass
Approved cipher suites, PRNG algorithms and protocols
All cryptographic operations use cipher suites, random number algorithms and key lengths approved under the Protective Security Policy Framework.
Pass