Trust is built through transparency. This space brings together the standards, practices and safeguards that underpin how Vokke operates. From certifications and infrastructure controls to governance frameworks and responsible AI practices, the Trust Center exists to provide clear evidence of how Vokke protects data, ensures reliability and supports regulated organisations with confidence.
Frequently Asked Questions
Answers to common questions about how Vokke manages security, compliance, data protection and our secure development capabilities.
General
What is the Vokke Trust Center?
The Vokke Trust Center is a centralised resource providing transparent access to our security posture, compliance certifications, infrastructure controls, governance frameworks and responsible AI practices. It exists to give customers, partners and regulators clear evidence of how Vokke protects data and ensures service reliability.
Who is the Trust Center intended for?
The Trust Center is designed for current and prospective customers, partners, auditors and anyone who needs to evaluate Vokke's security and compliance posture. It provides the documentation and transparency typically requested during procurement, due diligence and ongoing vendor assessments.
How often is the Trust Center updated?
The Trust Center is updated whenever there is a material change to our security posture, a new certification is achieved, a policy is revised or a significant infrastructure change is made. News items are published to communicate these updates as they occur.
Data & Privacy
Where is customer data stored?
Data storage location depends on your engagement with Vokke. For Australian customers, we offer sovereign data storage within Australia. Backups are encrypted and replicated within the same region. No customer data is transferred outside of the agreed hosting location unless explicitly agreed in writing.
How is data encrypted?
Vokke applies encryption to data at rest and in transit across all customer-facing environments. The specific encryption standards and key management approach are determined by engagement requirements, including any regulatory or defence mandates that apply. As a baseline, we use AES-256 encryption at rest and TLS 1.2 or higher for external communications. Where engagements require compliance with specific frameworks such as the ISM or PSPF, encryption controls are configured accordingly.
Does Vokke process personal information under the Privacy Act?
Yes. Vokke complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988. For software we produce on behalf of customers, we can conduct Privacy Impact Assessments (PIAs) alongside you to ensure the product meets your privacy obligations. Our privacy policy is publicly available and reviewed annually.
Compliance
What certifications does Vokke hold?
Vokke holds ISO/IEC 27001:2022 certification for information security management and ISO 9001:2015 for quality management, both independently verified by Compass Assurance Services every year. Our secure development facility is AS 4811:2022 compliant and aligned to Essential Eight Maturity Level 2.
What is the Essential Eight and how does Vokke align?
The Essential Eight is a set of baseline mitigation strategies recommended by the Australian Signals Directorate (ASD) to protect against cyber threats. Vokke has implemented controls aligned to Essential Eight Maturity Level 2 within our secure development environment, covering application control, patching, MFA, backups and more.
How can I access compliance documentation?
Certificates, audit reports and policy documents are available through the Resources section of the Trust Center. Some documents are publicly accessible while others may require an access request. Contact our team if you need specific documentation for procurement or audit purposes.
AI Governance
How does Vokke govern AI usage?
Vokke has published a Responsible AI Policy covering model selection, data handling, human oversight and bias management. All AI-assisted features undergo a risk and impact assessment before deployment. We maintain transparency about where and how AI is used in our products.
Is customer data used to train AI models?
No. Customer data is never used to train, fine-tune or improve AI models. Our AI data handling practices are documented in the Responsible AI Policy.
What AI models does Vokke use?
Vokke uses commercially available large language models from established providers. Model selection is governed by our AI policy, which evaluates security, data handling, compliance and fitness for purpose. We do not build our own foundation models; however, we do host open-source models for specific engagements where required.
Secure Facility
What is the Secure Development Facility?
The Secure Development Facility is a dedicated, physically isolated business unit purpose-built for sensitive and classified software development engagements. It operates under AS 4811:2022 with physical security zones, cleared personnel and physically isolated networks.
What clearance levels do Vokke staff hold?
Development staff within the secure facility hold active security clearances managed through the Australian Government Security Vetting Agency (AGSVA). Clearance levels are matched to engagement requirements.
Can the facility handle classified workloads?
Yes. The facility operates with physical, personnel and ICT controls aligned to the Australian Government's Protective Security Policy Framework (PSPF). Specific classification handling is agreed on a per-engagement basis.
Project Engagement
What standards can Vokke help us achieve?
Vokke has experience helping organisations achieve and maintain compliance with standards including ISO 27001, ISO 9001, Essential Eight, the ISM, PSPF and the Privacy Act. We also assist with the implementation of application security standards such as the OWASP Top 10 and the OWASP Application Security Verification Standard (ASVS). We can tailor our approach to align with your specific regulatory and industry requirements.
Do you support penetration testing during engagements?
Yes. Vokke supports penetration testing as part of our delivery process. Where Vokke is performing the development, we have partners who can assist to ensure testing independence. Testing scope and timing are agreed during engagement planning.
Can Vokke work within our existing security framework?
Yes. We regularly integrate with customer security frameworks, policies and tooling. Whether you operate under the ISM, PSPF, NIST or your own internal standards, we adapt our delivery practices to meet your requirements.
How do you handle intellectual property ownership?
Intellectual property arrangements are agreed as part of each engagement. Ownership, licensing and usage rights are defined in the engagement contract to ensure both parties have clarity from the outset. Vokke works with customers to structure IP terms that align with the nature and funding model of the engagement.
What development methodologies do you follow?
Vokke follows agile development practices with a secure development lifecycle (SDLC) that includes threat modelling, code review, dependency scanning and release management. Methodology is tailored to each engagement based on customer needs and project requirements.
Can Vokke produce and maintain a software bill of materials (SBOM)?
Yes. Vokke can generate and maintain software bills of materials (SBOMs) for products we deliver, produced in the CycloneDX standard. SBOMs can be integrated into the delivery lifecycle and provided to customers as part of ongoing release documentation.
Incident Response
How does Vokke handle security incidents?
Vokke maintains a formal incident response plan covering identification, containment, eradication, recovery and post-incident review. The plan is rehearsed regularly with defined escalation paths and communication templates.
What are your notification timeframes?
Vokke notifies affected customers of confirmed security incidents as soon as practicable. Specific notification timeframes and communication channels are agreed as part of each engagement and documented in the relevant service agreement.
Do you conduct post-incident reviews?
Yes. Every confirmed security incident undergoes a post-incident review to identify root cause, assess impact and implement corrective actions. Findings and remediation steps are documented and shared with affected customers where applicable.
Vendor & Supply Chain
How does Vokke review its suppliers?
Vokke conducts regular reviews of its suppliers to assess their security posture, compliance status and ongoing suitability. Supplier assessments consider factors including data handling practices, business continuity and alignment with our information security requirements. Vokke's supplier reviews are themselves reviewed by Compass Assurance Services, an independent auditing body, as part of our ISO 9001 compliance program.
How do you manage subcontractors on engagements?
Any subcontractors engaged by Vokke are subject to the same security, confidentiality and compliance obligations as our own staff. Subcontractor use is disclosed to customers and approved prior to engagement. Where required, subcontractors hold appropriate security clearances.
Does Vokke have secure supply chain policies for software development?
Yes. Vokke maintains secure supply chain policies that govern how third-party libraries, tools and services are evaluated, approved and monitored throughout the development lifecycle. For secure development engagements, additional controls are applied to ensure the integrity and provenance of all components used.
Still have questions?
Our team is happy to walk you through our security posture, share documentation or schedule a call with our compliance team.