
Prexiam Trust Center

Security, Sovereignty, and Compliance Evidence

Prexiam publishes this Trust Center so Melbourne businesses can complete vendor due diligence quickly. Everything here reflects our actual operating posture — not aspirational marketing.

ACSC Essential Eight (ML1–ML2)
ISO 27001 Aligned
AU Data Residency
Zero Trust Architecture
No Offshore Support Access

ACSC Essential Eight Alignment

Current maturity levels across all eight controls. Updated February 2026.

ML1 = Maturity Level 1 (partly aligned). ML2 = Maturity Level 2 (mostly aligned). Target: ML2 across all controls by Q4 2026.

ML1 Application Control

Allow-listing enforced on managed endpoints via Microsoft Intune and Defender for Endpoint policies.

ML2 Patch Applications

Automated patching within 48 hours for critical CVEs. Monthly cycles for standard patches. Exceptions tracked and risk-accepted.

ML1 Configure Office Macros

Macros disabled by default. Signed macros from trusted publishers only. User override blocked.

ML1 User Application Hardening

Browser hardening applied. Flash and Java disabled. Microsoft Defender Attack Surface Reduction rules enforced.

ML2 Restrict Admin Privileges

No standing human admin rights in production. Privileged actions are just-in-time and time-bound via Microsoft Entra PIM where licensed.

ML2 Patch Operating Systems

ASD-approved OS only. Critical OS patches deployed within 48 hours via automated pipeline. Legacy OS exceptions documented.

ML2 Multi-Factor Authentication

Phishing-resistant MFA (FIDO2 / Microsoft Authenticator) enforced for all privileged accounts and internet-facing services.

ML1 Regular Backups

Immutable backup retention using WORM-capable storage (Azure immutable vault / equivalent). Restoration tested. RTO target: 2 hours for Sovereign Enterprise tier.

Data Sovereignty Policy

How Prexiam treats data residency, access jurisdiction, and offshore disclosure risk.

Data Residency

Primary, backup, and disaster recovery data is hosted in Australian data centres and cloud regions (Melbourne and Sydney). Prexiam uses NextDC M2 (Tullamarine) and NextDC M3 (West Footscray) as colocation anchors.

Data Sovereignty

Data residency is not identical to data sovereignty. Prexiam treats sovereignty as a first-order design constraint — addressing legal and operational control over who can access your data and under which jurisdictional rules, not only where it is stored.

Shadow Residency Removal

System metadata, support access logs, identity tokens, and operational telemetry are designed to remain in Australian regions. This reduces cross-border disclosure risk under Australian Privacy Principle 8 (APP 8) and aligns with your organisation's regulatory obligations.

CLOUD Act Awareness

Prexiam does not migrate customer data to jurisdictions subject to the US CLOUD Act without implementing customer-controlled encryption keys (BYOK) and documented client consent. This policy applies to third-party SaaS tools used within managed environments.

Support Residency

All Prexiam engineers are Australia-based. There are no offshore helpdesk queues. Privileged access to your environment is just-in-time, time-bound, and logged via Microsoft Entra PIM (where licensed). No offshore support access to your environment — by policy and by access controls.

Incident Response Process

What happens when you declare a security incident. SLA-backed targets — severity definitions and workload prerequisites apply.

Step 1 (0 min): Declare

You call the incident line. A 30-minute virtual bridge target is activated. Severity is classified immediately.

Step 2 (< 30 min): Contain

Affected endpoints and accounts are isolated. Lateral movement is blocked. Forensic preservation begins.

Step 3 (RTO target): Recover

Recovery from immutable backups (WORM-capable storage). RTO: 2 hours for the Sovereign Enterprise tier; 4 hours for the standard tier.

Step 4 (5 business days): Review

Post-incident report: root cause, timeline, remediation actions, and control improvement recommendations.

Service Status

Current operational status. For real-time incidents, contact support@prexiam.com.au.

Service Desk: Operational
Monitoring Platform: Operational
Client Portal: Operational
Backup & Recovery: Operational

Last updated: February 2026.

ISO 27001 & SOC 2 Alignment

Prexiam's current certification status and control alignment posture. We state "aligned to" — not "certified" — until formal certification is completed.

ISO 27001:2022

Prexiam operates controls aligned with ISO 27001:2022 requirements including information security policies, access control, cryptography, physical security, incident management, and supplier relationships. ISO 27001 defines requirements for an Information Security Management System (ISMS). Formal certification is on the 2026 roadmap.

Controls Aligned — Certification Q4 2026

SOC 2 Type II

Prexiam's operational controls address the SOC 2 Trust Services Criteria: Security, Availability, and Confidentiality. SOC 2 is an examination and report on controls against Trust Services Criteria — not a certification. We provide control alignment statements and evidence packages on request for enterprise procurement processes.

Alignment Statement Available on Request

To request a control alignment statement, security questionnaire response, or evidence package: trust@prexiam.com.au

Security Questions

What is the Sovereign-Sync Framework?

Sovereign-Sync is Prexiam's compliance-first operating model that keeps production data, backups, and operational logs in Australia while continuously enforcing your target ACSC Essential Eight maturity. It's built to prevent security drift between audits and to shorten recovery time when incidents happen.

Where does our data live — Melbourne, Sydney, or both?

Primary workloads are designed for Australian residency. Systems can run in Melbourne with disaster recovery in Sydney when you need geographic resilience — both staying within Australia. Hosting anchors include NextDC M2 (Tullamarine) and M3 (West Footscray, ~10 km from Melbourne CBD).

How do you implement ACSC Essential Eight maturity (ML1–ML2)?

Prexiam implements Essential Eight controls as a baseline and targets maturity uplift based on risk and business criticality. We document control status, remediate gaps, and maintain evidence so your posture doesn't fall back after the initial project ends.

What happens when we declare a security incident?

Once you declare an incident, a virtual response bridge is opened within 30 minutes (SLA-backed targets — severity definitions and prerequisites apply). We start containment, preserve forensic evidence, and execute recovery steps aligned to safe-restore procedures. A post-incident report is delivered within 5 business days.

Do you use offshore support?

No. All engineers are Australia-based. Privileged access is just-in-time, time-bound, and fully logged via Microsoft Entra PIM where licensed. There are no offshore helpdesk queues and no standing access to your production environment — by policy and by access controls.

Need a security questionnaire completed?

Email trust@prexiam.com.au with your questionnaire and we will respond within 2 business days.