How we hold your trust.
Neighbourhood works inside the platforms, data and increasingly the software of businesses across Australia and New Zealand. This page is the public record of how we do it, what we host, what our agents are allowed to touch, and where to find the documents your security team will ask for.
Most of it stays in your platforms. Some of it lives with us, on the record.
Your CRM is your source of truth, and it stays that way. We access client platforms as authorised users under least privilege and revoke that access at project end. Where we operate software of our own, we list it openly below.
We work as an authorised user, not a data extractor
We don't copy or migrate your CRM into Neighbourhood-owned infrastructure. For Australian and New Zealand clients, HubSpot data is hosted in Sydney, inside Australian data centres and under Australian data sovereignty.
- HubSpot: SOC 2 Type II · ISO 27001 · GDPR
- Salesforce: SOC 2 Type II · ISO 27001 · FedRAMP · IRAP
- Google Workspace: SOC 2 Type II · ISO 27001 · IRAP
- Xero: SOC 2 Type I · ISO 27001
Where we run software in-house
Some services are internal-only (we run our agency on them). Others are client-facing, where you log in or your data flows through them.
- NBHOS Platform: internal operating system
- NBH Billing: client invoicing portal
- NBH Solutions: brief & proposal builder
- NBH Audits: audit.nbh.co
- Client tool instances: per-tenant deployments
- Hosting: DigitalOcean, Sydney region
- Edge: Cloudflare WAF + DDoS, TLS 1.3
- Database: managed Postgres, encrypted at rest
- Backups: daily, retained 14 days, restore tested quarterly
- Region: all data Australia-resident
- Isolation: per-tenant for client tool instances
We use AI heavily. Here's exactly what it's allowed to do.
Most agencies use AI in private and explain nothing. We use it in production, name the providers, and publish the rules our agents operate under, including the things they're required to ask permission for before doing.
A. AI in our internal work
Code review, documentation, research and drafting, performed locally on encrypted, MDM-managed Apple devices in Brisbane. Providers operate under zero-retention API terms with no training on inputs.
- Anthropic (Claude): primary reasoning, code and agent runtime. SOC 2 Type II, zero retention on API
- Fathom: meeting transcription. SOC 2 Type II, HIPAA, zero retention
B. AI features inside the products we build for you
When a client tool we build for you uses AI, we mint a dedicated API key, scoped to that tenant. Your data is not visible to any other client's instance, and no client's data is used to train or fine-tune any model. Evaluation suites and guardrails are documented per project in the relevant AI-SPEC.
C. Autonomous agents on our staff
Some of our work is performed by autonomous AI agents. They operate under a published action policy. Every action is logged, and a senior team member reviews the Red queue before anything in it proceeds.
Green, routine
Acts autonomously. Logged but not flagged.
- Code edits inside their own services
- Raising pull requests on any repo
- Cloudflare DNS records, read-only queries
- Slack and Drive read operations
Amber, notify first
Alerts the team first, then proceeds unless someone objects.
- Edits to shared environment files
- Restarting or redeploying shared services
- SQL backfills on shared production tables
- Provisioning new infrastructure
- Changing client-facing config
- Rotating shared secrets
Red, wait for approval
Stops and waits for an explicit human go.
- Destructive database operations
- Schema changes on production
- nginx, systemd, system-level cron
- Deploy script or rollback edits
- GitHub org-admin settings
- Adding or removing org members
Four surfaces. Same standard at each.
Mosyle MDM, fleet wide
- FileVault AES-256 disk encryption enforced
- MFA required across all team accounts
- Dashlane enterprise password manager
- 5-minute automatic screen lock
- Auto patching for OS and apps
- Remote wipe on loss or theft
Least privilege, formal off-boarding
- Scoped credentials, only the minimum needed
- Reviews at every project milestone
- Environment separation, dev versus production
- Off-boarding checklist: seats, keys, repos, Slack, project tools
- Confirmation of revocation reported back to client
GitHub, hardened
- Private by default across the nbh-co org
- MFA enforced on every member
- Branch protection on main, PR + review required
- Copilot review auto-runs on all PRs
- Dependabot security alerts active
- No secrets in code, ever; scanned at push
- Audit logs retained for repo activity
Local-first, sandbox-first
- Local builds on encrypted Brisbane devices
- Sandbox first when client provides one
- Scoped API tokens rotated regularly
- No client data in repos, code only
- CI gates: tests + lint + type check on every PR
A real plan, written down.
Aligned with the Australian Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. We rehearse it; we don't just publish it.
Identify & contain
Isolate affected systems, revoke compromised credentials, stop further exposure.
Notify
Affected clients informed within 24 hours of a confirmed incident.
Investigate
Root cause analysis, scope of exposure, forensic timeline.
Remediate
Patch root cause, rotate all potentially affected credentials, post-mortem.
Report
Where required, notification to the OAIC under the NDB scheme.
To report a suspected vulnerability or security concern, get in touch via our contact page. We acknowledge within one business day.
Safe harbour. We will not pursue or support legal action against security researchers who act in good faith: avoid privacy violations, data destruction and service disruption, only interact with accounts you own or have permission to test, and give us reasonable time to remediate before any public disclosure.
Australian Privacy Act, applied plainly.
Neighbourhood operates under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Full privacy policy at nbh.co/privacy-policy.
- We only collect personal information necessary for the services we provide
- We don't sell, rent, or disclose personal information to third parties except where required by law
- Individuals can request access to or correction of their personal information at any time
- We comply with the Notifiable Data Breaches scheme
- Client data is deleted or returned within 30 days of engagement end, on written request
The documents your security team is about to ask for.
Rather than make procurement chase us, we publish the standard packet here. All documents are kept current and dated.
Mutual NDA
Two-way confidentiality agreement, ready to counter-sign. PDF available on request (v1.4, Feb 2026).
Data Processing Agreement
DPA covering processing of personal data under the Privacy Act 1988. PDF available on request (Feb 2026).
Insurance Certificate of Currency
Berkley Insurance Australia, PI / IT Liability / Public Liability. PDF available on request (12 pages, Feb 2026).
Security Overview
Single-document summary for procurement and security review. Available on request.
Frameworks we align with, and where we're heading
We currently operate against the controls below. Independent certification of NBH-hosted services is on the roadmap. We publish dates rather than vague language.
| Status | Framework | Timing |
|---|---|---|
| Aligned | Australian Privacy Act 1988 & APPs | Current |
| Aligned | Notifiable Data Breaches scheme | Current |
| Aligned | OWASP Top 10 secure development | Current |
| Planned | Annual external penetration test, NBH-hosted services | Q4 2026 |
| Planned | SOC 2 Type I readiness, NBHOS & client tools | 2027 |
| Planned | ISO 27001 gap assessment | 2027 |
The full list. The honest list.
Every tool that may touch a piece of your engagement, grouped by purpose. We notify clients in writing at least 30 days before adding a new subprocessor that could access client data.
| Provider | Purpose | Certification | Data access |
|---|---|---|---|
| Infrastructure (NBH-hosted services) | | | |
| DigitalOcean | Compute, Sydney region | SOC 2 Type II · SOC 3 | Application + database |
| Cloudflare | DNS, WAF, DDoS, TLS | SOC 2 Type II · ISO 27001 · ISO 27018 | Traffic in transit |
| Resend | Transactional email | SOC 2 Type II | Email recipients |
| Stripe | Payment processing (NBH Billing) | PCI DSS Level 1 · SOC 2 Type II | Payment + billing data |
| Client platforms (you authorise us) | | | |
| HubSpot | CRM, marketing, sales automation | SOC 2 Type II · ISO 27001 | Client-authorised |
| Salesforce | CRM, where applicable | SOC 2 Type II · ISO 27001 · FedRAMP | Client-authorised |
| Xero | Accounting integration | SOC 2 Type I · ISO 27001 | Client-authorised |
| Workplace & collaboration | | | |
| Google Workspace | Email, calendar, documents | SOC 2 Type II · ISO 27001 · IRAP | Client correspondence |
| Microsoft 365 | Email & documents | SOC 2 Type II · ISO 27001 | Staff correspondence |
| Google Meet | Client meetings | SOC 2 Type II · ISO 27001 | Meeting content only |
| Aircall | Cloud telephony | SOC 2 Type II | Call recordings + transcripts |
| Bird (MessageBird) | SMS notifications | SOC 2 Type II · ISO 27001 | Phone numbers + message content |
| Fathom | AI meeting transcription | SOC 2 Type II · HIPAA · zero retention | Meeting audio + transcript |
| Slack | Internal & shared channel comms | SOC 2 Type II · ISO 27001 | Conversation only, no CRM data |
| Qwilr | Proposals & quotes | SOC 2 Type II | Prospect & client proposal data |
| AI providers | | | |
| Anthropic (Claude) | Reasoning, code, agent runtime | SOC 2 Type II · zero retention on API | Minimised, per-tenant keys for client tools |
| Security & identity | | | |
| GitHub | Source code, code review, audit logs | SOC 2 Type II · ISO 27001 | Code only, no client data |
| Dashlane | Enterprise password management | SOC 2 Type II · ISO 27001 | No client data |
| Mosyle | Mobile device management | SOC 2 Type II · ISO 27001 | Device metadata only |
Subprocessor change policy. We give written notice at least 30 days before adding any subprocessor that could process client data. Clients may object in writing, in which case we will work with you to find an alternative.
Covered, current, on file.
Berkley Insurance Australia
Policy renewed February 2026. Certificate of currency available above, or on request via our contact page.
- Professional Indemnity: covers errors, omissions, and professional negligence.
- IT Liability: technology-specific risks including data breach and cyber incident cover.
- Public Liability: general liability for business operations.
The questions your team usually asks.
Do you sign NDAs and Data Processing Agreements?
Yes. We counter-sign your mutual NDA and execute a DPA before work begins, or provide ours. Request either via our contact page.
Where is our data hosted?
Your CRM data stays in your own platforms; HubSpot data for Australian and New Zealand clients is hosted in Sydney. Anything we host ourselves runs in DigitalOcean's Sydney region behind Cloudflare, and stays Australia-resident.
Do you use our data to train AI models?
No. No client data is used to train or fine-tune any AI model. Where a tool we build for you uses AI, it runs on a dedicated key scoped to your tenant, and providers operate under zero-retention API terms.
Can we audit you, or send our own security questionnaire?
Yes. We complete your standard security questionnaire and provide our security packet (NDA, DPA, insurance certificate of currency, and a security overview). Request it via our contact page.
What happens to our data and access when an engagement ends?
We follow a formal off-boarding checklist: all access and API keys are revoked or rotated, and client data is deleted or returned within 30 days of engagement end on written request.
Need this as one packet?
Tell us what your team needs and we'll send NDA, DPA, insurance certificate, security overview, and a completed copy of your standard security questionnaire. Most packets land in your inbox within one business day.