Trust & Security

Our Commitment to Security

At Neighbourhood, we take the security of your data seriously. As a Diamond HubSpot Solutions Partner working with businesses across Australia and New Zealand, we understand that trust is the foundation of every engagement. This page outlines how we handle data, use technology, and protect your information.


Data Handling

We don't host or store your data.

All client data lives within your own platforms — HubSpot, Salesforce, Xero, or whichever systems you use. We access these platforms as authorised users during an engagement and operate under the principle of least privilege: team members only have the access they need, and all access is revoked at project completion.

We do not extract, copy, or migrate client data to Neighbourhood-owned servers or infrastructure. Your CRM is your source of truth, and it stays that way.

Data Residency

For Australian and New Zealand clients, HubSpot data is hosted in Sydney, Australia. This ensures your CRM data remains within Australian data centres and is subject to Australian data sovereignty requirements.

Platform Security

The platforms we work within maintain enterprise-grade security certifications:

  • HubSpot — SOC 2 Type II, ISO 27001, GDPR compliant
  • Salesforce — SOC 2 Type II, ISO 27001, FedRAMP Authorised, IRAP Assessed
  • Google Workspace — SOC 2 Type II, ISO 27001, IRAP Assessed
  • Xero — SOC 2 Type I, ISO 27001

AI & Technology Usage

We use AI tools internally to improve the quality and efficiency of our work, including complex reasoning, code review, documentation, and solution design. All AI-assisted work is performed locally on secured, encrypted devices in Brisbane, Australia.

Important: In limited cases, minimal client data (such as field names or schema structures) may pass through AI APIs to assist with development. All providers operate under zero data retention and no-training policies — inputs are not stored, logged, or used to improve models.

AI Providers & Their Data Policies

Provider           | Used For                                           | Data Policy
Anthropic (Claude) | Complex reasoning, code review, solution architecture | Zero data retention on API. Not used for training. SOC 2 Type II.
OpenAI             | Code assistance, development workflows             | Zero data retention on API. Not used for training. SOC 2 Type II.
Google (Gemini)    | Code assistance, development workflows             | API data not used for training. SOC 2 Type II, ISO 27001.

Our AI Principles

  • AI providers operate under zero data retention policies — inputs and outputs are not stored or used for model training
  • Where client data is involved (e.g. schema structures, field names), exposure is minimised and limited to what is necessary for the task
  • All development and code review is performed locally on secured, encrypted devices in Brisbane
  • AI is used as a productivity tool for our team — not as a bulk processor of your data
  • We do not use client data to train or fine-tune any AI models

If a project involves AI-powered features within your HubSpot portal (such as HubSpot's native AI tools), these operate entirely within HubSpot's own infrastructure and security controls.


Development Workflow

Our development process is designed to minimise exposure of client data while maintaining the ability to deliver high-quality technical solutions.

  • Local-first development — All coding and development work is performed locally on secured machines in Brisbane, Australia — never on shared or remote servers
  • Sandbox-first approach — When sandbox or staging environments are available, we work there first and promote changes to production only after testing and approval
  • CLI and API access — We interact with client platforms through official CLIs and APIs using scoped credentials with minimum required permissions
  • Version control — All code is managed through private GitHub repositories with branch protection, mandatory code reviews, and MFA-enforced access
  • No client data in repositories — Source code repositories never contain client data, credentials, or API keys

Device Security

All team members work from secured, company-managed Apple devices enrolled in our Mobile Device Management (MDM) platform.

All devices are managed through Mosyle MDM — providing centralised device management, policy enforcement, and compliance monitoring across our fleet.

MDM-Enforced Policies

  • Centralised management — All company devices are enrolled in Mosyle MDM with zero-touch deployment and remote configuration
  • Full disk encryption — FileVault is enforced via MDM policy on all devices — data at rest is encrypted with AES-256
  • Password management — Dashlane enterprise password manager enforced for all team accounts
  • Multi-factor authentication — MFA enforced across all team accounts including HubSpot, GitHub, Google Workspace, and all client portals
  • Automatic screen lock — MDM-enforced lock after 5 minutes of inactivity
  • Automatic security updates — OS and application updates are enforced via MDM policy
  • Remote wipe capability — All devices can be remotely locked or wiped through MDM in the event of loss or theft
  • Compliance monitoring — Mosyle continuously monitors device compliance status — non-compliant devices are flagged and restricted

Access Management

During Engagements

  • Least privilege — Team members are granted only the permissions required for their role
  • Access reviews — Permissions are reviewed at project milestones and adjusted as scope changes
  • Scoped credentials — API integrations use scoped tokens with minimum required permissions, rotated regularly
  • Separation of environments — Development and testing environments are kept separate from production data

Offboarding & Access Revocation

At project completion or team changes, we follow a formal offboarding checklist:

  • Revoke all HubSpot portal access (users, seats, and API keys)
  • Remove GitHub repository collaborator access
  • Revoke Salesforce user access (where applicable)
  • Deactivate or rotate all API keys and integration tokens
  • Remove access to Slack shared channels and workspaces
  • Remove from ClickUp project spaces
  • Confirm access revocation with client stakeholder

Source Code Security

  • Private repositories — All client project repositories are private by default
  • MFA enforced — Multi-factor authentication required for all GitHub organisation members
  • Branch protection — Main/production branches are protected — changes require pull requests and code review
  • No secrets in code — Credentials and API keys are never committed to repositories
  • Audit logging — GitHub provides full audit logs of repository access and changes

Incident Response

In the unlikely event of a security incident, we follow a structured response framework aligned with the Australian Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.

  1. Identify & Contain — Immediately isolate affected systems, revoke compromised credentials, and prevent further exposure.
  2. Notify — Notify affected clients within 24 hours of a confirmed incident.
  3. Investigate — Conduct a thorough investigation to determine the root cause and extent of the breach.
  4. Remediate — Implement fixes to prevent recurrence. Rotate all potentially affected credentials.
  5. Report — Where required, report to the Office of the Australian Information Commissioner (OAIC) under the NDB scheme.

Communications & Audit Trail

  • All client communications are encrypted in transit using TLS
  • Email correspondence is logged against CRM records for full audit trails
  • We use HubSpot's connected email and meeting tools to maintain a complete history of interactions
  • Sensitive documents are shared via encrypted channels and access-controlled platforms

Insurance

Neighbourhood holds comprehensive insurance coverage underwritten by Berkley Insurance Australia:

  • Professional Indemnity — Covers errors, omissions, and professional negligence
  • IT Liability — Covers technology-specific risks including data breaches and cyber incidents
  • Public Liability — General liability coverage for business operations

Policy renewed February 2026. Coverage details and certificates of currency are available on request.


Privacy

Neighbourhood is committed to protecting individual privacy in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). Our full privacy policy is available at nbh.co/privacy-policy.

  • We only collect personal information that is necessary for the services we provide
  • Personal information is not sold, rented, or disclosed to third parties except as required by law
  • Individuals can request access to or correction of their personal information at any time
  • We comply with the Notifiable Data Breaches scheme

Compliance & Agreements

We work within your compliance framework. We are happy to:

  • Sign Non-Disclosure Agreements (NDA) prior to any engagement
  • Execute Data Processing Agreements (DPA) as required
  • Complete your organisation's security questionnaire
  • Provide a subprocessor list of tools used during an engagement
  • Provide certificates of currency for insurance coverage
  • Accommodate specific security requirements for government or enterprise engagements

Subprocessors

Tool               | Purpose                          | Security                              | Data Access
HubSpot            | CRM, marketing, sales automation | SOC 2 Type II, ISO 27001              | Client-authorised
Salesforce         | CRM (where applicable)           | SOC 2 Type II, ISO 27001, FedRAMP     | Client-authorised
Google Workspace   | Email, calendar, documents       | SOC 2 Type II, ISO 27001              | Client-authorised
Xero               | Accounting integration           | SOC 2 Type I, ISO 27001               | Client-authorised
Zoom / Google Meet | Client meetings                  | SOC 2 Type II                         | Meeting content only
ClickUp            | Internal project management      | SOC 2 Type II                         | No client data
Anthropic (Claude) | AI-assisted development          | SOC 2 Type II, zero retention         | No client data
OpenAI             | AI-assisted development          | SOC 2 Type II, zero retention on API  | No client data
Google (Gemini)    | AI-assisted development          | SOC 2 Type II, ISO 27001              | No client data
GitHub             | Source code version control      | SOC 2 Type II, ISO 27001              | No client data
Dashlane           | Password management              | SOC 2 Type II, ISO 27001              | No client data
Mosyle             | Mobile device management (MDM)   | SOC 2 Type II, ISO 27001              | No client data

Contact

If you have questions about our security practices, need to discuss specific compliance requirements for your organisation, or wish to report a security concern, contact us at hello@nbh.co.

For urgent security matters, please include "SECURITY" in the subject line for priority handling.

Last updated: February 2026