Legal

Security at Accreta

The controls, infrastructure, and processes behind every Accreta workspace - built for the data discipline institutional clients require.

Effective 1 May 2026
01

Security overview

Accreta is built for institutional environments handling sensitive deal data. We apply security controls equivalent to those used by the largest investment banks - encryption everywhere, role-based access on every action, continuous monitoring, and full audit trails.

02

Infrastructure

The platform runs on AWS in Sydney (ap-southeast-2) with optional regional deployment for enterprise customers.

  • Multi-AZ redundancy for high availability
  • Automated backups with point-in-time recovery
  • Network isolation via VPC and private subnets
  • WAF and DDoS protection at the edge
03

Encryption

  • AES-256 encryption at rest for all customer data
  • TLS 1.3 in transit between client, services, and storage
  • KMS-managed keys with automatic rotation
  • Customer-managed keys available on Enterprise plans
04

Access control

  • Role-based access control across every workspace action
  • Deal team isolation: mandate access scoped per user
  • SSO support: SAML 2.0, OIDC, with major identity providers
  • Multi-factor authentication required for all administrative roles
  • Session management with configurable timeout
05

Audit & logging

Every privileged action is logged with timestamp, actor, and immutable hash:

  • Access to mandate data, documents, and database queries
  • Permission changes and user invitations
  • Data exports and downloads
  • Administrative actions across all workspaces

Logs are exportable to your SIEM on Enterprise plans.

06

Vulnerability management

  • Continuous security scanning of dependencies and infrastructure
  • Annual penetration testing by independent third parties
  • Public security disclosure programme - see contact below
  • Critical CVEs patched within 72 hours of disclosure
07

Compliance

Accreta operates in line with:

  • Australian Privacy Principles and Privacy Act 1988
  • EU GDPR (for European data subjects)
  • SOC 2 Type II controls (audit in progress)
  • ISO 27001 framework alignment

Compliance reports available to Enterprise customers under NDA.

08

Incident response

Documented incident response procedures with on-call coverage 24/7. In the event of a security incident affecting customer data:

  • Affected customers notified within 72 hours
  • Detailed post-incident report shared
  • Regulatory notification where required
09

Data residency

Customer data is stored in Australia by default. Enterprise customers can elect specific regions (US, EU, Singapore) under custom data residency agreements.

10

Report a vulnerability

If you believe you've found a security issue, email security@cavari.com.au. We acknowledge all reports within 24 hours and aim to triage and resolve within 30 days. Coordinated disclosure is our default.

Questions about this document? Email legal@cavari.com.au.