Trust Centre

How we hold ourselves to the standards we help clients achieve.

InCheq is trusted by enterprise organisations to handle sensitive psychosocial risk data. Security, privacy, and independence are embedded in how we design, build, and operate the platform.

Request security documentation Privacy Policy

Our commitment

The data our clients entrust to us is sensitive. We treat it that way.

InCheq provides psychosocial risk intelligence to organisations operating in regulated, high-risk, and complex environments. The data our clients entrust to us is sensitive and consequential. We take that responsibility seriously.

Security, privacy, and independence are not afterthoughts at InCheq. They are embedded in how we design, build, and operate our platform and our business.

Security architecture

Banking-grade infrastructure. Built for regulated enterprise environments.

Data protection

Data encrypted in transit using TLS 1.2 or higher
Data encrypted at rest using industry-standard encryption
Data residency within Australia
Strict access controls with least-privilege principles
Regular access reviews and audit logging

Infrastructure security

Hosted on enterprise-grade cloud infrastructure
Network security controls and continuous monitoring
Vulnerability management and patching
Automated threat detection and alerting
Regular third-party security assessments

Organisational security

Background screening for all personnel with data access
Security awareness training across all roles
Defined incident response procedures
Business continuity and disaster recovery planning
Secure development lifecycle practices

Access and identity

Multi-factor authentication on all platform access
Role-based access controls restricting data visibility
Session management and automatic time-outs
Privileged access management for administrators
Full audit trail of all platform access events

Data privacy

Psychosocial data is sensitive by nature. How we handle it reflects that.

PII detection and de-identification

AI-assisted PII detection scans for personally identifiable information before data enters the analysis pipeline. Identified PII is flagged and de-identified before processing. Individual-level data is never stored in identifiable form.

Data minimisation and purpose limitation

We only process data necessary for the specific intelligence purpose requested. Client data is not used for any purpose beyond the agreed scope of engagement. Retention does not exceed contractual terms.

Australian data residency

All client data is stored and processed within Australia. We do not transfer client data offshore. Data residency within Australia is maintained throughout the data lifecycle.

Privacy Act compliance

InCheq operates in compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Data Processing Agreements are available for clients who require them.

No tracking. No profiling. No third-party advertising.

This website does not use analytics cookies, tracking pixels, or third-party advertising scripts. We do not profile visitors or share browsing data with advertising networks. Limited technical data is collected through server logs for security and operational purposes only.

AI and methodology

AI supports defined analytical functions. Not autonomous decision-making.

The Safe Minds Index® is an evidence-based scoring framework. Where AI is used, it is documented, scoped, and reviewed.

How scoring works

Scores are calculated against a defined maturity framework across 10 Pillars. Determined by structured analysis of submitted data against validated criteria, not by opaque algorithmic judgement. Methodology is documented and consistent across all clients.

Where AI is used

AI supports specific analytical functions: PII detection during ingestion, pattern recognition across complex datasets, and identification of material deviations from benchmark profiles. AI outputs are reviewed as inputs to the intelligence process, not final determinations.

Human oversight throughout

Governance outputs (board reports, maturity assessments, intervention roadmaps) are produced with human oversight and expert review. Clients receive intelligence that has been interpreted and contextualised, not raw algorithmic output.

Explainability and transparency

Clients receive documentation explaining how their Safe Minds Index® score was reached, which inputs were used, and how results compare to benchmarks. The framework is auditable: outputs trace back to specific data inputs and criteria.

Independence by design

Independent assessor. Not a vendor with skin in the outcome.

The value of a maturity assessment depends entirely on its independence. An assessment shaped by the intervention provider's commercial interests, whether to inflate scores, downplay risks, or drive particular products, is not defensible governance evidence. It is a liability.

InCheq's design separates the intelligence layer from the delivery layer. InCheq provides the Safe Minds Index® assessment and the maturity evidence. Delivery of interventions and improvement programmes is conducted by accredited partners, not by InCheq itself. This separation means:

InCheq has no financial incentive to recommend specific interventions
Assessment findings are not shaped by delivery relationships
Maturity scores cannot be gamed by selecting favourable inputs
Year-on-year comparisons reflect genuine change, not score management
Regulatory and board engagement is based on independent evidence

Independence is not claimed. It is structural. Built into how InCheq operates.

Certifications and standards

Aligned to recognised Australian and international standards.

Pursuing

ISO 27001

Information security management. Certification actively being pursued. Controls aligned to ISO 27001 standards.

Achieved

Privacy Act 1988 (Cth)

Compliant with Australian Privacy Principles (APPs). Data processing aligned to all 13 APPs.

Achieved

Australian data residency

All data stored and processed in Australia. No offshore transfers. Aligned to government data sovereignty requirements.

Pursuing

SOC 2 Type II

Pursuing SOC 2 Type II attestation for security, availability, and confidentiality trust service criteria.

Achieved

TLS 1.2+ encryption

All data in transit encrypted using current TLS standards. Data at rest encrypted using AES-256 or equivalent.

Pursuing

Essential Eight alignment

Controls progressively aligned to the ACSC Essential Eight mitigation strategies for enterprise environments.

Achieved — live and verified | Pursuing — in progress, timeline available on request

Security documentation

For procurement, vendor risk, and ongoing governance.

The following documentation is available to prospective and current clients to support vendor risk assessments, procurement processes, and ongoing governance requirements.

Security questionnaire responses (SIG, CAIQ, custom)Available on request
Data Processing Agreement (DPA)Available on request
Sub-processor listAvailable on request
Penetration test executive summaryAvailable under NDA
Incident response overviewAvailable on request
Business continuity summaryAvailable under NDA
Platform architecture overviewAvailable on request
AI methodology overviewAvailable on request

InCheq is actively pursuing formal security certification. We welcome questions about our current security posture and certification timeline during evaluation.

Get in touch

Request security documentation.

If you are evaluating InCheq as part of a procurement or vendor risk assessment process, we are happy to provide the documentation you need promptly.

Documentation on request · Within two business days

1300 400 290
hello@incheq.co
Melbourne, Australia