MIBO TRUST CENTER
Security you can see
Mibo is ISO 27001:2022 certified. Our platform is built on Microsoft Azure Australia with enterprise-grade encryption, access controls, and continuous compliance monitoring.
ISO 27001:2022
Certified
Azure Australia
Data Sovereignty
AES-256
Encryption
MFA Enforced
All Users
Min Group 8
Aggregation
01 – Compliance Frameworks
Trusted by design
Our compliance program is built into operational workflows – not bolted on. Evidence is generated automatically as a byproduct of daily operations.
ISO 27001:2022
Certified
SOC 2 Type II
In Progress
GDPR
Readiness
Privacy Act 1988
Complete
02 – Security Controls
Defence in depth
Our security controls span 10 domains aligned to ISO 27001 Annex A and SOC 2 Trust Services Criteria.
Access Security
Role-based access control (RBAC)
Multi-factor authentication (MFA)
Session management and timeout
Principle of least privilege
Access review processes
Encryption
AES-256 encryption at rest
TLS 1.2+ in transit
Key management via Azure Key Vault
Database encryption (TDE)
Network Security
Web Application Firewall (WAF)
DDoS protection (Cloudflare)
Network segmentation
Intrusion detection
Vulnerability Management
Annual penetration testing
Dependency scanning
Patch management process
Vulnerability remediation SLAs
Incident Response
Documented incident response plan
24-hour client notification SLA
72-hour GDPR supervisory authority notification
Post-incident review process
Change Management
Formal change approval process
Impact assessment requirements
Rollback procedures
Release documentation
Business Continuity
Disaster recovery plan
Quarterly DR testing
RTO/RPO defined
Geographic redundancy
Monitoring & Logging
Centralised log management
Security event monitoring
Audit trail retention
Alerting and escalation
Organisational Security
Security awareness training
Background checks
Acceptable use policies
Annual policy review
Vendor Management
Vendor security assessments
DPA requirements
Sub-processor monitoring
Annual vendor reviews
03 – Data Transparency
What we collect
Transparency about the data our platform processes, organised by user type. Mibo acts as a data processor – our clients are the data controllers.
Portal Users
PERSONAL
Data fields:
First name · Last name · Email address
Purpose:
Platform authentication and administration
Lawful basis:
Contractual necessity (GDPR Art. 6(1)(b))
Survey Confidential Users
PERSONAL + SENSITIVE
Data fields:
Name · Email · Job role · Department · Tenure · Manager · Location · Survey responses (may include psychological and wellbeing data)
Purpose:
Psychosocial risk assessment and wellbeing monitoring
Lawful basis:
Consent + Explicit consent for Art. 9 data
Survey Anonymous Users
NON-PERSONAL
Data fields:
No identifying information collected · Aggregated responses only · Minimum group size of 8
Purpose:
Anonymous wellbeing assessment
Lawful basis:
Outside GDPR scope – no personal data
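As an added illustration of the minimum-group-size rule above (example code, not Mibo's implementation), the function below releases per-department averages only for groups of eight or more respondents and pools smaller groups into an "Other" bucket that is itself held to the same threshold; the department names and scores are constructed.

```python
from collections import defaultdict

# Added example: enforcing a minimum group size before releasing aggregated
# survey results. Illustrates the threshold described on the page; it is not
# Mibo's own code, and the record layout below is an assumption.
MIN_GROUP_SIZE = 8

# Constructed sample: (department, wellbeing score on a 1-5 scale).
SAMPLE_RESPONSES = (
    [("Engineering", s) for s in (4, 5, 3, 4, 4, 5, 3, 4, 4, 2)]
    + [("Sales", s) for s in (2, 3, 3, 4, 2, 3, 3, 4)]
    + [("Finance", s) for s in (5, 4, 4)]
    + [("Legal", s) for s in (1, 2, 2, 3, 2)]
)


def aggregate_with_threshold(responses, min_group=MIN_GROUP_SIZE):
    """Return {group: {"n": count, "mean": average}} for groups of size >= min_group.

    Groups below the threshold are never reported on their own. Their scores
    are pooled into a single "Other" bucket, which is released only if the
    pooled count also reaches the threshold; otherwise it is suppressed too,
    so that no count for a small group ever appears in the output.
    """
    by_group = defaultdict(list)
    for group, score in responses:
        by_group[group].append(score)

    report = {}
    pooled = []
    for group, scores in by_group.items():
        if len(scores) >= min_group:
            report[group] = {"n": len(scores), "mean": round(sum(scores) / len(scores), 2)}
        else:
            pooled.extend(scores)

    if len(pooled) >= min_group:
        report["Other"] = {"n": len(pooled), "mean": round(sum(pooled) / len(pooled), 2)}
    # A pooled bucket under the threshold is dropped entirely rather than
    # reported with its count, which would reveal the small groups' sizes.
    return report


if __name__ == "__main__":
    for group, stats in aggregate_with_threshold(SAMPLE_RESPONSES).items():
        print(f"{group}: n={stats['n']} mean={stats['mean']}")
```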
04 – Sub-processors
Our trusted partners
We maintain a minimal sub-processor footprint. All data processing occurs on Australian infrastructure by default.
Microsoft Azure
Cloud hosting, compute, storage, database services
Australia East (Sydney)
Cloudflare
CDN, DDoS protection, DNS, WAF
Global (nearest PoP)
Data Sovereignty
The Mibo platform is hosted on Microsoft Azure Australia East (Sydney). All customer data – including survey responses, user records, and analytics – is stored and processed within Australian borders. No customer data is transferred internationally unless explicitly documented in the relevant DPA.
05 – Resources
Security documentation
Access our compliance documentation. Some resources are publicly available; others require NDA acceptance.
ISO 27001:2022 Certificate
Independently audited by Citation ISO Certification.
Data Security Overview
Summary of our security architecture, controls, and compliance posture.
Privacy Policy
How we collect, use, and protect personal information.
Data Processing Agreement
Standard DPA covering GDPR and Privacy Act requirements.
Information Security Policy
Our overarching information security management policy.
Acceptable Use Policy
Defines acceptable user conduct, prohibited activities, and account security responsibilities.
Detailed security documentation is available on request, including our full ISMS policy suite, audit evidence, and architecture documentation.