Triskele Labs is an Australian-owned and operated cyber security company. Our customers trust us to detect and respond to threats inside their environments, and that work depends on us handling their data with care and discipline.
In the course of delivering our services, we hold the data required to detect and respond to threats in your environment, to manage our engagement with you, and to produce the reports and records you have engaged us to provide. We do not collect or hold customer data beyond what is required to deliver the services contracted with you.
Customer data is held in Australia. We do not store, replicate, or transfer customer data offshore. The platforms and environments we use are subject to contractual residency commitments, the Triskele Labs Information Security Management System, and recognised industry certifications.
Access to customer data is restricted to Triskele Labs personnel who require it to deliver the contracted service. Specifically:
All personnel with access to customer data are based in Australia.
All personnel are background-checked, with additional vetting where required for specific engagements.
There is no offshore Security Operations Centre and no offshore reach-back into our delivery workflow.
Access is granted on the principles of least privilege and need-to-know, with role-based controls, just-in-time elevation, and full session logging.
Each customer environment is logically segregated, and access is auditable.
Customer data is protected in line with our Information Security Policy and the controls maintained within our certified Information Security Management System. This includes encryption of data at rest and in transit, controlled cryptographic key management, recurring access reviews, and ongoing monitoring of the environments in which customer data resides.
Retention periods for customer data are agreed with you in your contract and recorded in your service schedule. Default retention positions are aligned to common Australian regulatory and sector obligations and are adjustable to your specific requirements.
At the end of your contract, your data is destroyed in line with the terms of our agreement. A certificate of destruction is available on request.
Where we engage third parties to support service delivery, those third parties are bound by contractual obligations consistent with this statement and our Information Security Policy. The current sub-processor list is provided to customers on contract execution and is available on request.
Triskele Labs is a notifiable entity under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme. In the event of a confirmed data breach involving your data, we will notify you in line with the obligations set out in our agreement with you.
As a Triskele Labs customer, you can at any time request:
Further detail beyond what is set out in this statement is available to customers and prospective customers under appropriate non-disclosure terms.
Questions about this statement, or about how we handle customer data, should be directed to your Triskele Labs account contact, or to security@triskelelabs.com.
Reach out to understand why we are the only Cyber Security experts you'll ever need to talk to.
