Black Shard

Trust & security

Security you can verify.

We sell security, so we hold ourselves to it. Every credential below is independently issued and checkable. Follow any of them straight to the registry, the standard, or the platform that holds it.

What we hold

One certification, independently issued.

SMB1001:2026 Gold is the one certification on this site that is genuinely ours. It is held by the legal entity, Black Shard Pty Ltd, and verifiable on CyberCert’s public registry.

SMB1001:2026 Gold
Standard: SMB1001:2026 Gold (Level 3)
Held by: Black Shard Pty Ltd · ABN 66 696 910 773
Issued by: CyberCert
Active: 16 June 2026 – 17 June 2027
Basis: Formal director attestation against the standard’s 27 controls
Verify on the CyberCert registry ↗

What we align to

Standards we self-assess against.

These are not audited certifications, and we will not present them as such. They are frameworks that genuinely apply to an Australian ICT firm, that we measure ourselves against and design toward.

ASD Essential Eight

Self-assessed · Maturity Level 1

The Australian Signals Directorate’s eight mitigation strategies: patching, application control, multi-factor authentication, restricting administrative privileges, and the rest. We self-assess at Maturity Level 1, and most of these controls overlap directly with the SMB1001 controls we attest to, so the two reinforce one another rather than sitting apart.

Privacy Act 1988 · Australian Privacy Principles

Aligned

As an Australian operator handling personal information, we build to the Australian Privacy Principles under the Privacy Act 1988: collection limits, purpose, access and correction, and breach handling. This is the regime that applies to us, designed in rather than retrofitted.

What we build on

Platforms that hold their own assessments.

We build on Microsoft Azure, in Australian regions. Azure’s infrastructure is independently IRAP-assessed to PROTECTED and holds ISO 27001 and SOC 2, at the platform level, never as Black Shard certifications. Inheriting a platform’s assurance is not the same as holding it ourselves, and we keep that line clear.

Microsoft’s IRAP assessment ↗

Security practices

The posture behind the certificate.

A certificate is a snapshot; these are the working habits that keep it honest between renewals. We describe the posture rather than naming specific tooling.

Least-privilege access.
People and systems get only the access the work requires, and no more. Administrative privilege is restricted and granted deliberately, not by default, and access is reviewed as roles change.
Encryption in transit and at rest.
Data is encrypted on the wire and where it is stored. We rely on the encryption primitives the underlying platforms provide rather than rolling our own.
Backups and recovery.
Production data is backed up so we can recover from loss or corruption. Recovery is treated as something to rehearse, not assume.
Incident handling.
We have a defined path for identifying, containing, and communicating a security incident, including the notification obligations the Privacy Act places on us where a breach is likely to cause serious harm.
Vendor and sub-processor discipline.
We keep the set of third parties that touch data deliberately small, prefer platforms that hold their own independent assessments, and choose Australian regions for the services that host client data.

Questions a trust page can’t answer?

If you need our security posture in more detail for a procurement or due-diligence process, just ask. We will walk you through it.