Trust & security

Security is our foundation

As a cybersecurity company, we hold ourselves to the highest standards. Here's how we protect your data and maintain operational excellence.

Defence in depth

Multiple layers of security controls protect every system — from network perimeter to application layer to endpoint. No single point of failure.

Encryption everywhere

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Client engagement data is additionally encrypted with per-customer keys.

Continuous monitoring

Our own SOC monitors our infrastructure 24/7 using the same detection capabilities we deploy for clients.

NZ data sovereignty

All client data is stored and processed within New Zealand. No offshore replication unless explicitly agreed in writing.

Security-cleared team

All analysts and engineers hold New Zealand security clearances. Background checks are mandatory and ongoing.

Compliance & standards

Our operations are aligned with NZISM, ISO 27001, and SOC 2 Type II. We undergo regular independent audits.

Access control

We enforce the principle of least privilege across all systems. Multi-factor authentication is mandatory for all staff. Access to client environments requires explicit authorisation and is logged and auditable.

Incident response

We maintain a documented incident response plan that is tested quarterly. In the event of a security incident affecting our systems, we commit to:

  • Notifying affected clients within 72 hours of confirmed impact
  • Providing full transparency on scope, root cause, and remediation
  • Conducting a post-incident review with lessons learned

Vendor & supply chain security

All third-party vendors undergo security assessment before onboarding. We maintain a vendor risk register and conduct annual reviews. Critical suppliers must demonstrate equivalent security standards.

Physical security

Our Auckland SOC facility employs 24/7 physical access controls including biometric entry, CCTV monitoring, and visitor logging. All equipment is secured and decommissioned following NZISM guidelines.

Employee security

All staff undergo security awareness training upon onboarding and quarterly thereafter. We conduct regular phishing simulations and tabletop exercises. Departing staff follow a rigorous offboarding process including immediate access revocation.

Responsible disclosure

If you discover a security vulnerability in our systems, we encourage responsible disclosure. Please report findings to security@haumaru.ltd. We commit to acknowledging reports within 48 hours and will not pursue legal action against researchers acting in good faith.

Questions about our security practices?

We're happy to provide additional detail on our security controls, certifications, or data handling practices.
