OUTPACE

Security

Last updated · 25 April 2026

Our posture

Security is the work we do — it would be inconsistent to bring less rigour to our own systems than we recommend to clients. Outpace AI runs on a small, opinionated stack with clear ownership, defined controls, and documented incident response.

We align to the NIST Cybersecurity Framework and ISO 27001 control families. Where the framework asks for evidence, we keep it.

Data handling

Client and prospect information is encrypted in transit (TLS 1.2+) and at rest. We classify information into three tiers — public, internal, and confidential — with handling rules for each.

Information shared with us under engagement is held for the period agreed in our Master Services Agreement and destroyed on completion unless retention is required by law.

Access controls

Access to internal systems is least-privilege, MFA-enforced, and reviewed quarterly. SSO is the default for any system that supports it.

Access to client systems during engagements is time-bounded, role-scoped, and audit-logged. We do not retain credentials beyond the engagement window.

AI-specific controls

Where we use AI internally — for research, drafting, or analysis — model interactions are routed through a gateway with policy enforcement, trace capture, and cost attribution. Sensitive client information is not sent to third-party model providers.

We use the Lastmile control plane on our own AI workflows. We will not ask a client to operate a control posture we do not run ourselves.

Incident response

We maintain a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. Roles are named and the plan is tested.

Where an incident may have affected client information, we will notify the impacted client without delay and consistent with the obligations in our Master Services Agreement.

Vendor management

We assess each vendor against a standard set of criteria — security posture, sub-processor list, data residency, incident history, and renewal terms. Assessments are recorded and refreshed annually.

Compliance

Outpace AI handles personal information in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles. We can support clients with their own NIST AI RMF, ISO 42001, and APRA CPS 234 obligations.

Reporting a vulnerability

If you have identified a security vulnerability in this website or in a system we operate, please email security@outpaceai.com.au with details. We acknowledge reports within two business days and provide a substantive update within ten.

We do not currently run a paid bug bounty. Researchers acting in good faith and within the scope of standard responsible-disclosure conduct will not face legal action from us.

Contact

Security questions or assurance requests: security@outpaceai.com.au. General enquiries: hello@outpaceai.com.au.
