The Maelstrom AI Trust Centre
We publish our Information Security Management System in full: the policies, the risk register, the Statement of Applicability, the data protection assessments, and the privacy notices. No sales call, no NDA, no login. If you want to know how we run security and privacy, read it for yourself.
A management system you can read, not a badge you have to trust
Most companies treat their security documentation as something to be requested, gated behind a sales team and a non-disclosure agreement, and handed over as a PDF if you are important enough. We take the opposite view. Maelstrom AI builds privacy infrastructure for regulated environments, and the only honest way to earn trust in that work is to show how it is governed.
So the same Information Security Management System we operate against internally is the one published here. It is versioned in source control alongside the code it governs, reviewed on a schedule, and open to scrutiny from auditors, customers, regulators, and anyone else who cares to look.
One management system, many regimes
Our ISMS is structured to the ISO/IEC 27001:2022 management-system clauses and Annex A controls. We will pursue certification when it is commercially justified; until an accredited certification body has issued a certificate, we describe this as alignment, not certification. The standards below are mapped in the compliance section, with the evidence that supports each mapping.
ISO/IEC 27001:2022
Information security management system. Structure, Annex A controls, Statement of Applicability, and risk methodology. Certification pursued when commercially justified.
ISO/IEC 27701
Privacy information management extension. Annex B (PII processor) controls mapped; Annex A applies where we act as a PII controller.
GDPR & UK GDPR
Designed to meet the General Data Protection Regulation. Lawful bases, data subject rights, and records of processing.
UK Children's Code
Age Appropriate Design Code. A dedicated children's data protection impact assessment and age-appropriate privacy notices.
COPPA & CCPA
United States children's privacy and California consumer privacy. Self-assessed mappings and compliance statements.
NIST 800-63 & CSA STAR
Digital identity assurance alignment and a Cloud Security Alliance self-assessment.
Everything we publish
The complete ISMS, ungated. 94 documents across security, compliance, legal, and operations.
Security & ISMS
- Access Control Policy
- Incident Response Policy & Procedure
- Risk Assessment Methodology
- Roles and Responsibilities Matrix
- Security & Compliance Overview
- Statement of Applicability (SOA)
- Acceptable Use Policy
- Asset Register
- Business Continuity Plan
- Gap Analysis
- ISMS Scope Statement
- Risk Register
- Change Management Policy
- Evidence Collection Checklist
- Information Security Policy
- Internal Audit Program
- Asset Management Procedure
- Context Analysis
- Management Review
- Cryptography Policy
- Document Control Procedure
- Security Quick Reference
- Communication Procedure
- Information Security Objectives Register
- Post-Quantum Cryptography Roadmap
- JWKS Rotation Plan, Shared Sandbox Issuer
- Supplier & Vendor Management
- Data Retention & Disposal Policy
- Privacy Complaint Handling Process
- Data Protection Impact Assessment
- Security Awareness Training Program
- Legitimate Interest Assessment
- DPIA: Docs Interactive Sandbox
Compliance frameworks
Standards
- ISO 27701:2019 Privacy Information Management System - Compliance Documentation
- ISO/IEC 27566-1 Age Assurance Systems - Alignment Document
- GDPR Compliance Statement
- CCPA Compliance Statement
- COPPA Safe Harbor - Compliance Enablement Documentation
- UK Age Appropriate Design Code - Compliance Matrix
- DPIA: Children's Code Standard 2 (Docs Sandbox)
- NIST 800-63-3 Digital Identity Alignment
- ISO 27701 Annex B: PII Processor Controls
- Privacy by Design - 7 Foundational Principles Assessment
- CSA STAR Level 1 Self-Assessment
- Provii Transparency Report
- Cryptographic Security in Provii's Privacy-Preserving Age Verification
Evidence library
- Age Verification Flow Evidence
- Privacy Architecture Evidence
- Cryptographic Implementation Evidence
- Privacy Policy Evidence - GAP-H003
- Data Lifecycle Evidence
- Infrastructure Evidence
- Age-Appropriate Privacy Notices - Evidence Documentation
- DevOps & Development Practices Evidence
- Business Continuity & Disaster Recovery Evidence
- DPA Templates Evidence
- Backup Worker Evidence
- HR Privacy Notice - Evidence Documentation
- Records of Processing Activities (ROPA)
- Status Page Evidence
- Access Control Evidence
- API Security Evidence
- Logging & Monitoring Evidence
- Third-Party & Supply Chain Evidence
- Mobile Security Evidence
Legal
- Data Processing Agreement (Standard)
- Privacy Policy
- Data Processing Agreement (Enterprise)
- Privacy Notice for Kids
- Privacy Policy (plain English summary)
- Terms of Service
- Cookie Policy
- Privacy Notice for Parents and Guardians
- Standard Contractual Clauses (SCCs) Addendum
- Cookie Policy (plain English summary)
- Privacy Notice for Teens
- Sub-Processors List
- DPA Addendum: Docs Interactive Sandbox
- Employment & HR Privacy Notice
- Developer Privacy Notice (Docs Sandbox)
Operations
Who operates this ISMS
The Information Security Management System published here is owned and operated by Maelstrom AI, the company behind Provii. Provii is our privacy-preserving age verification product; this Trust Centre governs the company that builds and runs it.
Questions about a control, a mapping, or a data processing arrangement are welcome. Reach us through the contact page.
| Item | Detail |
| --- | --- |
| Entity | Maelstrom AI Pty Ltd ATF Maelstrom AI Holding Trust |
| ABN | 61 633 823 792 |
| Jurisdiction | Victoria, Australia |
| Address | PO Box 169, St Arnaud VIC 3478 |