Information Security Policy — Trust Centre — Compass IoT

Our commitment

Information security is a business requirement, not a compliance exercise.

Compass IoT handles data that organisations depend on to make decisions about roads, infrastructure, and fleets. Protecting that data — and the systems that process it — is a core operational responsibility. This policy sets out the framework within which we do that.

This policy applies to all employees, contractors, and third parties with access to Compass IoT information assets. It is supported by a set of topic-specific policies that address individual areas in detail.

Objectives

What this policy sets out to achieve

Policy in place
  • Protect the confidentiality, integrity, and availability of all information assets held or processed by Compass IoT.
  • Ensure information is accessible to those who need it, and protected from those who do not.
  • Comply with applicable legal, regulatory, and contractual obligations relating to information security.
  • Manage information security risk in a structured, consistent, and proportionate way.
  • Build and maintain the trust of customers, partners, and regulators through demonstrable security practice.
  • Respond effectively to security incidents and learn from them to prevent recurrence.

Scope

What this policy covers

This policy applies to all information assets owned, managed, or processed by Compass IoT, regardless of format or location. This includes:

  • Digital data stored on Compass IoT systems, cloud infrastructure, or third-party platforms.
  • Physical documents and removable media containing company or customer information.
  • Software, applications, and platforms developed or operated by Compass IoT.
  • Network and communication infrastructure used to transmit or process information.
  • Third-party systems where Compass IoT data is held or processed under contract.

Principles

How we approach information security

Our information security programme is built on the following principles, which guide how we design controls, respond to risk, and make decisions.

  • Confidentiality — information is accessible only to those authorised to access it.
  • Integrity — information is accurate, complete, and protected from unauthorised modification.
  • Availability — information and systems are available to authorised users when needed.
  • Least privilege — access is granted only to the extent required to perform a role or function.
  • Defence in depth — multiple layers of control are applied so that no single failure compromises security.
  • Risk-based — controls are proportionate to the sensitivity of the information and the likelihood and impact of threats.
  • Continuous improvement — security is reviewed regularly and updated in response to incidents, changes in risk, and advances in best practice.

Responsibilities

Who is responsible

Information security is a shared responsibility. The following responsibilities apply across the organisation.

Leadership team — accountable for the information security programme; approve this policy and ensure adequate resources are allocated to security.

Engineering leadership — responsible for implementing and maintaining technical security controls across the platform and infrastructure.

All employees and contractors — responsible for understanding and complying with this policy and the topic-specific policies that support it; reporting suspected incidents or weaknesses promptly.

Third parties — required to comply with Compass IoT's security requirements as set out in contractual terms and the Vendor Management Policy.

Supporting policies

Topic-specific policies

This policy is supported by a set of topic-specific policies that provide detailed requirements in each area. All covered persons are expected to be familiar with the policies relevant to their role.

  • Access Control Policy
  • Acceptable Use Policy
  • Remote Work & BYOD Policy
  • Background Check Policy
  • Vulnerability Management Policy
  • Incident Response Plan
  • Change Management Policy
  • Data Classification & Retention Policy
  • Vendor Management Policy

Policy review

Ownership and review

This policy is owned by the Compass IoT leadership team and reviewed annually, or following any significant security incident or material change to our operating environment.
