XSTRA
Compliance Alignment Statement
ISO 27001, SOC 2 & GDPR — practical alignment through operational controls.
Alignment with ISO 27001, SOC 2, and GDPR
While XSTRA has not yet attained formal certification under ISO 27001, SOC 2, or GDPR, our operational and security frameworks are designed to align with the core requirements of these standards. Our commitment to robust information security and data protection is reflected in the controls, processes, and technologies used across our environments.
Client assurance: If formal certification becomes necessary for a client engagement, we are well-positioned to complete the required certification processes within a short, realistic timeframe (subject to scope).
ISO 27001
Security governance, access control, change management, backups, incident response.
SOC 2
Security, availability and confidentiality controls supported by monitoring and operational processes.
GDPR
Data handling discipline, jurisdiction controls, incident readiness and privacy-aware operations.
ISO 27001
Information Security Management alignment
Governance & Controls
Policy & Governance
  • Information Security Policy reviewed at the executive level
  • Annual internal reviews to drive continuous improvement
  • Defined incident response approach with escalation pathways
Access & Auditability
  • Role-based permissions and Multi-Factor Authentication (MFA)
  • Documented user access control through the lifecycle
  • Access review practices aligned to client service scope
Data Protection & Recoverability
  • Secure data disposal principles
  • Off-site encrypted backups with restoration testing
  • Data residency and jurisdiction controls where required
Infrastructure & Change Control
  • Network segmentation and firewall enforcement
  • Formal change management patterns for platform changes
  • Staff training to support consistent execution
SOC 2
Trust Services Principles alignment
Security • Availability • Confidentiality
Operational Controls
  • Systems architected for security, availability, and confidentiality
  • Structured change control processes
  • Security awareness practices for staff
  • Confidentiality agreements for personnel
Monitoring & Maintenance
  • Continuous monitoring for events and anomalies (scope-dependent)
  • Endpoint protection controls and baselines
  • Active patch management and maintenance cadence
  • Risk assessments for third-party vendors (as required)
XDESK platform controls (where supported components are in place): Session-level protections may be used to reduce common risks such as credential capture and visual data leakage (for example, controls designed to help mitigate keylogging and screen capture in supported scenarios).
GDPR
Privacy and data protection alignment
Data Handling Discipline
Data Processing Principles
  • Transparent data handling practices (scope-dependent)
  • Data minimisation and purpose limitation patterns
  • Processing of personal data on valid legal bases (client-defined)
  • Jurisdiction and residency controls where required
Incident Readiness
  • Incident response processes and escalation pathways
  • Breach notification readiness aligned to regulatory timelines (as applicable)
  • Ongoing staff training supporting privacy awareness
XACCESS — location-aware authentication (where implemented): XACCESS can support “safe zone” access patterns using the XACCESS Site Key, enabling organisations to restrict sensitive access to authorised personnel at approved physical locations.
Innovative Security Solutions
XSTRA develops practical security solutions shaped by frontline delivery — designed to close gaps that standard vendor roadmaps often miss.
XACCESS
Combines MFA with location-based controls to create secure access environments for sensitive systems and cloud resources (where deployed).
XPC / XDESK integration
A protected virtual desktop experience designed for consistent access and operational control, integrated into our managed workspace platform.
Summary: Even where formal certifications are not currently held, XSTRA’s frameworks and operational practices are designed to align with ISO 27001, SOC 2, and GDPR requirements in substance and execution — with clear pathways available if certification becomes necessary.

© 2021–2026 XSTRA Group Pty Ltd (Australia). All rights reserved.