Last updated: 30 April 2026
At Overcyte, we recognise that the adoption of cloud-native solutions brings both enhanced capabilities and new security challenges. Our mission is to deliver a cyber resilience platform that our customers can trust implicitly. Security is not an afterthought; it is a foundational element woven into every aspect of our operations, from product design to daily practices.
We employ a risk-based approach to our Information Security Management System (ISMS), focusing on identifying, assessing, and mitigating vulnerabilities and threats to our information assets. This proactive stance ensures the confidentiality, integrity, and availability of data entrusted to us.
Security is embedded into every layer of our platform:
• Application Architecture: Our applications are designed with multi-tenancy isolation, ensuring that customer data is segregated and protected.
• Infrastructure: We utilise containerised environments and serverless functions to minimise attack surfaces and enhance scalability.
• Data Storage: All data is encrypted at rest and in transit using industry-standard encryption protocols. Every customer has a dedicated database.
• Access Controls: Role-based access controls (RBAC) and multi-factor authentication (MFA) are enforced across all systems.
We are committed to safeguarding customer data:
• Data Minimisation: We collect and process only the data necessary to provide our services, and access to that data is limited to what each role requires (least privilege).
• Data Retention: Data is retained in accordance with defined lifecycle policies and is securely deleted upon request or at the end of its retention period.
• Privacy Compliance: Our practices align with global privacy regulations, ensuring transparency and control over personal data.
• Data Storage Location: During onboarding, customers choose where their data is stored: Australia (AU), the United Kingdom (UK) or the United States (USA).
Access to systems and data is tightly controlled:
• Provisioning: Access is granted based on job responsibilities, following a strict approval process.
• Monitoring: All access is logged and monitored for anomalous activity.
• Review: Regular reviews are conducted to verify appropriate access levels and to revoke unnecessary permissions.
Our proactive monitoring and incident response capabilities include:
• Real-Time Monitoring: Our cloud hosting partners provide continuous monitoring of systems so that threats are detected and responded to promptly.
• Incident Response Plan: A well-defined plan that outlines procedures for containment, eradication, and recovery from security incidents.
• Post-Incident Analysis: Thorough investigations are conducted to understand root causes and to implement improvements.
Our development lifecycle incorporates security at every stage:
• Code Reviews: All code undergoes rigorous peer reviews to identify potential security issues.
• Automated Testing: Security testing is integrated into our CI/CD pipelines to detect vulnerabilities early.
• Dependency Management: We monitor and update third-party libraries to mitigate risks from known vulnerabilities.
We ensure service resilience through:
• Redundancy: Our cloud providers' infrastructure is designed with redundancy to avoid single points of failure.
• Backups: Customer data is continuously backed up with point-in-time recovery as transactions are committed, and restoration from these backups is tested to verify data integrity and availability.
• Disaster Recovery Plan: Our cloud service providers maintain comprehensive plans to restore services promptly in the event of a disruption.
AI capabilities within Overcyte are designed to assist users in analysis, prioritisation, automation, and decision support. AI-generated outputs are intended to augment human judgement, not replace it.
• Human Oversight: Customers retain full control over decisions and actions derived from AI-generated insights or recommendations.
• Risk-Based Approach: AI features are assessed for security, privacy, operational, and ethical risks before implementation.
• Transparency: Where AI-assisted functionality is used within the platform, Overcyte aims to provide clear context regarding the nature and purpose of the AI-generated output.
We apply strict controls to protect customer information used in connection with AI-enabled functionality.
• No Training on Customer Data: Customer data is not used to train public or shared AI models.
• Data Isolation: Customer data processed through AI-enabled features maintains the same tenancy isolation and security protections applied throughout the Overcyte platform.
• Data Minimisation: Only the minimum necessary information required to deliver the AI-enabled capability is processed.
• Encryption: Data transmitted to approved AI service providers is encrypted in transit using industry-standard encryption protocols.
Where third-party AI providers are utilised, Overcyte performs security and privacy due diligence prior to adoption.
• Vendor Assessment: AI providers are evaluated against Overcyte's supplier risk management and security assessment processes.
• Restricted Use: Only approved AI tools and services may be used.
• Privacy and Retention Controls: Zero-retention and no-training commitments are enforced technically through the configuration of Overcyte's AI API provider.
AI-assisted development practices are governed by Overcyte's secure software development lifecycle.
• Code Review Requirements: AI-generated code or recommendations are subject to the same peer review and security validation processes as manually developed code.
• Security Testing: AI-assisted functionality undergoes testing to identify vulnerabilities, misuse scenarios, and unintended behaviour.
• Prompt and Output Security: Measures are implemented to reduce risks associated with prompt injection, data leakage, and unauthorised disclosure of sensitive information.
Overcyte adheres to industry standards and undergoes regular audits, including penetration testing, to validate its security posture. We are committed to maintaining compliance with relevant regulations and frameworks to provide assurance to our customers.
We value the security community's contributions to identifying potential vulnerabilities. If you discover a security issue, please report it to us via our Contact Us page.
We are committed to investigating and addressing reported issues promptly.
A complete Data Processing Agreement and a penetration testing report can be made available on request, subject to a signed non-disclosure agreement.