Trust & compliance.
Where we sit legally, what we can and can't do, where the data lives, and the open-source code that backs every claim. This page is the URL you can paste into a procurement questionnaire.
Legal entity
- Trading name: Hoist Assets
- Operating entity: HoistAI Pty Ltd
- ABN: 11 695 718 659
- ACN: 695 718 659
- Registered office: 81–83 Campbell Street, Surry Hills NSW 2010
- Principal place of business: Same.
- GST registered: Yes (effective 2024).
AFSA B2G Account status
Hoist Assets is not yet authorised under AFSA's B2G Account framework. AFSA Discovery access was requested 2026-05-17; the B2G Production application is prepared and pending submission. Full status, scope, and timeline at /trust/afsa-b2g. The framework — when we are approved — permits org-only searches: organisations and serial-number searches. It does not permit individual-grantor searches under any condition; see /trust/npii-boundary.
Org-only boundary
The API rejects individual-grantor inputs at the boundary with a 400 response before any search runs. There's no search_individual, no lookup_by_licence, no find_person_by_address. The API spec is open at /.well-known/openapi.json; check for yourself. For where the line actually is, see /trust/npii-boundary.
Audit chain
Every search creates an append-only audit-chain entry containing the search type, target identifier (ACN/serial), timestamp, certificate hash, user ID, and the hash of the previous entry. Chain entries are public-hash-published; you can verify any record you generated at /api/v1/records/{id}/verify.
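The hash chaining described above, as an added example rather than code from this page or from the hermes repository: it builds entries with the listed fields and reports the first entry that fails verification, including the case where only an independently published hash exposes a rewrite. Assumptions: SHA-256 over canonical JSON, the field names, an all-zero hash before the first entry, and a `published` map standing in for the publicly published hashes; the sample data is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumption: prev_hash value used by the first entry


def entry_hash(entry):
    """SHA-256 of canonical JSON over every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(chain, search_type, target, timestamp, certificate_hash, user_id):
    """Append an entry that commits to the previous entry's hash."""
    entry = {
        "search_type": search_type, "target": target, "timestamp": timestamp,
        "certificate_hash": certificate_hash, "user_id": user_id,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def first_invalid(chain, published=None):
    """Index of the first entry failing verification, or None if all pass.

    published: optional {index: hash} obtained out of band. Without it, a
    rewrite that recomputes every later hash is internally consistent.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry_hash(entry) != entry["hash"]:
            return i
        if published and published.get(i, entry["hash"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def sample_chain():
    """Constructed sample data; identifiers and hashes are made up."""
    chain = []
    append_entry(chain, "organisation", "ACN 000000001", "2026-01-05T01:00:00Z", "aa" * 32, "user-1")
    append_entry(chain, "serial", "SERIAL-EXAMPLE-1", "2026-01-05T01:05:00Z", "bb" * 32, "user-1")
    append_entry(chain, "organisation", "ACN 000000002", "2026-01-06T09:30:00Z", "cc" * 32, "user-2")
    return chain
```

An in-place edit or a deleted entry breaks the chain at that index; a full rewrite passes the internal check and is caught only by comparing against a hash recorded elsewhere.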
The open-source trust runtime
The OAuth-2.1 + Resource-Indicators code, the consent-receipt schema, the audit-chain implementation, and the price-confirmation flow are open-sourced at github.com/HoistAiorg/hermes (the runtime we share with Quokkafi). It's MIT-licensed; copy it if you need similar primitives.
Infrastructure
- Compute: Cloudflare Workers (Sydney region preferred, edge-routed by default).
- Database: Cloudflare D1 (SQLite) — primary AU.
- Object storage: Cloudflare R2 — AU residency for record PDFs and certificates.
- Payments: Stripe (merchant of record). We do not store card numbers, expiry, or CVC.
- Email: Postmark.
- Error tracking: Sentry, AU region.
Residency model in detail at /trust/residency. Where Cloudflare or Stripe processes data outside AU, the categories and lawful bases are listed there.
Security
- Disclosure policy: /security. RFC 9116 security.txt at /.well-known/security.txt.
- Penetration testing: Annual third-party test (next scheduled 2026-09).
- SOC 2 / ISO 27001: Not yet certified. Honest: we will be by 2027 if customers ask for it; today we'll provide a CAIQ-lite questionnaire if you need one.
- Encryption: TLS 1.3 in transit; AES-256 at rest (Cloudflare-managed keys); per-customer encryption keys for record PDFs on Team tier.
Insurance
Professional indemnity (A$5M aggregate), cyber liability (A$2M), public liability (A$10M). Certificates available on request to procurement contacts.
Data retention
Records and certificates: active for 30 days after subscription ends (export window). Audit-chain entries (hashes only, no PII): retained indefinitely so historic verification works. Account metadata: retained for 7 years after closure to satisfy AU tax requirements.
Subprocessors
| Vendor | Purpose | Region |
|---|---|---|
| Cloudflare, Inc. | Compute, storage, CDN | AU (Sydney) + global edge |
| Stripe Payments Australia | Payment processing | AU + US |
| Postmark (ActiveCampaign) | Transactional email | US |
| Sentry | Error monitoring | AU |
| Clerk | Dashboard sign-in (email passcode, password, OAuth, passkey) | US (data minimised) |
| AFSA | Source PPSR register (the whole point) | AU |
| ABR / ATO | Source ABN register | AU |
Material changes to this page
Tracked in /changelog with the tag trust. RSS feed: /changelog/feed.xml.
Sub-pages
- Org-only boundary — what we will and won't search.
- AFSA B2G Account — application status, scope, current pathway.
- Data residency — where every byte sits.
- Security — disclosure, encryption, certifications.
