Security and compliance

Security and compliance for Australian cloud workloads.

Icarus is engineered for regulated workloads. The platform targets ISO 27001 and SOC 2 by mid-2026 — both certified at launch — and runs on Australian sovereign infrastructure with hidden-facility physical security. Security is treated as posture, not feature.

Certifications

Two formal certifications, both targeting issuance at launch.

Until certificates issue, copy on this site uses 'certified at launch' or 'targeting ISO 27001 and SOC 2 by mid-2026' — we don't claim certified status before the auditor signs it.

Targeting issuance — mid-2026

ISO/IEC 27001

Information Security Management System certification. Scope covers Icarus's IaaS platform, supporting infrastructure, and IDEN as the operating entity.

Targeting issuance — mid-2026

SOC 2 Type II

Type II assurance period running through the network's first reporting window. Trust Services Criteria covered: Security, Availability, and Confidentiality at launch; Processing Integrity and Privacy on the post-launch roadmap.

Customer-facing certificates and scope statements are shared under NDA on request via /contact.

Data residency and sovereignty

Australian-only by default.

Every byte of customer data, every snapshot, every backup, every log entry sits inside an Australian facility. There is no cross-border replication offered at launch.

APRA-regulated workloads

The audit trail is built to satisfy APRA CPS 234 and CPS 230 supervisor review. Hidden-facility posture and locked AU-only residency support both standards.

State and federal government

Procurement-grade evidence, including data residency attestations, supply-chain attestation, and incident-response posture, is available under formal review.

Healthcare and regulated software

AU-residency, encryption at rest and in transit, role-based access controls, and per-customer audit logging support the compliance perimeters typically required.

Security architecture

The default posture across every account, every VM.

Encryption at rest

All block storage encrypted at rest with platform-managed keys; customer-managed keys on the post-launch roadmap.

Encryption in transit

TLS 1.2+ on every public surface; internal control-plane traffic encrypted across the platform.

Identity and access management

Role-based access controls with granular permissions, MFA mandatory for portal access, API tokens scoped per-purpose, and audit-logged authentication.

Audit logging

Customer-facing audit logs for portal and API actions, retained for the contractual minimum and exportable on request. Platform-internal logs retained per the SOC 2 scope.

Key management

Platform-managed keys with rotation policy at launch; customer-managed key option on the roadmap.

Vulnerability management

Continuous patching at the hypervisor and platform layer; published responsible-disclosure path for external researchers.

Incident response

Documented incident response process with customer notification commitments aligned to SOC 2 and APRA expectations.

Physical security

The hidden-facility posture.

Described in detail on the Infrastructure page. Summary: addresses are not public, access is biometric and audited, and the audit trail is built for ISO 27001 and SOC 2 Type II review. For compliance buyers, this is the difference between a vendor a CISO can sign off and one a CISO has to defend.

For compliance buyers

Need a formal security review pack?

SOC 2 report, ISO 27001 statement of applicability, data-residency attestation, sub-processor list, incident response runbook, regulator-acceptable audit trail — the right next step is to talk to engineering. We share these under NDA, scoped to the workload you're evaluating.

Most teams should just create an account. The security review pack exists for the cases where self-service isn't enough on its own.

Audit posture

Our audit posture is the audit trail.

Continuous internal audit, customer-facing logs on portal and API actions, regulator-aligned incident response. Talk to engineering for the formal pack.