What is in place. What is in progress.
Nothing on this page is aspirational. Controls in place, in-flight, and on the roadmap are each labelled. If a control isn’t ready, we say so.
Four steps from briefing to first audit pack.
Four steps. Four to six weeks. The deliverable is a regulator-ready audit pack exported on day one of week five.
- 01Day 0
Briefing
30 minutes with the Fydis team. We pick a real figure from your firm and trace it through the evidence chain together. No sales layer.
- 02Week 1
Scope meeting
We map your regulator-facing analyses, your integrations, and your audit committee’s preferred export format. DPA in flight.
- 03Weeks 2–4
Workspace setup
Integrations wired, RBAC mapped to your control library, two-eyes approver list configured, audit-pack template tuned to your regulator.
- 04Week 5
First audit pack exported
Regulator-ready PDF + JSON delivered to your audit committee. Hashes resolve. Approvals signed. Clauses mapped.
What you receive on every output.
The trust page below documents the controls. This section is what those controls produce. Three artefacts per analysis. All of them regulator-readable on the day the board reads them.
- 01
The audit pack
Every figure exported as PDF or JSON with the full chain attached: source row, calculation method, captured-at hash, named approver, regulator clause. Reproduces from the same inputs years later.
Maps to ISO 27001 Annex A.5.30 (ICT readiness) + APRA CPS 234 ¶20 (information asset identification and classification).
- 02
The sign-off log
Two-eyes review by named approvers from your control library. Each sign-off written to tamper-evident storage with seven-year retention. The log names the human, the timestamp, and the policy version in effect at the time.
Maps to ISO 27001 A.5.15 (access control) + APRA CPS 234 ¶23 (testing of information security controls) + AASB S2 ¶6 (governance of climate-related risks).
- 03
The compliance export
Each figure pre-formatted for the regulator that will read it: ASIC s912A AFSL obligations, APRA CPS 230 §22, AASB S2 ¶29(a). The export reads as the regulator would read it, not as your team happens to have it.
Maps to ISO 27001 A.5.34 (privacy and PII) + Privacy Act APP 1.7 ADM transparency (commences 10 December 2026).
The controls behind those artefacts
If a control is not yet in place, the trust page says so on the same line as the controls that are. Honesty about the gap is the only durable signal.Fydis team
- STAGE·01Brief
A question in plain language, the way you would brief a junior. You attach the client file, and nothing is re-keyed.
Stage - STAGE·02Retrieve
Fydis reads the systems the practice already runs and pulls the source rows, not summaries of them.
Stage - STAGE·03Verify
Every claim resolves to a source row and figures reconcile to the dollar. Each check states the condition that fails it.
Stage - STAGE·04Evidence
Clause map, sign-off record and replay hash, packed with the answer and ready to sign.
Stage
Trust pages
Security
Cryptography, authentication, authorisation, infrastructure, monitoring, and vulnerability disclosure. One page, no softening.
Read disclosures →Sub-processors
Every third party that touches customer data, what they handle, and what data flows where.
View sub-processors →Data residency
Default AU posture. LLM routing options. What leaves Australia and under what conditions.
Read residency policy →ISO 27001 status
Honest progress: controls in place, controls in-flight, auditor timeline, and adjacent programmes.
See current status →Incident response
Escalation paths, customer notification SLAs, CPS 234 classification, and post-incident transparency commitment.
Read IR plan →What is an honest stub today
DPA. Available on request. Email hello@abrlabs.io and a redlined copy comes back within 48 hours. Not published on the site because procurement teams negotiate from a known starting point, and the DPA is part of that conversation.
Vulnerability disclosure policy. Publishing Q3 2026. Until then, send reports to hello@abrlabs.io. Safe-harbour language and PGP key publish at the same time.
Status page. Manual updates today. Wired to Instatus before the Firm tier publishes broadly.
Questions? Email hello@abrlabs.io. Security-specific questions are routed internally to the security team within 24 hours.