Last reviewed: May 2026

What is in place. What is in progress.

Nothing on this page is aspirational. Controls in place, in-flight, and on the roadmap are each labelled. If a control isn’t ready, we say so.

Score your AI outputs against the 12-question audit-readiness checklist →

Four steps from briefing to first audit pack.

Four steps. Four to six weeks. The deliverable is a regulator-ready audit pack exported on day one of week five.

  1. 01Day 0

    Briefing

    30 minutes with the Fydis team. We pick a real figure from your firm and trace it through the evidence chain together. No sales layer.

  2. 02Week 1

    Scope meeting

    We map your regulator-facing analyses, your integrations, and your audit committee’s preferred export format. DPA in flight.

  3. 03Weeks 2–4

    Workspace setup

    Integrations wired, RBAC mapped to your control library, two-eyes approver list configured, audit-pack template tuned to your regulator.

  4. 04Week 5

    First audit pack exported

    Regulator-ready PDF + JSON delivered to your audit committee. Hashes resolve. Approvals signed. Clauses mapped.

What you receive on every output.

The trust page below documents the controls. This section is what those controls produce. Three artefacts per analysis. All of them regulator-readable on the day the board reads them.

  1. 01

    The audit pack

    Every figure exported as PDF or JSON with the full chain attached: source row, calculation method, captured-at hash, named approver, regulator clause. Reproduces from the same inputs years later.

    Maps to ISO 27001 Annex A.5.30 (ICT readiness) + APRA CPS 234 ¶20 (information asset identification and classification).

  2. 02

    The sign-off log

    Two-eyes review by named approvers from your control library. Each sign-off written to tamper-evident storage with seven-year retention. The log names the human, the timestamp, and the policy version in effect at the time.

    Maps to ISO 27001 A.5.15 (access control) + APRA CPS 234 ¶23 (testing of information security controls) + AASB S2 ¶6 (governance of climate-related risks).

  3. 03

    The compliance export

    Each figure pre-formatted for the regulator that will read it: ASIC s912A AFSL obligations, APRA CPS 230 §22, AASB S2 ¶29(a). The export reads as the regulator would read it, not as your team happens to have it.

    Maps to ISO 27001 A.5.34 (privacy and PII) + Privacy Act APP 1.7 ADM transparency (commences 10 December 2026).

The controls behind those artefacts

Data residency
AU · AWS ap-southeast-2
Sydney · default · no data leaves AU without explicit authorisation
ISO 27001
In progress
71 of 93 Annex A controls in place · target H2 2026
Incident notification
24-hour commitment
Privacy Act NDB scheme · initial notice within 24 hours of confirmed breach
CPS 234 alignment
Documented
Incident classification aligned to APRA material security incident definition
Sub-processor list
Current
8 vendors listed · 30-day notice before any change
If a control is not yet in place, the trust page says so on the same line as the controls that are. Honesty about the gap is the only durable signal.Fydis team
  1. STAGE·01
    Brief

    A question in plain language, the way you would brief a junior. You attach the client file, and nothing is re-keyed.

    Stage
  2. STAGE·02
    Retrieve

    Fydis reads the systems the practice already runs and pulls the source rows, not summaries of them.

    Stage
  3. STAGE·03
    Verify

    Every claim resolves to a source row and figures reconcile to the dollar. Each check states the condition that fails it.

    Stage
  4. STAGE·04
    Evidence

    Clause map, sign-off record and replay hash, packed with the answer and ready to sign.

    Stage

Trust pages

What is an honest stub today

DPA. Available on request. Email hello@abrlabs.io and a redlined copy comes back within 48 hours. Not published on the site because procurement teams negotiate from a known starting point, and the DPA is part of that conversation.

Vulnerability disclosure policy. Publishing Q3 2026. Until then, send reports to hello@abrlabs.io. Safe-harbour language and PGP key publish at the same time.

Status page. Manual updates today. Wired to Instatus before the Firm tier publishes broadly.

Questions? Email hello@abrlabs.io. Security-specific questions are routed internally to the security team within 24 hours.