System Security
Explore the encryption, access controls, and platform protections that safeguard sensitive data across all DekkoSecure services.
IRAP PROTECTED Level Secure File Sharing and Collaboration
Summary
DekkoSecure has been independently assessed at the IRAP PROTECTED level against the Australian Government ISM, validating its end-to-end encryption, zero-knowledge architecture, access controls, and operational security. The assessment covers the full Australian-hosted DekkoCORE environment across cryptography, IAM, audit, hosting, vulnerability management, and incident response. While not a government certification, the IRAP assessment informs agencies’ PSPF-aligned, risk-based accreditation for handling PROTECTED information. This enables secure, sovereign, end-to-end encrypted file sharing and collaboration for government and regulated sectors.
Scope of Assessment
What does DekkoSecure's IRAP assessment cover?
The assessment applies to DekkoSecure's full Australian-hosted environment, covering DekkoCORE end-to-end encrypted file sharing, collaboration, messaging, eSignatures, public submissions, and video meetings.
An ASD-endorsed independent assessor evaluated the platform against ISM controls applicable to systems processing, storing, and communicating information classified up to and including PROTECTED. The scope includes DekkoSecure's end-to-end encryption model, zero-knowledge encryption architecture, identity and access management, audit logging, hosting infrastructure, and operational security procedures.
This means the assessment covers DekkoSecure at the application, encryption, and underlying cloud infrastructure layers where it is hosted.
Definitions
What is IRAP and what does PROTECTED classification mean?
IRAP is administered by the Australian Signals Directorate (ASD) and provides a standardised framework for independent security assessments of ICT systems against the ISM. IRAP assessors hold ASD endorsement, maintain security clearances, and are qualified across multiple cybersecurity disciplines. An IRAP assessment is not a government certification or endorsement. It is an independent evaluation that agencies use as input to their own risk-based accreditation decisions under the Protective Security Policy Framework (PSPF).
Under the PSPF, information is classified as PROTECTED when its compromise could cause damage to national security, government operations, commercial interests, or personal safety. PROTECTED sits above OFFICIAL: Sensitive and below SECRET in the classification hierarchy. Systems assessed at this level must demonstrate controls across cryptographic protection, access management, system hardening, vulnerability management, incident response, and audit accountability.
Acronym
IRAP
Infosec Registered Assessors Program. Administered by the Australian Signals Directorate. Provides independent assessment of ICT systems against the Information Security Manual.
Classification
PROTECTED
The classification level above OFFICIAL: Sensitive and below SECRET. Applied to information whose compromise could damage national security, government operations, or personal safety.
ISM Requirements
How does DekkoSecure meet ISM requirements at PROTECTED level?
DekkoSecure addresses the PROTECTED level across six core domains. Rather than relying on infrastructure-level safeguards alone, the platform is built with a security-first mindset that enforces these requirements through its architecture. Cryptographic, access, and audit controls are embedded directly into the application layer, alongside data sovereignty, vulnerability management, and incident response.
Cryptographic protection
All content is end-to-end encrypted using AES-256 for symmetric file and message keys and ECC-384 for user key pairs. Encryption and decryption occur on the user's device. DekkoSecure operates a zero-knowledge encryption model, meaning that even as the service provider DekkoSecure cannot access or decrypt any customer data, across files, messages, and video traffic.
Access control
Hub-based permissions control who can view, download, share, or manage content. The platform supports SSO integration, multi-factor authentication, and session controls, enforced through a zero-trust model.
Audit and accountability
All actions generate immutable, tamper-evident audit logs that cannot be modified or deleted by any user, including administrators. This supports compliance, investigations, and digital chain of custody without exposing file contents.
Data sovereignty
The Australian environment hosts all data exclusively within Australian territory on Microsoft Azure and Oracle Cloud Infrastructure (OCI). Zero-knowledge encryption ensures that infrastructure-level access cannot expose customer content.
Vulnerability management
DekkoSecure undergoes regular independent penetration testing and applies continuous patching and configuration hardening aligned with ISM guidelines.
Incident response
Documented procedures align with ISM requirements for detecting, managing, and reporting security incidents. Monitoring and alerting systems operate continuously.
Who Benefits
Who benefits from DekkoSecure's IRAP assessment?
DekkoSecure's IRAP PROTECTED level assessment supports organisations that need to share, manage, or collaborate on PROTECTED-level information, and can use the assessment as a direct input to their own accreditation process.
Australian government agencies sharing PROTECTED files across agencies or with external partners.
Defence supply chain organisations exchanging classified designs and technical documents.
Law enforcement agencies collecting and sharing digital evidence across organisational boundaries.
National security teams requiring end-to-end encrypted file sharing and inter-agency collaboration.
Judicial departments exchanging case files and evidence with confidentiality protections.