“Because one copy is never enough. Control-C safeguards your Xero and QuickBooks ledgers, Cin7 inventory, and XPM workflows, captured, searchable, and recoverable when the cloud isn’t.”

Trust Center

Security, privacy, and compliance

Aggregate links to policies, attestations, and updates.

Visit legal center View status page

The Control-C Trust Center provides real-time visibility into our security, privacy, and compliance posture. Use this page to access independent attestations, review policies, and subscribe to updates affecting your business continuity programs.

Platform Security

  • Architecture: Multi-tenant platform operated across New Zealand dual-region infrastructure, with Wellington as the primary environment and Auckland as the secondary failover environment. Encryption at rest (AES-256) and in transit (TLS 1.2+) is enforced by default.
  • Identity & Access: Single sign-on (SAML, OIDC), SCIM provisioning, and mandatory MFA for privileged roles. Role-based access control enables least-privilege assignments.
  • Secure Development: Integrated secure SDLC, static analysis, dependency scanning, and peer-reviewed pull requests. Production deployments require automated and manual approvals.

Compliance and Security Alignment

  • SMB1001 Cyber Security Framework: controls aligned with Silver maturity practices; certification has not yet been applied for or awarded.
  • Control mappings maintained against Essential Eight, UK Cyber Essentials, CMMC, ISO 27001, and Right Fit for Risk to simplify evidence crosswalks.
  • HIPAA Business Associate Agreement requests can be reviewed for applicable workloads.
  • SMB1001-aligned control mapping is available for NIST CSF, CIS Critical Security Controls, and FFIEC due diligence discussions.

Request compliance documentation or complete due diligence questionnaires by emailing compliance@control-c.com.

Data Protection and Privacy

  • Privacy Policy and GDPR Statement outline lawful bases, rights management, and supervisory contacts.
  • Customer backup data stored in Control-C’s managed platform remains in New Zealand across Wellington and Auckland infrastructure. The Auckland failover environment is hosted within facility-level ISO 27001-certified data centre infrastructure.
  • Annual third-party penetration tests, quarterly tabletop exercises, and simulated phishing campaigns strengthen incident readiness.

Incident Response

  • 24/7 security operations with defined playbooks for vulnerability handling, data breaches, and platform outages.
  • Customer notifications delivered via the status page, email, and in-product alerts.
  • Post-incident reviews are shared with impacted customers, including root cause, remediation, and prevention steps.

Business Continuity

  • Primary infrastructure in Wellington with geographically independent failover capability in Auckland.
  • Dual-region replication, downloadable backup exports, optional customer-controlled storage, and In-Control offline access provide multiple independent recovery paths.
  • Disaster recovery tests and continuity exercises are conducted regularly, with executive summaries available under NDA where appropriate.
  • Vendor risk management program evaluates critical suppliers quarterly, aligning with our Subprocessor Registry.

Infrastructure Framework

  • Infrastructure & Business Continuity explains how the Wellington primary environment, Auckland failover environment, NZ data sovereignty controls, exportable datasets, and offline access fit together.

Stay Informed

  • Subscribe to trust bulletins: trust@control-c.com
  • Report a vulnerability: security@control-c.com
  • Media or analyst inquiries: press@control-c.com

View live operational metrics and maintenance updates on the Control-C Status Page.

Last updated: May 18, 2026

Xero Certified App badge
Xero Certified App
Built to Xero’s technical and security standards.
30-day money-back guarantee badge
30-Day Money-Back Guarantee
If Control-C isn’t the right fit within your first 30 days, we’ll fully refund your subscription and initial backup fees.