• Welcome to Creative Force Trust Centre
At Creative Force, safeguarding the security, confidentiality and availability of your data is fundamental to everything we do. We hold ourselves to internationally recognised frameworks and industry standards, and put our practices to the test through independent third-party assessments and regular security testing.
  • Announcements

Safeguarding student data in regulated environments

Creative Force has achieved approval under Australia’s ST4S government assurance framework for use within state education systems. The framework evaluates vendors against defined requirements for security, privacy and governance in regulated school environments. While geographically specific, this approval reflects our ability to operate as secure infrastructure supporting organisations managing student data and other sensitive information.

Published on Feb 24, 2026

  • Compliance

Documentation of our compliance against global standards including certifications, attestations, and audit reports.

GDPR

SOC2

ISO27001

PCI DSS
Microsoft
SSPA
Cyber
Essentials
  • Controls
  • Data security
  • Infrastructure security
  • Network security
  • Organization security
  • Product security
  • Topics and common questions

Creative Force encrypts all data at rest (AES-256bit) and in transit (minimum TLS 1.3) using secure ciphers.

Client data is stored within Creative Force’s approved Cloud Service Provider: Amazon Web Services. Data resides in a client approved region.
We offer a choice of data residency in the following regions: Australia, Canada, European Union, Hong Kong, United Arab Emirates, United States.

Creative Force maintains a list of authorised sub-processors whose appropriate technical and organisation measures have been established and maintained. Please see: https://creativeforce.team/privacy-policy/ and https://creativeforce.team/sub-processors/ for more information.

All Creative Force personnel receive security and privacy awareness training both during onboarding and throughout the year thereafter. Such training covers topics such as good password management, information security, phishing awareness, and compliance topics with regards to privacy and data protection.
A full database backup is taken every 24 hours. Database snapshots are taken every 5 minutes. All database backups and snapshots are retained for 30 days. Our current recovery time is around 90 mins from the latest available snapshot, but Our goals for 2026 is to maintain and average RTO (Recovery Time Objective) under 1.5 hours.
  • Privacy details

We are committed to providing you with the best possible experience, which includes the security, privacy and integrity of your personal data. For more details, see the links below.

Compliance

GDPR

Creative Force is committed to assisting its clients with meeting applicable GDPR requirements, and has set out Data Processing Agreements that outlines the appropriate technical and organisational measures to help protect personal data. Please refer to our data processing agreement for more details: https://creativeforce.team/data-processing-agreement/

SOC2

“As of December 2024, Creative Force successfully completed the SOC 2 Type 1 examination, demonstrating our commitment to the security, availability, and confidentiality of client data. We subsequently completed the SOC 2 Type 2 observation period from January to March 2025, with the final report issued in June 2025 by Insight Assurance, achieving full compliance across the Trust Services Criteria for Security. Please see the Security section to download the latest report.

We are also currently undertaking our second SOC 2 Type 2 audit, covering the observation period from October 2025 through March 2026, as part of our ongoing commitment to continuous security and compliance assurance”

ISO27001

As of 12 April 2024, Creative Force successfully met the requirements for ISO/IEC 27001:2022 with no outstanding nonconformities. The certificate was issued on 16 May 2024. A first surveillance audit and re-issue of the certificate was completed in March 2025 with no outstanding nonconformities, followed by a second successful surveillance audit completed in March 2026, also with no outstanding nonconformities. Please see the Security section to download the latest certificate.

PCI DSS

As of May 2026, Creative Force completed the self-assessment PCI-DSS v4.0.1 SAQ-A controls. This achievement underscores our commitment to maintaining the highest standards of security for our clients’ payment card data, ensuring compliance with industry best practices and regulations. Please see the Security section to download the latest certificate.

Microsoft SSPA

Creative Force is fully compliant with Microsoft’s Supplier Security and Privacy Assurance (SSPA) program. Our organisation exceeds the stringent requirements set out by Microsoft covering topics such as data protection, privacy assurance and risk management. We also maintain clear and open communication about our security and privacy practices, ensuring accountability and fostering trust with our clients.

Cyber Essentials

As of July 2025, Creative Force successfully completed the Cyber Essentials programme, a UK government-backed scheme that helps organisations protect themselves against common online threats. Please see the Security section to download the latest certificate.
Control
  • App security

Creative Force prioritises regular penetration testing conducted by skilled third-party experts. This proactive approach identifies and mitigates vulnerabilities before they can be exploited. Pen testing effectively strengthens our defences, safeguarding sensitive data and validates our secure coding practices. Penetration tests are conducted at least annually.

Creative Force uses a detailed manual and automated code review approach to ensure our platform is as secure and as of the highest possible quality possible. Code is committed to staging environments for quality assurance prior to deployment on production systems.
All personnel have signed confidentiality clauses within their contracts prior to commencement of employment. Creative Force also has a Whistleblower policy for personnel to report concerns.
Creative Force performs monthly and continuous vulnerability scans of the platform. The latest scans are made available upon request or through the Security Details section.
Creative Force runs an internal bug bounty program. If you wish to disclose a security bug then please reach out to security (at) creativeforce (dot) team.
The iterative model (Agile) used by Creative Force is mainly opted for when all system requirements are not clear at the initial stage. It allows a project to develop the software in iterative stages where each stage adds additional functionality. This model allows you to put a functional system into the hands of the client much earlier than the waterfall method.
Creative Fore maintains a vulnerability management policy that determines how known security bugs are prioritised and remediated.
Creative Force has implemented a WAF solution solution that protects mission critical services and underlying APIs from online fraud, including bot attacks and scraping, ensuring the integrity and security of client data is maintained.
  • Data security
Full database backup is taken every 24 hours. Snapshot are taken every 5 minutes. Full backups and snapshots are retained for 30 days.
All client data is encrypted at rest using AES-256bit encryption standards.
Creative Force maintains a security policy that sets out requirements for information security across Creative Force, with the aim of: Protecting client and team data. Safeguarding Creative Force systems and reputation. Providing assurance to prospective clients in a transparent manner.
All data is transit is encrypted using secure ciphers over TLS 1.3 (at a minimum).
Creative Force maintains an access control policy that outlines guidance for creating, modifying, or removing access to approved systems and data.
  • Infrastructure security
Only personnel with a business justification are permitted access to client data, stored in an approved Cloud Service Provider.
Creative Force is configured in a high availability configuration, utilising availability zones hosted within the Cloud Service Provider.
Creative Force maintains a strong password policy that all personnel that have access to Creative Force computer systems, servers and devices, must adhere to.
Security patches are applied based on the vulnerability management policy. All such patches are installed within 30 days of being available.
  • Network security
Creative Force restricts access to SSH (Secure Shell) services, preventing public or unauthorised connections to interact with production services.
All laptop endpoints are configured with firewalls enabled. All production services are managed and protected by Security Groups within AWS. By default the behaviour is to deny-all and permit of exception (as required).
All production systems maintain logs and monitoring services which are centrally stored and tamperproof.
All Creative Force laptop endpoints maintain malware detection software, which is active and kept up to date.
All Creative Force personnel use unique accounts to access mission critical systems, tools and services.
  • Organization security

Creative Force has established and formalised an acceptable use policy that ensures the secure use of Creative Force hardware and software assets, and the appropriate behaviours or activities while using them.

Creative Force maintains a BCDR plan to ensure compliance with data retention policies and procedures, and to ensure that a standard procedure is followed in the event of a disaster.
The Creative Force Code of Conduct (“Code”) is built around our belief that everything we do will be measured against the highest possible standards of ethical business conduct. Our commitment to high standards helps us hire great people, build great products, and attract loyal customers.
Creative Force has prepared a disaster recovery plan in the event of an incident that may render services unavailable. As a fully remote team, in the event of localised outages, the remaining team are available to support the business.

Creative Force has formalised an incident response plan that for handling all incidents that have an impact on resources within the scope of it’s Information Security Management System (ISMS). Please refer to the Creative Force status page for more information.

Creative Force has established an incident response team who will be present and act accordingly in the event of an incident.
All Creative Force personnel receive security and privacy awareness training both during onboarding and throughout the year thereafter. Such training covers topics such as good password management, information security, phishing awareness, and compliance topics with regards to privacy and data protection.
  • Product security
All production data stores are monitored and log all changes, updates or modifications. In the event of a major change e.g. data deletion, this may alert engineering teams to respond and investigate.
All data stores and databases are encrypted at the infrastructure, and application level.
Creative Force enforces MFA for all personnel via it’s identity provider.

Creative Force terms of service can be viewed here: https://creativeforce.team/tos/

Security

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Certificates, reports and audits

Policies
*
If you need assistance, please contact support
Access to Creative Force files is subject to the terms of this confidentiality agreement. Please download and carefully read the terms outlined in the agreement before you accept. You must agree to the terms by checking the box at the end of this form before you can send a request to access the files.*