Skip to content
Modica Group website banner-1

Trust Centre

Protecting What Matters


Modica has been providing trustworthy, secure and reliable messaging services to large enterprise and government customers for over 20 years. Our customers trust us to deliver critical messages to their users safely and securely every time and we take that responsibility seriously. It’s why we continue to invest in our commitment to protect our customers’ data and have made the security of our platform our highest strategic priority.

Our Trust Centre provides you with an overview of how we protect our customer’s critical information. Our team is always happy to answer any further questions you have after you have read through the material. You can contact us via


Modica Group prioritises robust security measures, including advanced encryption, continuous monitoring, and strict access controls, ensuring SOC 2 and GDPR compliance. These practices protect client data, fostering trust and reliability in their communication solutions.


Security and Privacy Controls

We have developed a comprehensive set of policies and standards to ensure we have robust security and privacy controls in place to protect our customers’ data.

Asset Management Effective asset management is required to ensure Modica Group maintains adequate control over its organisational resources. For other areas to be effective, such as vulnerability management, access control etc, Modica requires a detailed understanding of both the resources we have, along with who is responsible for them. The asset management standard details the requirements for effective asset management across the organisation. 
Audit and Assurance

Modica Group shall carry out due care and due diligence activities throughout an asset’s lifecycle by conducting periodic assessments of Modica Group assets to evaluate the effectiveness of applicable security controls. 

The purpose of this standard is to ensure controls are in place and that Modica Group comply with applicable statutory, regulatory and contractual compliance obligations.

Business Continuity

Modica Group shall establish and manage the capability for maintaining the Continuity of Operations (COOP) to ensure the availability of critical technology resources during adverse conditions.

The purpose of the Business Continuity and Disaster Recovery (BCDR) standard is to establish processes that will help Modica Group recover from adverse situations with minimal impact on business operations.

Change Enablement To ensure Modica Group doesn’t introduce unnecessary risks into the environment, change enablement needs to be effectively designed and communicated across the organisation. This ensures continued, and uninterrupted service to our customers.
Data Management To ensure Modica Group is managing data in accordance with applicable statutory, regulatory and contractual compliance obligations, secure data management practices must be followed. For this to be achieved, Modica Group is required to identify and implement appropriate safeguards, commensurate with the sensitivity of the information.
Human Resources To ensure Modica Group manages the lifecycle of human capital appropriately, specific requirements must be followed. The human resource standard details the requirements for managing personnel who interact with Modica Group resources, throughout their lifecycle. 
Identity and Access Management (IAM) The Identity and access management (IAM) standard details the requirements for access to all Modica Group resources (both digital and physical). For Modica Group to meet regulatory, statutory and contractual requirements, sound IAM processes and procedures must be followed, ensuring that access is limited to those who require it.
Incident Management

Modica Group shall maintain a security incident handling capability that includes adequate preparation, detection, analysis, containment, recovery and reporting activities as part of its ITSM capabilities and practices.

The purpose of this standard is to establish and maintain a capability to inform Modica Group’s response when security-related incidents occur.

Information Security Risk Management

The management of risk is critical to ensure Modica Group’s long-term success. Therefore, Modica Group must regularly assess information security risk to its business operations, assets and data.

The purpose of the Information Security Risk Management Standard is to ensure that risks are visible to, understood and managed by the relevant stakeholders, business owners and business functions that are accountable and responsible for protecting information systems and ensuring there are  practices, standards, processes and procedures in place which are commensurate to the relevant security risk. 

Logging and Monitoring For Modica Group to gain situational awareness of cybersecurity events, technology assets must adhere to configuration management requirements. This involves logging security events and forwarding these to allow the centralised monitoring and review of logs. This aids Modica Group in identifying anomalous behaviour so that appropriate steps can be taken to remediate potential cybersecurity incidents.
Mobile Device Management (MDM)

As mobile devices such as laptops, tablets and phones pose an evolving risk to Modica Group, security controls governing the use of such assets and the methods of connectivity shall be implemented.

The purpose of the Mobile Device Management (MDM) standard is to identify security measures that must be adopted to manage the risks introduced by using mobile devices, regardless of whether the device is owned by Modica Group, its users or trusted third parties.

Operating Environment (SOE) To ensure Modica Group has a controlled and secured environment, the configuration of assets must be done following approved secured baselines. This ensures Modica Group maintains control over organisational assets, whilst also reducing the likelihood of introducing vulnerabilities into the environment.
Physical Security The purpose of the physical security standard is to minimise risk to Modica Group systems and data by addressing applicable physical security and environmental concerns. Noting Modica operates a cloud native model, with zero trust architecture principles, most of the requirements noted in this document will be the responsibility of a service provider. 
Secure Software Development Lifecycle Risk must be managed throughout the Secure Development Life Cycle (SDLC). Therefore, all technology initiatives shall implement and maintain appropriate security controls through the life cycle of the asset(s) or service(s).

Modica Group shall implement the principles of “least privilege” and “least functionality” in the development and implementation of technology, regardless of whether it is internally developed or acquired from a third party.

Technology development and acquisition must employ adequate security measures during all phases of the Secure Development Life Cycle (SDLC) to ensure security and privacy-related risks are identified and appropriately remediated.
Security Awareness and Training

In order to mitigate risks introduced by employees use of digital resources, Modica Group requires its employees to undergo security awareness and training across their tenure with Modica Group.  

This document aligns Modica with the relevant information security frameworks to ensure we are meeting our information security objectives.

Threat and Vulnerability Management To ensure Modica Group is able to quickly and effectively respond to emerging threats and vulnerabilities, detailed processes and procedures need to be established to address the constantly changing environment. The purpose of this standard is to proactively manage the risks associated with technical vulnerability management.
Privacy Modica’s Privacy Framework and Standard establishes a comprehensive approach to the protecting personal information collected and processed by Modica as part of providing our intelligent messaging services. Our framework is developed taking into account applicable laws and good practice guidelines. Further information on our approach to privacy can be found in our Privacy Statement or by contacting our Privacy Officer at

Sub Processors


Modica engages the following sub-processors in order to provide our intelligent messaging services to our customers.

JumpCloud Inc.
Device and Identity Management Services
Atlassian Pty Ltd
Service Desk software (Jira)
Release Management (Bamboo)
Developer Services (BitBucket)
Slack Technologies Limited
Internal Communication Platform
Amazon Web Services EMEA SARL
Infrastructure Services
ElasticSearch Pty Ltd
Security Services

Software Configuration Management

Hashi Corp Inc (Terraform Cloud)
Infrastructure Tool
Agilebits Inc (1Password)
Password Management
Workplace tools
Confluent Inc (Kafka)
Data Services
Cloud-Based Accounting
Cyber Security Services


Your company creates, collects and communicates valuable data. It holds the trust of customers, staff and vendors and is bound by the law. Here's how we protect that data and maintain your trust.
Why you should trust us? Our cloud based messaging platform is built to offer highly available, scalable and secure cloud services. We are trusted by large, varied organisations across the world, in a range of critical industries, including; finance, IT, Government, health and education. In 2021 we celebrate 20 years of providing trustworthy, secure, reliable service.
What security measures do we take? We start with password hashing and salting, least privilege access, security focussed software development and regular penetration testing.
How do we protect access? Staff access to Modica's platform is limited to authorised personnel, secured with TLS (Transport Layer Security) 1.2, strong passphrases, VPN (Virtual Private Network) and MFA (Multi Factor Authentication). We continually refine these controls to maintain security.
How do we keep our application and your data secure? Our services are primarily written in PHP, Go and Typescript. These follow security best practices from organisations such as the OWASP Foundation. We continually adopt a privacy and security by design approach that includes a regular cadence to scan the platform for vulnerabilities and remediate findings that impact customers.
How do we protect your data when we rollout improvements? Changes to our code base go through a suite of automated tests as well as peer reviews before changes are pushed to the production environments.
How do we respond to privacy and security incidents? We maintain an incident response plan that follows triage, investigation & remediationof incidents. In the event of a breach, affected customers are notified as part of our commitment to security and privacy in accordance with NZ law privacy principles and GDPR.
How secure is our data centre? Our platform is deployed to AWS which has a robust security and compliance program, including controls that are SOC 2 and ISO 27001 certified. For more information on AWS processes, please visit:
What other things do we do to protect your information? Our staff undergo formal security awareness training on hire, complete a criminal and identify check, and are required to report suspicious activity. Our offices are secured via keycard access.
Do we have any certifications or attestations? Security is at the core of everything we do. Achieving and maintaining SOC 2 attestation is a testament to our security practices including our commitment to protect your most valuable asset, your data. SOC 2 is a rigorous standard from the AICPA to ensure that service providers securely manage and protect sensitive data. Achieving this compliance demonstrates our dedication to implementing and maintaining stringent security measures, giving you the confidence that your data is handled with the utmost care and integrity.
How does our product protect your data? We provide native in-product protection and mechanisms that give you greater visibility and control over your data. Product users can securely communicate with the platform with SAML 2.0. All data is secured in-flight using TLS 1.2 or greater.
How do we secure your information? All production data is encrypted at rest with AES 256.
How do we restrict access to your information? Our platform is a multi-tenant web application. User authentication, logical database separation & session management controls are implemented to restrict access to only your Account.
How do we ensure reliability and business continuity? We offer insights into real-time and historical platform status with a 99.9% uptime commitment to all our customers. Our platform is cloud native and is hosted in AWS Australia across multiple availability zones. Our platform is built to automatically and securely backup data daily and across multiple AWS availability zones. This is coupled with DR processes to restore services in the event of catastrophic failures.
How do we help protect the privacy of your information? We’re committed to protecting your data and have a robust privacy program that aligns with all applicable regulations. We provide in-product administrative features such as IP whitelisting, fine grained permissions and more that are designed to give you greater control over your data.
How do we maintain the confidentiality of your information? We treat all customer data as confidential. Access to your data is restricted to only those who require such information as part of their job and only where it is required to provide a specific service to you as a customer.
For how long is your information retained? We retain your information only for the period necessary to provide services to you as a customer.
How do we preserve data sovereignty? Our platform is designed to preserve data sovereignty. Your data resides only in AWS Australia and is only accessible by Modica staff and approved-third parties.
Still have questions?

Please contact your Account Manager. They will work with our Security team to answer your questions.

For general queries, please contact our Support team via or call 0800 77 66 22.

Contact us today to learn more about
our Intelligent Messaging solutions