🇦🇺 Australia · jurisdiction-aware

Three steps to decide if ReguNav fits Australia.

For CFOs, COOs and Heads of Risk supervised by an Australian authority. Skip the architecture diagrams; see the regulator, the deliverable, and the ROI you'll quote to the board.

1. Identify your supervisor: Office of the Australian Information Commissioner (+4 more on this page)
2. Pick your framework: Australia Privacy Act
3. Book an Australia POC: 30-min walkthrough, real engine

Sovereign AI ready for Australia.

ReguNav supports AI vendors operating under Australian Privacy Act 1988 + APPs, TGA SaMD pre-market for medical-device AI, APRA CPS 230 operational risk + CPS 234 information security, ASIC AI guidance, and ACSC Essential 8. NDB scheme notification routed automatically to OAIC.

Australian regulator landscape

Every Australian control on the platform is anchored to a named regulator artefact. When the regulator updates its guidance, the framework registry records the new version and every dependent control inherits it.

Office of the Australian Information Commissioner

Privacy Act 1988 · APPs · NDB scheme

Therapeutic Goods Administration

Medical devices · SaMD pre-market

Australian Prudential Regulation Authority

CPS 230 operational risk · CPS 234 information security

Australian Securities and Investments Commission

Financial-services AI guidance

Australian Cyber Security Centre

Essential 8 · ISM controls

Frameworks anchored in Australia

Australia Privacy Act

1988 (Cth); amended 2022 (Enforcement and Other Measures) · 16 clauses · 12 controls

Australia's federal privacy statute. Applies to APP entities: Commonwealth agencies and private-sector organisations with annual turnover above AUD 3 million, plus the prescribed categories that are covered regardless of turnover (health-service providers, businesses that trade in personal information, related bodies corporate of a covered organisation, credit-reporting bodies, and contracted service providers under a Commonwealth contract). Establishes the thirteen Australian Privacy Principles (APPs) in Schedule 1, covering open and transparent management of personal information; anonymity and pseudonymity; collection of solicited, unsolicited and sensitive information; notification of collection; use or disclosure; direct marketing; cross-border disclosure; government-related identifiers; quality and security; and access and correction. Part IIIC contains the Notifiable Data Breaches scheme. The 2022 amendments substantially increased civil-penalty exposure for serious or repeated interference with privacy.

From the taxonomy · auto-derived

Connected components for Australia.

Derived from @regunav/taxonomy at request time — add a new regulator / agent / framework to its source registry and it surfaces here automatically, no copy edits required.

What you get in Australia.

Honest status on every capability — live means wired end-to-end in production. Pick the ones your driver requires; we'll quote a date for anything not yet live.

Framework rule packs

Live
What you get
24 framework rule packs ship populated — SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act, FedRAMP and more — no empty schemas to fill in.
Problem solved
Buying a compliance tool and finding the rule library empty. Six weeks lost to copy-pasting control text from PDFs before the platform produces anything useful.
ROI
6 weeks saved on first-control-to-evidence onboarding.
Assumes: compared to building one control library per framework in-house.
See all capabilities →

Evidence ranker

Live
What you get
Ranks every artefact you upload against the control it best satisfies — across 24 frameworks at once.
Problem solved
GRC manager spends 8h/week mapping evidence to controls by hand. Most artefacts satisfy 4–7 controls; manual mapping captures one.
ROI (interactive)
8h/wk of compliance-manager time reclaimed
Assumes: team of 50, 3 frameworks in scope, monthly evidence refresh.

Sealed evidence packs

Live
What you get
Content-addressed (sha256) evidence bundle the auditor pulls via URL. Replayable byte-for-byte from any timestamp.
Problem solved
Auditor email chain: 'send me the December evidence again, this time with the policy header'. Three round-trips per request.
ROI (interactive)
$120k audit-prep cost avoided
Assumes: 3 framework audit, $250/h loaded GRC rate, baseline ~480h of prep.

WORM hash-chained audit trail

Live
What you get
Every action against your tenant is logged immutably, with each row carrying the hash of the previous row. Altering one row invalidates the hash of every row that follows it.
Problem solved
Regulator asks 'who approved that change on March 4?' and the answer is a Slack search and a memory.
ROI
Zero regulator findings on access-control evidence.
Assumes: banking-grade auditor sample (typically 25 events) verified against hash chain.
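The per-row hash chain and the verification property described in this card, as an added Python example that is not ReguNav's code: it builds a small append-only log over constructed sample events, verifies it, and reports which row first fails under three kinds of tampering. The row layout, the all-zero genesis value and the out-of-band head anchor are assumptions of the example, not details of the product.

```python
import hashlib
import json

# Assumed genesis value for the first row's "previous hash" (example convention).
GENESIS = "0" * 64


def row_hash(prev_hash, seq, actor, action, ts):
    """Hash the row's content together with the previous row's hash.

    Canonical JSON (sorted keys, no whitespace) so the same row always
    serialises to the same bytes regardless of dict ordering.
    """
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "actor": actor, "action": action, "ts": ts},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only list of rows; each row commits to its predecessor's hash."""

    def __init__(self):
        self.rows = []

    def append(self, actor, action, ts):
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        seq = len(self.rows)
        h = row_hash(prev, seq, actor, action, ts)
        self.rows.append(
            {"seq": seq, "prev": prev, "actor": actor, "action": action, "ts": ts, "hash": h}
        )
        return h


def verify(rows, expected_head=None):
    """Walk the chain from genesis. Returns (ok, first_bad_seq).

    If expected_head is given (a head hash anchored outside the store), the
    final hash must also equal it; a mismatch is reported as seq == len(rows).
    """
    prev = GENESIS
    for i, r in enumerate(rows):
        if r["seq"] != i or r["prev"] != prev:
            return False, i
        if row_hash(prev, i, r["actor"], r["action"], r["ts"]) != r["hash"]:
            return False, i
        prev = r["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(rows)
    return True, None


def demo():
    """Build a log from constructed events and show what each tampering attempt breaks."""
    log = AuditLog()
    # Constructed sample events; not real tenant data.
    log.append("alice", "approve change #17", "2024-03-04T09:12:00Z")
    log.append("bob", "upload policy.pdf", "2024-03-04T10:01:00Z")
    log.append("alice", "revoke api-key k3", "2024-03-05T08:40:00Z")
    log.append("carol", "export evidence pack", "2024-03-06T16:20:00Z")
    head = log.rows[-1]["hash"]  # assumed to be anchored out-of-band (signed, published, or held by the auditor)

    results = {"clean": verify(log.rows, head)}

    # 1. Edit row 1's content only: its stored hash no longer matches -> fails at row 1.
    tampered = [dict(r) for r in log.rows]
    tampered[1]["actor"] = "mallory"
    results["edit_only"] = verify(tampered, head)

    # 2. Edit and recompute row 1's own hash: row 2 still points at the old hash -> fails at row 2.
    t1 = tampered[1]
    t1["hash"] = row_hash(t1["prev"], 1, t1["actor"], t1["action"], t1["ts"])
    results["edit_rehash"] = verify(tampered, head)

    # 3. Rewrite every later row as well: the chain is internally consistent again and
    #    passes without an anchor; only the externally held head catches it (fails at seq 4).
    prev = t1["hash"]
    for r in tampered[2:]:
        r["prev"] = prev
        r["hash"] = row_hash(prev, r["seq"], r["actor"], r["action"], r["ts"])
        prev = r["hash"]
    results["full_rewrite_no_anchor"] = verify(tampered)
    results["full_rewrite_anchored"] = verify(tampered, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third case is the caveat a practitioner should raise when evaluating any hash-chained trail: the chain only proves internal consistency. Whoever can rewrite the store from row k onward can emit a chain that verifies, so the head hash must be anchored somewhere the log writer cannot reach (a signed daily digest, an external timestamping service, or a copy the auditor keeps) and compared on every verification, which is what the optional expected_head argument models. WORM storage addresses the same risk at the medium; the anchor addresses it at the verifier.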

Regulator + auditor report packs

Live
What you get
Seven stakeholder-shaped report packs (board, regulator, auditor, customer DPA, internal audit, …) generated from your live D1 records.
Problem solved
Four days re-formatting the same data for the board pack, the regulator submission, and the customer security questionnaire.
ROI (interactive)
$96k of GRC time saved annually on report assembly
Assumes: 48 stakeholder-days/yr of report formatting at $250/h.

Code Constitution™ GitHub App

Live
What you get
Compliance checks run inline on every PR (≤90s). Findings appear as line+column annotations in the review UI.
Problem solved
Compliance review happens quarterly. By the time the auditor flags a missing model card, it has been in production for 60 days.
ROI (interactive)
$110k of audit-prep + remediation time saved annually
Assumes: ~20 engineers × 220 working days × 5% PR finding rate × 2h post-hoc cost at $250/h.

How to decide for Australia.

  1. Identify your supervisor. Office of the Australian Information Commissioner (+ 4 more on this page).
  2. Pick the framework that closes your audit. Australia Privacy Act.
  3. Run the ROI math. Each card above shows the assumption behind the number. Plug in your team size and audit cost; if it doesn't close, neither should the deal.
  4. Book a 30-min walk-through. We demo against a synthetic Australian tenant, on the same engine that runs your production tenancy. No slide deck.

Australia SaaS, fintech, healthcare-AI, or essential-service?

We work with organisations supervised by every regulator listed above. The jurisdiction-aware engine routes incident reports, DSARs, and FRIA submissions to the correct authority, on that authority's timeline, automatically.

Talk to the Australia team →

Jurisdiction codes + regulator data are sourced from @regunav/jurisdictions (Apache-2.0, open-source). Adding a new market is a single registry entry — no copy-paste regulator content. See /uk for the bespoke deep-dive template.