The Level Up Trust Framework

Last updated: October 2025

Introduction

At The Level Up Agency, trust is the foundation of every relationship we build. Our clients and partners rely on us to design, automate, and manage systems that handle sensitive customer and business data. We take this responsibility seriously and have built a security and compliance program that aligns with recognised global standards—including ISO 27001, SOC 2 Type II, GDPR, and the Australian Privacy Principles (APPs).

This page outlines how we protect information across every layer of our operations—from infrastructure and software design to staff practices and vendor management. It complements our Security & Compliance Overview and is intended as a reference for security auditors, compliance officers, and technical partners evaluating The Level Up as a vendor.

1. Our Security Philosophy

We follow three guiding principles:

  1. Security by Design - Controls are built into every system, not bolted on later.

  2. Privacy by Default - Data collection is minimised and used only for its intended purpose.

  3. Transparency by Policy - Our practices are openly documented and available for review.

2. Infrastructure & Platform Security

The Level Up platform — our CRM, marketing-automation, and client-portal environment — is powered by a white-label, enterprise-grade CRM platform developed by our technology partner, whose infrastructure is independently certified for SOC 2 Type II and ISO 27001.

Hosting & Data Centres

  • Hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), providing world-class physical and network security.

  • Data is stored within redundant, geographically separate data centres with 99.9 % availability SLA.

  • All servers are hardened, continuously patched, and monitored 24/7.

Encryption

  • AES-256 encryption for all data at rest.

  • TLS 1.2 or higher for all data in transit.

  • Passwords are hashed and salted using industry-standard algorithms.

Network Controls

  • Firewalls, load balancers, and intrusion-detection systems protect the environment.

  • Continuous vulnerability scanning and routine penetration tests.

  • DDoS mitigation via AWS Shield.

Third-Party Validation

  • Platform partner maintains SOC 2 Type II attestation and ISO 27001 certification.

  • Data-protection obligations are detailed in the GoHighLevel Data Processing Agreement.

  • These certifications confirm independent audit of security, availability, processing integrity, confidentiality, and privacy controls.

3. Data Privacy & Regulatory Compliance

Global Frameworks We Align With

  • GDPR / UK GDPR: The Level Up acts as data processor; the platform includes Standard Contractual Clauses (EU 2021/914) for cross-border transfers.

  • CCPA / CPRA: Users may request disclosure or deletion of data. We do not sell or monetise customer information.

  • Australian Privacy Act 1988 (Cth): Full alignment with the 13 Australian Privacy Principles; privacy notices are transparent and easily accessible.

  • HIPAA: For healthcare-related clients, data can be processed within HIPAA-compliant environments of our platform partner.

Data Collection & Usage

  • Data collected is limited to what is necessary for service delivery and legitimate business purposes.

  • We never resell, trade, or use customer data for advertising.

  • All data processing activities are logged and auditable.

Cross-Border Transfers

  • Data transfers outside Australia or the EEA are governed by Standard Contractual Clauses incorporated into our platform partner’s DPA.

  • AWS and GCP provide regional replication and contractual safeguards for international transfers.

4. Access Control & Authentication

Principle of Least Privilege

Only authorised personnel with a legitimate operational need can access client systems or data. Access levels are granular—restricted to the minimum necessary functions.

Multi-Factor Authentication (2FA)

2FA is enforced across all internal accounts, including CRM, cloud storage, and communication platforms.

Client Transparency

Clients are always informed before new team members gain access to their accounts. Permissions can be reviewed or revoked at any time upon request.

Periodic Review

Access lists are reviewed quarterly, and any unnecessary permissions are removed immediately.

5. Device & Endpoint Security

  • All staff must secure devices with strong passwords and current operating-system updates.

  • Mandatory use of reputable antivirus/anti-malware software.

  • Password management through encrypted password managers.

  • Automatic screen-lock and inactivity timeouts enabled on all endpoints.

6. Confidentiality & Staff Obligations

Every employee, contractor, and supplier engaged by The Level Up is bound by:

  • Non-Disclosure Agreements (NDAs)

  • Data-Handling and Confidentiality Clauses in employment or contractor contracts

  • Onboarding Training covering data privacy, phishing awareness, and incident reporting procedures

Security awareness refreshers occur at least annually. Disciplinary action may result from any breach of confidentiality or negligence in data handling.

7. Data Retention & Deletion

  • Client data is retained only for the duration of active services or contractual requirements.

  • Upon termination or written request, data is securely deleted from active systems within 30 days and purged from backups within 90 days.

  • Deleted data cannot be recovered.

  • Logs of deletion events are kept for compliance verification.

8. Backups & Disaster Recovery

  • Daily encrypted backups of all system databases.

  • Redundant storage across multiple data centres ensures rapid restoration in the event of failure.

  • Disaster-recovery objective: RTO ≤ 24 hours, RPO ≤ 12 hours.

  • Periodic restoration tests confirm the integrity of backup procedures.

9. Incident Response & Breach Notification

Detection & Monitoring

Automated systems monitor for unauthorised access, data anomalies, and potential malware activity. Alerts are escalated immediately to our internal security contact.

Response Process

  1. Containment and investigation (within 24 hours)

  2. Impact assessment and remediation

  3. Client notification of any confirmed breach affecting their data (within 72 hours)

  4. Post-incident review and preventive updates

External Collaboration

We coordinate with our platform provider’s Security Operations Team (SOC) and, if necessary, regulatory authorities.

10. Business Continuity & Availability

  • Core systems achieve > 99.9 % uptime through redundant hosting.

  • Regular maintenance windows are scheduled and communicated in advance.

  • All critical systems are monitored continuously, with automated fail-over capability.

11. Audit Logging & Monitoring

All user actions—logins, permission changes, data exports—are recorded in immutable audit logs. Logs are:

  • Timestamped and stored securely;

  • Reviewed periodically for anomalies;

  • Retained for a minimum of 12 months.

Automated anomaly-detection tools flag unusual behaviour for investigation.

12. Vendor & Sub-Processor Management

The Level Up engages a small number of trusted service providers (sub-processors) to deliver and maintain our platform and business operations. Each vendor is carefully vetted for security posture and contractual compliance before any integration takes place. All sub-processors are required to meet or exceed the security standards described in this Trust Framework, including data-encryption, access-control, and breach-notification obligations.

Our primary sub-processors include:

  • GoHighLevel LLC – Provides the CRM and automation platform infrastructure that powers The Level Up Platform. This environment is independently certified for SOC 2 Type II, ISO 27001, GDPR and HIPAA compliance.

  • Amazon Web Services (AWS) – Supplies secure global hosting and data-centre operations. AWS maintains certifications such as SOC 1/2/3, ISO 27001, ISO 27017 and ISO 27018.

  • Google Cloud Platform (GCP) – Used for cloud storage and compute services within the platform. GCP is SOC 2 and ISO 27001 certified.

  • Google Workspace – Supports our internal collaboration, email, and document storage under SOC 2 and ISO 27001 certification.

We review vendor certifications annually and maintain signed Data Processing Agreements or equivalent contractual clauses with each provider. No sub-processor is authorised to access client data beyond the specific functions required for service delivery.

13. Application Security & Development Practices

While our CRM platform is maintained by our technology partner, The Level Up develops add-ons and custom workflows using secure-development principles:

  • Version-controlled repositories with restricted access.

  • Code review and peer approval before deployment.

  • Test environments isolated from production data.

  • All custom scripts follow OWASP Top 10 guidelines to mitigate vulnerabilities such as XSS and SQL injection.

14. AI & Automation Governance

Artificial intelligence and automation are core components of our services. We ensure:

  • No client data is used for training external AI models.

  • AI interactions occur only through encrypted API connections.

  • Outputs are reviewed by human staff before publication or delivery.

  • Any AI vendor engaged must demonstrate GDPR and SOC 2 alignment.

15. Compliance Documentation & References

The following documents and resources provide evidence of our compliance and security posture. They are available for review by clients and partners conducting vendor-risk or security assessments.

These materials, combined with this Trust Framework, demonstrate that The Level Up operates within an independently audited infrastructure and maintains internal governance aligned with ISO 27001 and SOC 2 principles.

16. Client Rights & Data Requests

Clients may:

  • Request a copy of data processed on their behalf.

  • Request correction or deletion of data.

  • Obtain details of sub-processors involved in their account.

  • Receive a log of access and export events.

Requests can be submitted via kevin@thelevelup.ai and are actioned within 30 days.

17. Continuous Improvement & Review

Security is not static. We continually evolve our framework to stay ahead of new risks.

  • Quarterly internal audits of access controls and data handling.

  • Annual policy review and approval by senior management.

  • Ongoing vendor monitoring for updated certifications.

  • Employee refreshers in privacy, phishing prevention, and secure data handling.

We also monitor updates from:

  • The Australian Cyber Security Centre (ACSC)

  • The Office of the Australian Information Commissioner (OAIC)

  • The U.S. National Institute of Standards and Technology (NIST)

18. Legal Basis & Jurisdiction

The Level Up Agency Pty Ltd (ABN: 16 670 234 732) is incorporated in New South Wales, Australia. All data-protection practices comply with Australian law and international frameworks as described. Any disputes arising from data-protection or confidentiality matters will be governed by the laws of New South Wales.

19. Future Commitments & Roadmap

We’re expanding our security capabilities to include:

  • Periodic independent penetration testing by certified third-party vendors.

  • Implementation of formal ISMS (Information Security Management System) aligned with ISO 27001.

  • Development of an internal Vendor Trust Portal with downloadable compliance artefacts.

  • Ongoing partnership with cyber-security advisors to maintain alignment with evolving legislation such as the EU AI Act and Australia’s Privacy Act reforms.

20. Contact & Reporting Channels

Security Enquiries

  • kevin@thelevelup.ai

Please include “Security Enquiry” in the subject line for prioritisation.

Responsible Disclosure

If you believe you have identified a vulnerability in any of The Level Up's systems, contact us via the email address above. Please do not publicly disclose details until our team has confirmed and remediated the issue.

21. Summary Statement

At The Level Up, we combine enterprise-grade infrastructure with disciplined internal processes to protect every byte of client data.

We operate within a platform independently certified for SOC 2 Type II and ISO 27001, strengthened by our own access controls, policies, and staff training.

Our goal is not just compliance—but confidence: giving clients and partners complete peace of mind that their information is secure, private, and always under their control.