Trust, security & governance
You're handing an outside team the keys to your environment. Here's how Frontrow runs its own shop.
An MSP that sells security uplift should be able to evidence its own. This page sets out, plainly, how Frontrow governs privileged access to client tenants, where its certifications and insurance stand, where your data lives, and what happens if there's a breach. No vendor theatre. Where something isn't yet confirmed, it says so.
Privileged access to your tenant
How Frontrow holds the keys.
The biggest risk in any managed-services relationship is the access the provider holds. Frontrow governs that access the same way it asks clients to: least privilege, just-in-time, evidence-backed.
| Control | Why you care | How Frontrow runs it |
|---|---|---|
| No standing admin in your tenant | A consultant who holds permanent Global Admin in your tenant is a permanent risk to it. The access should exist only while the work is happening. | Frontrow operates engineer access to client tenants through Microsoft Entra Privileged Identity Management — just-in-time, time-boxed activation with approval and a reason, not standing roles. |
| Phishing-resistant MFA on every privileged account | Privileged access is the account an attacker most wants. A password and an SMS code are not enough to protect the keys to your environment. | Frontrow engineers authenticate with phishing-resistant MFA (FIDO2 / Windows Hello for Business) and sign in through Conditional Access policies that check device compliance and location. |
| Access reviewed, not assumed | Access that nobody re-checks quietly accumulates. Regulated buyers need evidence that the list of who can touch their environment is current. | Frontrow runs scheduled access reviews across client tenants and its own, removing dormant accounts and re-attesting privileged roles. (TODO — CEO to confirm review cadence: quarterly is the stated intent.) |
| Privileged work from clean devices | Admin work done from the same laptop that reads email and browses the web exposes the highest-value access to everyday threats. | Frontrow performs privileged client work from managed, hardened devices under Microsoft Intune, with Defender for Endpoint reporting health. (TODO — CEO to confirm Privileged Access Workstation posture before publishing as a hard control.) |
| Activity logged and auditable | When something goes wrong, you need to show an assessor exactly who did what, and when. | Privileged activity in client tenants is captured in the Microsoft 365 unified audit log and Entra sign-in logs, retained and available for review. |
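A client's own admin can verify the first row of the table rather than take it on trust. The script below is an added example, not Frontrow's tooling; it assumes the Microsoft Graph PowerShell SDK is installed, and `frontrow.example` is a placeholder for the partner's sign-in domain. It lists every active privileged role instance held by a partner account and flags those that are standing assignments rather than time-boxed PIM activations.

```powershell
# Added example (not Frontrow's code): flag standing privileged roles held by partner accounts.
# Assumes the Microsoft Graph PowerShell SDK; the partner domain below is a placeholder.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

$partnerDomain   = "frontrow.example"   # placeholder: the MSP's sign-in domain
$privilegedRoles = @("Global Administrator", "Privileged Role Administrator",
                     "Security Administrator", "Exchange Administrator", "Intune Administrator")

# Map role definition IDs to display names once.
$roleName = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleName[$_.Id] = $_.DisplayName }

# Resolve a principal ID to a UPN; groups and service principals fall back to the raw ID.
# Guest (B2B) accounts carry the home domain inside the UPN as user_domain#EXT#@tenant,
# so the match below looks for the domain anywhere in the UPN, not only after the '@'.
function Resolve-Upn([string]$PrincipalId) {
    $u = Get-MgUser -UserId $PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
    if ($u) { return $u.UserPrincipalName } else { return $PrincipalId }
}

# Active instances: AssignmentType 'Assigned' is a standing assignment (permanent when
# EndDateTime is empty); 'Activated' is a time-boxed PIM activation of an eligible role.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $privilegedRoles -contains $roleName[$_.RoleDefinitionId] }

$findings = foreach ($i in $active) {
    $upn = Resolve-Upn $i.PrincipalId
    if ($upn -notlike "*$partnerDomain*") { continue }
    [pscustomobject]@{
        Principal = $upn
        Role      = $roleName[$i.RoleDefinitionId]
        Type      = $i.AssignmentType
        Expires   = if ($i.EndDateTime) { $i.EndDateTime } else { "never (standing)" }
        Flag      = if ($i.AssignmentType -eq "Assigned" -and -not $i.EndDateTime) { "STANDING ADMIN" } else { "ok" }
    }
}

# Eligible-only instances are what a just-in-time model should look like for the partner.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    Where-Object { (Resolve-Upn $_.PrincipalId) -like "*$partnerDomain*" }

$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
"Partner eligible (JIT) role instances: $(@($eligible).Count)"
"Partner standing privileged assignments: $(@($findings | Where-Object Flag -eq 'STANDING ADMIN').Count)"
```

Access a partner holds through Partner Center delegated administration (GDAP) is not a role assignment in your directory and will not appear in this output; review it separately under delegated admin partners in the Entra admin centre.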
Certifications & insurance
Where Frontrow actually stands.
No badges Frontrow hasn't earned. A certification that's in progress is stated as in progress, with a target. A buyer's procurement team can take this list at face value.
Frontrow's own Essential Eight maturity
TODO — CEO to state Frontrow's current Maturity Level (e.g. ML2) and target. An MSP selling Essential Eight uplift that won't publish its own level is a red flag; this must land a real number.
ISO/IEC 27001 (information security management)
TODO — CEO to confirm: not certified / in progress with target date / certified. Honest "in progress, targeting [date]" is acceptable. Do not claim certification that is not held.
SOC 2
TODO — CEO to confirm status and Type (I or II) and target date, or state "not pursued" if that is the position. Do not imply an audit that has not occurred.
Professional indemnity insurance
TODO — CEO to confirm insurer and cover amount Frontrow is comfortable publishing (e.g. "$[X]M professional indemnity").
Cyber insurance
TODO — CEO to confirm cyber liability cover amount Frontrow is comfortable publishing.
Microsoft partner status
Microsoft Partner with Modern Work & AI specialisation. (CEO to confirm exact current designation wording.)
Where your data lives
Australian data residency.
Your tenant stays your tenant
Frontrow works inside your Microsoft 365 tenant. Your data sits in the Microsoft Australia regions where your tenant is provisioned, under your agreement with Microsoft, not copied out to a Frontrow system.
Frontrow's own systems
Frontrow's management, documentation and ticketing tooling is hosted in Australian data regions. (TODO — CEO to confirm the tooling list and hosting locations Frontrow is comfortable naming.)
Sub-processors
A current list of the third parties that may process client data, and where, is available on request. (TODO — CEO to confirm whether to publish the sub-processor list inline or keep it request-only.)
If something goes wrong
Breach notification, in writing.
Under the Notifiable Data Breaches scheme, an eligible data breach involving personal information has to be assessed and reported. Frontrow's commitment is to notify an affected client without undue delay once a security incident touching their environment is identified, and to support the assessment and any required notification to the OAIC and affected individuals.
The specifics live in the engagement agreement. (TODO — CEO to confirm the contractual notification window Frontrow commits to, e.g. within [X] hours of identification.)
Identify: Defender XDR + Sentinel surface the incident
Assess: Scope, data involved, eligibility under NDB
Notify: Client first, then OAIC + individuals if required
Remediate: Contain, recover from tested backups, evidence
Take it further
Three ways to put this to the test.
Request the governance pack
Sub-processor list, insurance certificates and the privileged-access policy in writing, for your vendor due-diligence file.
Run your own NDB readiness check
Score whether your tenant could detect, scope and notify a breach inside the 30-day clock — the same standard Frontrow holds itself to.
Talk to a senior consultant
Bring your security questionnaire. A senior consultant who does the work will walk through it with you, not a salesperson.
Prefer to talk it through? Call 1300 012 466 or talk to a senior consultant.
Doing vendor due diligence on Frontrow?
Send the security questionnaire across. Frontrow would rather answer it straight than hand you a glossy trust badge. A senior consultant will work through it with your team.