ato.gov.au

C-
Conditional · 72/100
Shows significant security gaps that need urgent attention. Positive signals: DMARC / Email Security, MX Records & Mail Provider, and TLS Configuration all passed. 7 action items identified, including 0 critical. The issues point to real architectural gaps, not just configuration tweaks. A focused remediation effort of 1–2 days could address all findings.
Trust Score Trend
→ No change 1 scan · Last scanned February 24, 2026
Score
100 75 50 25 0
C-
ato.gov.au
72/100
Compliance & Certifications
Not yet verified
SOC 2 TYPE II
SOC 2 Type II
Audit report not on file
3rd party · AICPA
Pro subscribers only
ISO 27001
ISO 27001
Certificate not on file
3rd party · accredited body
Pro subscribers only
GDPR
GDPR
DPA not on file
Self-reported
Pro subscribers only
CCPA
CCPA
Privacy policy not on file
Self-reported
Pro subscribers only
Incident History
None in 12 months
March 2026
ChatGPT data exposure
1 source
Resolved
Pro subscribers only
April 2023 – Feb 2026
ChatGPT data exposure
1 source
Resolved
Pro subscribers only
Security Posture
7 items need attention
7 passed
Turn on HSTS (forces browsers to always use HTTPS)
HSTS Header
< 1 hour

This puts visitor logins and session data at risk of interception on untrusted networks. ato.gov.au doesn't send the HSTS header, so a browser can still be tricked into connecting over plain, unencrypted HTTP instead of HTTPS — an attacker on the same network (e.g. public wifi) can exploit that gap to intercept traffic. Turning HSTS on tells every browser "always use HTTPS for this site, no exceptions."

PCI-DSS 4.0Req 6.4.1
Required application security controls
NIST 800-53SC-8
Transmission confidentiality and integrity
How to fix this
1Add this response header to your site. If you manage your own server (nginx, Apache, IIS) or a CDN like Cloudflare, add it in that config. If your site is on a managed platform (Wix, Squarespace, Shopify, WordPress.com), search their help center for "custom headers" or ask their support — most support it, though a few don't.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2Before adding it, make sure every subdomain (not just the main site) also works over HTTPS — HSTS applies site-wide.
3Confirm it's live: search "http header checker" and enter ato.gov.au.
4Once confirmed, submit the domain at hstspreload.org so browsers enforce HTTPS even on a user's very first visit.
Report unlocked.
View all 7 passed checks
DMARC / Email Security
MX Records & Mail Provider
TLS Configuration
Known Breaches
Cookie Security
TLS Protocol Support
CVE Exposure
Company Signals
Claim profile →
Operational risk
Low
11 yrs operating. Well-funded
Lynxradar · Composite signal
Last funding
$40B
Series F · Mar 2025 · SoftBank-led
Crunchbase ↗
Employees
~3,000
+40% YoY growth
LinkedIn ↗
Trust Resources
Claim profile →
Trust Center
trust.ato.gov.au ↗
Security page
ato.gov.au/security ↗
Privacy Policy
ato.gov.au/privacy ↗
DPA (Data Processing Agreement)
ato.gov.au/dpa ↗
Updated recently
Subprocessors List
ato.gov.au/policies/subprocessors ↗
Similar companies
Appears in
Claim profile →
SOC 2 Type II certified vendors
847 companies · Updated weekly by LynxRadar
Track
ISO 27001 certified SaaS
312 companies · Updated weekly by LynxRadar
Track
Top AI vendors by trust score
94 companies · LynxRadar ranking
Track
Enterprise-ready SaaS · Trust score A or above
203 companies · LynxRadar ranking
Track