C-
Conditional · 72/100
Shows significant security gaps that need urgent attention. Positive signals: DMARC / Email Security, MX Records & Mail Provider, and TLS Configuration all passed. 7 action items identified, including 0 critical. The issues point to real architectural gaps, not just configuration tweaks. A focused remediation effort of 1–2 days could address all findings.
Trust Score Trend
→ No change
1 scan · Last scanned February 24, 2026
Score
100
75
50
25
0
C-
72/100
Compliance & Certifications
SOC 2 Type II
3rd party · AICPA
Pro subscribers only
ISO 27001
3rd party · accredited body
Pro subscribers only
GDPR
Self-reported
Pro subscribers only
CCPA
Self-reported
Pro subscribers only
Incident History
None in 12 months
March 2026
ChatGPT data exposure
1 source
Pro subscribers only
April 2023 – Feb 2026
ChatGPT data exposure
1 source
Pro subscribers only
Security Posture
7 items need attention
7 passed
Turn on HSTS (forces browsers to always use HTTPS)
HSTS Header
This puts visitor logins and session data at risk of interception on untrusted networks. ato.gov.au doesn't send the HSTS header, so a browser can still be tricked into connecting over plain, unencrypted HTTP instead of HTTPS — an attacker on the same network (e.g. public wifi) can exploit that gap to intercept traffic. Turning HSTS on tells every browser "always use HTTPS for this site, no exceptions."
PCI-DSS 4.0Req 6.4.1
Required application security controls
NIST 800-53SC-8
Transmission confidentiality and integrity
How to fix this
1Add this response header to your site. If you manage your own server (nginx, Apache, IIS) or a CDN like Cloudflare, add it in that config. If your site is on a managed platform (Wix, Squarespace, Shopify, WordPress.com), search their help center for "custom headers" or ask their support — most support it, though a few don't.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
2Before adding it, make sure every subdomain (not just the main site) also works over HTTPS — HSTS applies site-wide.
3Confirm it's live: search "http header checker" and enter ato.gov.au.
4Once confirmed, submit the domain at hstspreload.org so browsers enforce HTTPS even on a user's very first visit.
Report unlocked.
View all 7 passed checks
DMARC / Email Security
MX Records & Mail Provider
TLS Configuration
Known Breaches
Cookie Security
TLS Protocol Support
CVE Exposure
Company Signals
Claim profile →
Operational risk
Low
11 yrs operating. Well-funded
Lynxradar · Composite signal
Last funding
$40B
Series F · Mar 2025 · SoftBank-led
Crunchbase ↗
Employees
~3,000
+40% YoY growth
LinkedIn ↗
Trust Resources
Claim profile →
Trust Center
trust.ato.gov.au ↗
Security page
ato.gov.au/security ↗
Privacy Policy
ato.gov.au/privacy ↗
DPA (Data Processing Agreement)
ato.gov.au/dpa ↗
Updated recently
Subprocessors List
ato.gov.au/policies/subprocessors ↗
Similar companies
Appears in
Claim profile →
SOC 2 Type II certified vendors
847 companies · Updated weekly by LynxRadar
ISO 27001 certified SaaS
312 companies · Updated weekly by LynxRadar
Top AI vendors by trust score
94 companies · LynxRadar ranking
Enterprise-ready SaaS · Trust score A or above
203 companies · LynxRadar ranking