QuantGov Cloud
IRAP assessed hosting for Australian government
QuantGov Cloud is IRAP assessed at the OFFICIAL:Sensitive level. Run Drupal, WordPress, Laravel, and custom applications on Australian sovereign infrastructure with immutable audit logging and automated backups.
About IRAP
What IRAP assessment means
The Information Security Registered Assessors Program (IRAP) is administered by the Australian Signals Directorate. Independent, ASD-endorsed assessors evaluate a system’s security controls against the Australian Government Information Security Manual (ISM).
An IRAP assessment is not a certification. It produces an independent report on the design and implementation of security controls, which your agency’s authorising officer uses to make a risk-informed decision. QuantGov Cloud has been assessed at the OFFICIAL:Sensitive level.
- Assessed at OFFICIAL:Sensitive
- Controls mapped to the ISM
- Assessment report available on request
Learn more about QuantGov Cloud
Privileged action logging
Multi-region audit trails with log file validation record every administrative and privileged action across the platform.
Network traffic logging
Flow logs are captured on every network in the platform and retained alongside audit logs for analysis and investigation.
Protective DNS
DNS firewall with managed malware and botnet blocklists prevents workloads from resolving known malicious domains.
What IRAP assessed hosting includes
Every application on QuantGov Cloud inherits the same assessed platform controls.
Immutable audit logging
Multi-region audit trails with log file validation capture every administrative action.
- 7-year (2,555-day) retention
- Object Lock in COMPLIANCE mode
- Network flow logs on every VPC
Automated backups
Daily database backups, plus on-demand database and filesystem backups you control.
- 30-day automated retention
- Restore to any environment
- Multi-AZ database option
Australian data sovereignty
Workloads run in Melbourne with Sydney as the secondary region. Data at rest stays in Australia.
- Melbourne primary region
- Sydney secondary region
- Australian owned and operated
Encryption everywhere
Encryption at rest and in transit for every workload, with managed key infrastructure.
- AES-256 at rest
- TLS 1.2 minimum in transit
- HTTPS-only origins
Access control
Strong authentication and least-privilege access for every account and API client.
- MFA and passkeys
- SAML single sign-on
- Role-based access and scoped API tokens
Network security
Defence in depth from the edge to the container.
- WAF with OWASP paranoia levels
- DDoS protection and rate limiting
- Protective DNS and per-tenant isolation
Run your stack on assessed infrastructure
The same platform controls apply to every application type.
Drupal
Managed hosting with one-click deploy and optional static edge delivery.
- Managed hosting
- One-click deploy
- Optional edge sync
WordPress
Managed hosting with one-click deploy and optional static edge delivery.
- Managed hosting
- One-click deploy
- Optional edge sync
Laravel
Containerised Laravel with managed MySQL or PostgreSQL.
- Managed database
- Queue workers
- Autoscaling
Symfony
Containerised Symfony with managed databases and Messenger workers.
- Managed database
- Messenger workers
- Autoscaling
Node.js
Next.js, Nuxt, SvelteKit, Remix, and Astro on managed containers.
- SSR and API
- Managed database
- Autoscaling
Craft CMS
Managed Craft CMS hosting with managed database, CDN, and WAF.
- Managed hosting
- One-click deploy
- Control panel
Custom applications
Bring any application as a Docker Compose definition.
- Docker Compose
- Private registries
- Autoscaling
IRAP assessed hosting FAQs
Is QuantCDN IRAP assessed?
Yes. QuantGov Cloud, our government hosting platform, has been IRAP assessed at the OFFICIAL:Sensitive level. The assessment covers the hosting platform, edge delivery, and supporting infrastructure in the Melbourne and Sydney regions.
What does IRAP assessed mean?
IRAP is the Information Security Registered Assessors Program, administered by the Australian Signals Directorate. An ASD-endorsed assessor independently evaluates a system against the Information Security Manual (ISM) and produces an assessment report agencies use to make authorisation decisions.
Is an IRAP assessment the same as certification?
No. IRAP assessments are not certifications or accreditations. The assessment report describes how security controls are designed and implemented; your authorising officer uses it to make a risk-informed decision for your agency.
Where is my data hosted?
Workloads run in the Melbourne region with Sydney as the secondary region. Data at rest stays in Australia, and QuantCDN is Australian owned and operated.
How long are audit logs retained?
Infrastructure audit logs and network flow logs are retained for 7 years (2,555 days), with immutable storage using Object Lock in COMPLIANCE mode. Dashboard activity logs are retained for 12 months.
Which applications can run on IRAP assessed infrastructure?
Drupal, WordPress, and Craft CMS via one-click templates; Laravel, Symfony, and Node.js frameworks such as Next.js and Nuxt; and any custom application packaged as a Docker Compose definition. Every application inherits the same platform controls.
Ready to host on assessed infrastructure?
Join federal, state, and local government organisations on QuantGov Cloud.