Trust is the product.

Hoist Assets gives account-approved tools access to Australian register data for business due-diligence work. Results stay tied to their source, searches stay inside the approved account boundary, and customers can inspect what was checked.

Legal entity

• Trading name: Hoist Assets
• Operating entity: HoistAI Pty Ltd
• ABN: 11 695 718 659
• ACN: 695 718 659
• Registered office: 81–83 Campbell Street, Surry Hills NSW 2010
• Principal place of business: Same.
• GST registered: Yes (effective 2024).

What Hoist can check

Hoist supports PPSR checks for organisations and serial-numbered assets, plus ABN checks. Individual-grantor searches are not supported. Source-access notes and operating limits for PPSR live at /trust/afsa-b2g.

Hard limits

Hoist supports organisation and serial-number checks. It does not offer searches for individual people, driver licences, residential addresses, or personal identity details. That limit applies to every customer, every connected tool, and every support request. For the detailed boundary, see /trust/npii-boundary.

Controls

• Human approval: Connected tools can only use the access an account owner approves.
• Review and revoke: Account users can review connected access and disconnect tools from the account surface.
• Price confirmation: Paid searches require confirmation before spend is triggered.
• No override path: Support cannot turn on person searches or bypass the org-only boundary.

Logs

Every completed search gets a durable log. It records the account, the connected tool if one was used, the type of check, the identifier checked, the source, the time, the outcome, and the evidence reference. It does not store sign-in secrets, prompts, card numbers, or unrelated account data.

What customers can verify

Each search can produce an Evidence Pack with the source, timestamp, result summary, and record reference. The customer-facing evidence format is explained at /evidence-pack. Developers who need exact interface details should use the developer docs.

Data handling

• Service hosting: Cloudflare, with Australian routing preferred where available.
• Account, search, and log records: Encrypted storage with AU/APAC preference where supported.
• Record PDFs and certificates: Encrypted storage with AU/APAC preference where supported.
• Payments: Stripe (merchant of record). We do not store card numbers, expiry, or CVC.
• Email: Postmark.
• Error tracking: Sentry, AU region.

Residency model in detail at /trust/residency. Where Cloudflare or Stripe processes data outside AU, the categories and lawful bases are listed there.

Security

• Disclosure policy: Report security issues through /security.
• Certifications: SOC 2 and ISO 27001 are not certified today. We will not imply certification before it exists.
• Procurement review: Procurement teams can request a security questionnaire and current assurance material.
• Encryption: HTTPS in transit and encryption at rest. Higher-volume accounts can discuss customer-specific key controls.

Support

For account access, billing, setup help, or questions about a record, use /contact/. Security vulnerabilities should use the disclosure path at /security.

Insurance

Professional indemnity (A$5M aggregate), cyber liability (A$2M), public liability (A$10M). Certificates available on request to procurement contacts.

Data retention

Records and certificates stay available for 30 days after subscription ends so customers can export them. Minimal verification receipts are retained so historic records can still be checked. Account and billing metadata is retained for 7 years after closure to satisfy AU tax requirements.

Subprocessors

Connected tools and AI agents

Hoist is designed for account owners who want AI agents, assistants, business applications, or automated workflows to run source-backed checks. The same safety rules apply no matter which tool starts the search.

• No silent spend. Paid searches require an explicit confirmation step. A connected tool cannot trigger a billable PPSR or ABN search unless the account owner has approved that action. See /pricing for the confirmation model.
• Org-only regardless of caller. The individual-grantor boundary applies to humans, AI assistants, business apps, and batch jobs. See /trust/npii-boundary.
• Approved access only. A human approves what a connected tool may do. The tool cannot widen that approval by changing a prompt, field, or request.
• No bypass path. There is no prompt, setup option, or support switch that turns on person searches or bypasses price confirmation.
• Evidence, not advice. Hoist returns source-backed Evidence Packs with timestamps, risk flags, and next steps. It does not make compliance decisions. If a connected tool says "approved" or "cleared", that is the tool's interpretation, not Hoist's conclusion.
• Security details. Connected-tool controls are summarised at /trust/security.

Material changes to this page

Tracked in /changelog with the tag trust. RSS feed: /changelog/feed.xml.

Example Due Diligence Record

Every PPSR search produces a structured record - timestamped, tamper-evident, and human-readable. Here is what one looks like before you connect an agent. View example record.

---

Sub-pages