Trust Center

Security Is Not a Feature.
It Is the Foundation.

How Herbst Group protects client data, governs AI use, and builds toward internationally recognised security standards.

  • 42 critical controls, CEO-enforced
  • 24/7 Vanta monitoring, continuous compliance
  • POPIA registered: Information Officer and Deputy Information Officer
  • Email security: 100% PowerDMARC score
  • EcoVadis global: Silver Medal, top 15%

Security Commitment

Herbst Group maintains 42 enforced critical controls governing information security, data protection, and AI governance. These controls are locked by CEO authority and cannot be bypassed by any team member, workflow, or automation.

Our security program follows defense-in-depth principles: multiple independent layers of protection ensure that no single failure compromises client data. We conduct continuous monitoring, maintain formal incident response procedures, and integrate lessons learned from every security event into our policies.

Data Protection

POPIA: Registered with Information Regulator
Information Officer Willem Dieter Herbst (CEO) and Deputy Information Officer Tiaan Keyser (CAO) registered with the Information Regulator. Registration No. 2026-001668, issued 8 February 2026.

Our published privacy policy covers five Herbst Group entities and was approved by Board Resolution on 11 November 2025.

Your rights under POPIA

We maintain documented procedures for data subject requests including access, correction, deletion, and objection. Contact our Deputy Information Officer at tiaan@herbstteam.com.

Cross-border safeguards

Where client data is processed outside South Africa, we maintain Data Processing Agreements incorporating Standard Contractual Clauses for EU data flows. Clients may also elect SA-resident data stewardship: client data is then hosted on encrypted infrastructure in Johannesburg and governed by POPIA by design, while we continue to pursue ISO 27001.

Privacy-first analytics

We use Plausible Analytics, which collects no personal data and sets no cookies. No consent banner is required because no cookies are set and no cross-site tracking occurs.

Client data isolation

Each client's data is isolated in separate database tenants. No client data may be used to enrich, benchmark, or cross-reference another client's engagement.

Read our full Privacy Policy →

Email Security

  • herbstgroup.io (A+): transactional domain. DMARC p=reject, DKIM via Resend, SPF strict.
  • herbstteam.com (A+): corporate Microsoft 365 domain. DMARC p=reject, DKIM with dual selectors, SPF strict.

Every email from Herbst Group is authenticated against DMARC and encrypted in transit. Both domains achieve PowerDMARC A+ (100%) with full DMARC enforcement:

  • DMARC p=reject
    Mail that fails both SPF and DKIM alignment is rejected, not quarantined
  • DKIM signed
    Cryptographic signing on both domains
  • SPF strict
    Alignment between the SPF domain and the visible From: address prevents spoofing
  • MTA-STS enforce
    Senders that honour MTA-STS refuse to deliver to these domains without a valid TLS certificate, which blocks STARTTLS stripping and certificate-mismatch downgrades on inbound mail
  • BIMI active
    Brand logo shown by supporting mailbox providers; BIMI requires DMARC enforcement
  • TLS 1.3
    Mail in transit is encrypted with TLS (1.3 where the peer supports it); outbound delivery to a third party depends on the recipient MX offering TLS

Verify independently by looking up the DMARC, SPF and MTA-STS records for herbstgroup.io or herbstteam.com with any DMARC lookup tool.
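The checks a DMARC lookup tool performs can be run locally against the raw records. The following is an added example, not Herbst Group's tooling or the PowerDMARC scorer: it parses DMARC, SPF and MTA-STS policy text and reports whatever keeps each one short of full enforcement. The records embedded in it are constructed samples, not the live answers for herbstgroup.io or herbstteam.com; to check a real domain, paste in the output of `dig +short TXT _dmarc.<domain>`, `dig +short TXT <domain>` and the policy file fetched from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
"""Offline checker for DMARC, SPF and MTA-STS enforcement (added example)."""

# Constructed sample records (illustrative; not the live DNS answers for either domain).
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
GOOD_SPF = "v=spf1 include:_spf.example.net mx -all"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
GOOD_MTA_STS = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"
WEAK_MTA_STS = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 604800\n"


def parse_tag_list(record: str) -> dict:
    """Parse 'tag=value; tag=value' text (DMARC TXT records use this shape)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return problems with a DMARC record; an empty list means p=reject is fully enforced."""
    tags = parse_tag_list(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing v=DMARC1")
    if tags.get("p") != "reject":
        issues.append(f"policy p={tags.get('p', '<absent>')} is not reject")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    # sp= defaults to p=, so a missing sp is fine when p=reject
    if tags.get("sp", tags.get("p")) != "reject":
        issues.append("subdomain policy is weaker than reject")
    if "rua" not in tags:
        issues.append("no rua= address, so aggregate reports are never received")
    return issues


def check_spf(record: str) -> list:
    """Return problems with an SPF record (top-level terms only; includes are not resolved)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    issues = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif not all_term.startswith("-"):
        issues.append(f"'{all_term}' is not a hard fail; use -all")
    # RFC 7208 caps the DNS-querying mechanisms at 10; more yields a permerror.
    lookups = 0
    for t in terms[1:]:
        body = t.lstrip("+-~?").lower()
        if (body.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:", "a/", "mx/"))
                or body in ("a", "mx", "ptr")):
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return issues


def check_mta_sts(policy_text: str) -> list:
    """Check the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields, mx_hosts = {}, []
    for line in policy_text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            mx_hosts.append(value)
        else:
            fields[key] = value
    issues = []
    if fields.get("version") != "STSv1":
        issues.append("missing version: STSv1")
    if fields.get("mode") != "enforce":
        issues.append(f"mode is {fields.get('mode', '<absent>')}; only enforce makes senders refuse a downgraded connection")
    if not mx_hosts:
        issues.append("no mx: lines, so senders cannot validate the receiving MX")
    if not fields.get("max_age", "").isdigit():
        issues.append("max_age missing or not an integer")
    return issues


def assess(dmarc: str, spf: str, mta_sts: str) -> dict:
    """Run all three checks; every value empty means the domain is fully enforced."""
    return {"dmarc": check_dmarc(dmarc), "spf": check_spf(spf), "mta_sts": check_mta_sts(mta_sts)}


if __name__ == "__main__":
    print("good:", assess(GOOD_DMARC, GOOD_SPF, GOOD_MTA_STS))
    print("weak:", assess(WEAK_DMARC, WEAK_SPF, WEAK_MTA_STS))
```

The SPF check counts lookups only at the top level; a full evaluation follows each include: and redirect= recursively, which needs DNS and is why live tools can report a permerror that this offline pass misses.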

Responsible AI Use


Herbst Group uses Anthropic Claude AI via the commercial API to enhance pharmaceutical consulting services, including research synthesis, report generation, and data interpretation. Licensed third-party data assets that inform this work are governed by controls that ringfence each dataset within the terms of its licence, keeping it isolated from other engagements and never repurposed beyond the scope for which it was licensed.

Controls in place

  • All AI-generated content is reviewed by qualified consultants before client delivery
  • No clinical decision-making is delegated to AI
  • Client data is not used for model training under our commercial API terms with Anthropic
  • Claude is accessed only through the Anthropic API, governed by a signed Data Processing Addendum
  • Human-in-the-loop oversight on all client deliverables
  • Strict data fabrication prevention controls (CEO-enforced)

Legal framework

  • Copyright indemnity for AI-generated outputs
  • Full ownership of all Claude-generated content retained by Herbst Group

Pharmaceutical AI standards

  • Aligned with NIST AI RMF principles
  • Implementing GAMP 5 principles for AI/ML in regulated environments
  • AI contribution documented in every report methodology section

Clients are informed when AI assists in analysis. We document the role of AI in our deliverables and welcome questions about our AI governance practices.

Infrastructure & Encryption

Data in transit

TLS 1.3 with HSTS at a one-year max-age. HSTS preload submitted; the preload list requires a max-age of at least one year together with the includeSubDomains and preload directives. Comprehensive CSP, X-Frame-Options DENY, and a Permissions-Policy that disables camera, microphone and geolocation.

Data at rest

All endpoint devices are encrypted with FileVault (XTS-AES-128 with a 256-bit key). Backups are taken daily, encrypted, and governed by formally defined Recovery Time and Recovery Point Objectives.

Data residency

Our data infrastructure is located in South Africa. On a client-elected basis, Herbst Group houses client data and our intelligence frameworks on our own South African server, under our control and built around POPIA principles, so that data remains resident within South Africa. Any remaining cross-border data flows are documented and covered by Data Processing Agreements.

Security headers (all verified)

Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
X-Frame-Options
Permissions-Policy
Cross-Origin-Opener-Policy
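A quick way to confirm claims like these on any host is to audit the response headers as a set rather than one at a time. The following is an added example, not Herbst Group's own tooling; the two header dictionaries are constructed samples (one matching the posture described above, one deliberately weak), not captures from herbstgroup.io. To check a live site, build the dictionary from the output of `curl -sI https://<host>`. The one-year, includeSubDomains and preload requirements it enforces are those of the HSTS preload list.

```python
"""Audit an HTTP response header set for the controls listed above (added example)."""

PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age of at least one year

# Constructed sample header sets (illustrative; not captured from herbstgroup.io).
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "X-Frame-Options": "ALLOWALL",
    "Permissions-Policy": "camera=*",
}


def parse_hsts(value: str):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        if d.startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip('"'))
    return max_age, "includesubdomains" in directives, "preload" in directives


def parse_csp(value: str) -> dict:
    """Map each CSP directive to its source list (tokens lowercased for comparison only)."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def parse_permissions_policy(value: str) -> dict:
    """Map each feature name to its allowlist string; '()' means disabled for every origin."""
    features = {}
    for item in value.split(","):
        if "=" in item:
            name, allow = item.split("=", 1)
            features[name.strip().lower()] = allow.strip()
    return features


def audit_headers(raw_headers: dict) -> list:
    """Return findings for a response header set; an empty list means every check passed."""
    h = {k.lower(): v for k, v in raw_headers.items()}
    issues = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append("no Strict-Transport-Security header")
    else:
        max_age, sub, preload = parse_hsts(hsts)
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            issues.append(f"HSTS max-age {max_age} is below the one-year preload minimum")
        if not sub:
            issues.append("HSTS lacks includeSubDomains (required for preload)")
        if not preload:
            issues.append("HSTS lacks the preload directive")

    policy = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else {}
    if not policy:
        issues.append("no Content-Security-Policy header")
    # script-src falls back to default-src when it is not set explicitly
    script_src = policy.get("script-src", policy.get("default-src", []))
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
        if bad in script_src:
            issues.append(f"CSP lets scripts run from {bad}")
    if "frame-ancestors" not in policy and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        issues.append("no frame-ancestors and no restrictive X-Frame-Options: clickjacking possible")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("X-Content-Type-Options is not nosniff")

    features = parse_permissions_policy(h.get("permissions-policy", ""))
    for feature in ("camera", "microphone", "geolocation"):
        if features.get(feature) != "()":
            issues.append(f"Permissions-Policy does not disable {feature}")

    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        issues.append("Cross-Origin-Opener-Policy is not same-origin")
    return issues


if __name__ == "__main__":
    print("strong:", audit_headers(STRONG_HEADERS))
    print("weak:", audit_headers(WEAK_HEADERS))
```

The CSP check deliberately inspects only what governs script execution (script-src, falling back to default-src) and framing; a full CSP review also looks at object-src, base-uri and whether nonces or hashes are used instead of host allowlists.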

Compliance Journey

Continuous Security Monitoring via Vanta

February 2026

Herbst Group has partnered with Vanta, a leading trust management platform, to maintain continuous security monitoring as we pursue ISO 27001:2022 certification. Vanta provides automated compliance monitoring, real-time control validation, and transparent evidence collection across our technology stack.

  • Automated monitoring
  • 7 tool integrations
  • Penetration testing
  • ISO 27001:2022 target: H2 2026

ISO 27001 implementation in progress. February 2026: Vanta continuous monitoring active. Certification target: H2 2026.

We are actively pursuing ISO 27001:2022 certification with continuous security monitoring through Vanta. Our security programme maintains a signed set of ISMS policies and 42 enforced critical controls governing information security, data protection, and AI governance, with automated compliance testing across our integrated technology stack.

We maintain a formal incident management process with documented resolution for every security event. Each incident is investigated and resolved with corrective controls that prevent recurrence.

  • Complete: Foundation. 42 critical controls, signed ISMS policies, trust page, IO registered, incident response.
  • In progress: Vanta and audit preparation. Tool integrations, risk assessment, penetration test, Statement of Applicability, internal audit.
  • Planned: Certification. Stage 1 documentation review, Stage 2 certification audit, target H2 2026.

Framework alignment

ISO 27001:2022, NIST CSF 2.0, SOC 2 Trust Services Criteria, POPIA, NIST AI RMF, GAMP 5

Vendor Risk Management

We conduct formal due diligence on all service providers and maintain a structured vendor assessment framework covering eight areas: data handling, encryption, access controls, incident response, compliance certifications, business continuity, subprocessor management, and contractual protections.

Available on Request

We believe in transparency. Ask and we will share.

Data Processing Agreement template
Business Continuity Plan summary

Contact us to request any of the above documents.

Environmental Commitment

As a digital-first professional services firm, our environmental footprint is primarily cloud infrastructure and business travel. We measure what matters and set honest targets.

  • 20 tCO2e offset (133% of travel emissions)
  • 71% of cloud providers on renewable energy
  • ~0 paper consumption (digital-first)
  • 20 kg of e-waste destroyed by a certified recycler (Desco, February 2026)

Carbon Offset Programme

Herbst Group retired 20 tCO2e of verified carbon credits in February 2026 via the Sun Exchange solar project in South Africa, registered with Credible Carbon (RRE_ZLVYE9YA). This offsets 133% of our estimated annual business travel emissions. We follow an Avoid-Reduce-Offset hierarchy aligned with the GHG Protocol (Scope 3, Category 6) and target a 10% year-on-year reduction in travel emissions.

Credible Carbon verified. Sun Exchange solar, South Africa. GHG Protocol Scope 3.

Community Reforestation Partnership

Herbst Group is a monthly donor to the Greenpop Foundation NPC (NPO 151-411, PBO 930050622), supporting the Forests For Life programme. We fund the planting of 16 indigenous trees per month in community-centred forest restoration sites across South Africa. Each tree is GPS-tracked and verified quarterly. Partnership MOU signed 5 March 2026. First donation made the same day.

Greenpop Foundation, Forests For Life. 16 indigenous trees per month, GPS tracked. MOU signed 5 March 2026.

2026 Baselines & Targets

Cloud renewable energy 71% → 75% by 2027
Domestic flights per year ~20 returns → 10% YoY reduction
E-waste certified recycling Target: 100%
Paper usage Near-zero maintained
AI compute carbon awareness Monitoring annually

Policy Foundation

10 ESG policies signed by leadership and distributed to all staff. Environmental Policy (POL-ESG-001 v1.1) establishes quantified baselines and annual targets. ESG compliance training completed February 2026 with 100% staff attendance.

Environmental metrics baseline established February 2026. Carbon offset programme active and reviewed annually per POL-ESG-001 v1.1. Herbst Group is pursuing ISO 27001 certification.

ESG Performance

EcoVadis Silver Medal 2026

EcoVadis Silver Medal: Top 15% Globally

March 2026

Herbst Group has been awarded a Silver Medal by EcoVadis, scoring 74/100 and placing in the top 15% of companies assessed globally. Our Ethics score of 85/100 places us in the top 6% of our industry. EcoVadis is the world's largest provider of business sustainability ratings, used by companies including Schneider Electric, Toyota, BASF, and AXA.

Silver Medal. Ethics: top 6% in industry. Valid through March 2027.
View our Recognition Page

  • Awarded: EcoVadis Silver, top 15%. 74/100, independent sustainability rating, valid through March 2027.
  • Active: Carbon Offset Programme. 20 tCO2e offsets retired via Credible Carbon (Sun Exchange solar, SA). Exceeds estimated travel emissions. Not carbon neutral.
  • In progress: ISO 27001:2022. Vanta platform active; ISMS policies signed and enforced; Stage 1 audit October 2026.
  • Registered: POPIA IO. Certificate 2026-001668.

2026 ESG Commitment

Performance level: Advanced (EcoVadis, March 2026). Industry ranking: Overall top 15%, Environment top 10%, Ethics top 6%, Labor & Human Rights above average.

Signed ESG and ISMS policies, CEO-approved and distributed
2 mandatory training sessions, 100% staff attendance
Grievance and whistleblowing channel active (info@herbstgroup.io)

ESG performance is reviewed annually by the CEO. Full sustainability reporting is available in our Sustainability Snapshot 2026 (PDF) . Working toward ISO 27001:2022 certification. Stage 1 audit scheduled October 2026.

Security Inquiries

For security inquiries, data protection requests, or to report a vulnerability:

Information Officer: dieter@herbstteam.com
Vulnerability disclosure: security.txt

This page is reviewed quarterly and updated when our compliance posture changes. Last reviewed: 4 March 2026.