Trust Center

Security Is Not a Feature.
It Is the Foundation.

How Herbst Group protects client data, governs AI use, and builds toward internationally recognised security standards.

  • 42 critical controls, CEO-enforced
  • 24/7 Vanta monitoring, continuous compliance
  • POPIA registered: Information Officer and Deputy Information Officer
  • A+ email security (PowerDMARC rating)
  • A+ SSL/TLS rating (TLS 1.3 + HSTS)

Security Commitment

Herbst Group maintains 42 enforced critical controls governing information security, data protection, and AI governance. These controls are locked by CEO authority and cannot be bypassed by any team member, workflow, or automation.

Our security program follows defense-in-depth principles: multiple independent layers of protection ensure that no single failure compromises client data. We conduct continuous monitoring, maintain formal incident response procedures, and integrate lessons learned from every security event into our policies.

  • 12 Information Security controls: access control, encryption, incident response, backup
  • 14 Data Protection controls: POPIA, cross-border transfers, retention, DSAR, privacy
  • 10 AI Governance controls: human oversight, data isolation, fabrication prevention

Data Protection

POPIA — Registered with Information Regulator
Information Officer Wimpie du Toit (CTO) and Deputy Information Officer Zelna Symms (COO) are registered with the Information Regulator (Registration No. 2026-001668, issued 8 February 2026).

Our published privacy policy covers five Herbst Group entities and was approved by Board Resolution on 11 November 2025.

Your rights under POPIA

We maintain documented procedures for data subject requests including access, correction, deletion, and objection. Contact our Information Officer at wimpie@herbstteam.com.

Cross-border safeguards

Where client data is processed outside South Africa, we maintain Data Processing Agreements with Standard Contractual Clauses covering EU data flows.

Privacy-first analytics

We use Plausible Analytics, which collects no personal data and sets no cookies. No consent banner is required because no cookies are set and no personal data is collected.

Client data isolation

Each client's data is isolated in separate database tenants. No client data may be used to enrich, benchmark, or cross-reference another client's engagement.

Read our full Privacy Policy →

Email Security

  • herbstgroup.io (A+): transactional domain. DMARC p=reject, DKIM via Amazon SES, SPF strict.
  • herbstteam.com (A+): corporate Microsoft 365 domain. DMARC p=reject, DKIM with dual selectors, SPF strict.

Every email from Herbst Group is authenticated, and mail delivered to both domains is protected against TLS downgrade. Both domains achieve PowerDMARC A+ (100%) with full DMARC enforcement:

  • DMARC p=reject: receivers are asked to reject mail that passes neither aligned SPF nor aligned DKIM
  • DKIM signed: cryptographic signing on both domains
  • SPF strict: only listed senders pass, and alignment with the From domain prevents spoofing
  • MTA-STS enforce: sending servers must deliver to our MX hosts over validated TLS, preventing downgrade to cleartext. MTA-STS protects mail sent to our domains; outbound mail depends on the receiving server's TLS support.
  • BIMI active: brand logo shown at participating mailbox providers, which requires DMARC enforcement
  • TLS 1.3: email encrypted in transit

Verify independently by querying the TXT records of _dmarc.herbstgroup.io and _dmarc.herbstteam.com, or by entering either domain in any DMARC lookup tool.
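The records above can be checked without trusting a vendor dashboard. The following is an added example for this page, not Herbst Group's tooling, and every record string in it is constructed to exercise the checks (modelled on the providers the page names, Amazon SES and Microsoft 365); none is the live record of herbstgroup.io or herbstteam.com. It parses a DMARC TXT record, an SPF TXT record and an MTA-STS policy file, and reports anything short of the posture the page claims: p=reject with a matching subdomain policy and pct=100, a hard-fail -all within the RFC 7208 lookup limit, and an MTA-STS policy in enforce mode. DKIM is omitted because validating a key needs the selector names, which the page does not publish.

```python
"""Offline analyzer for DMARC, SPF and MTA-STS records (added example).

Every record below is CONSTRUCTED for illustration. Against a real domain
you would feed in the TXT record of _dmarc.<domain>, the TXT record of
<domain>, and the file at https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""
import re

# RFC 7208 section 4.6.4: each of these mechanisms/modifiers costs a DNS lookup
SPF_LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def parse_tags(record: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC record into a dict (tags lowercased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means full enforcement."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy != "reject":
        findings.append(f"policy p={policy!r} is not reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    subdomain_policy = tags.get("sp", policy)  # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"subdomain policy sp={subdomain_policy!r} is weaker than reject")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate failure reports go nowhere")
    return findings


def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means strict (-all) SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = terms[1:]
    findings = []
    all_terms = [t.lower() for t in mechanisms if t.lower().lstrip("+-~?") == "all"]
    qualifier = all_terms[-1] if all_terms else None
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier in ("all", "+all"):
        findings.append("+all authorises every host on the internet to send as this domain")
    elif qualifier != "-all":
        findings.append(f"{qualifier} is a soft/neutral fail; strict SPF needs -all")
    lookups = sum(1 for t in mechanisms if SPF_LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def assess_mta_sts(policy_text: str) -> list:
    """Parse an MTA-STS policy file (RFC 8461) and flag anything short of enforce."""
    fields, findings = {}, []
    for line in policy_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            findings.append(f"malformed policy line {line!r}")
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    if fields.get("version") != ["STSv1"]:
        findings.append("version must be exactly STSv1")
    mode = fields.get("mode", ["none"])[0]
    if mode != "enforce":
        findings.append(f"mode={mode}: senders may still fall back to cleartext delivery")
    if not fields.get("mx"):
        findings.append("no mx: entries, so no MX host can be validated")
    max_age = int(fields.get("max_age", ["0"])[0])
    if max_age < 604800:  # heuristic threshold: under a week the cached policy lapses quickly
        findings.append(f"max_age={max_age}s is under one week")
    return findings


# Constructed samples (not the live records of any Herbst Group domain)
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SPF_STRICT = "v=spf1 include:amazonses.com -all"
SPF_SOFT = "v=spf1 include:spf.protection.outlook.com ~all"
MTA_STS_ENFORCE = "version: STSv1\nmode: enforce\nmx: *.mail.protection.outlook.com\nmax_age: 604800\n"
MTA_STS_TESTING = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"


def run_examples() -> dict:
    """Assess every sample and return {name: findings}."""
    return {
        "dmarc_enforced": assess_dmarc(DMARC_ENFORCED),
        "dmarc_monitor_only": assess_dmarc(DMARC_MONITOR_ONLY),
        "spf_strict": assess_spf(SPF_STRICT),
        "spf_soft": assess_spf(SPF_SOFT),
        "mta_sts_enforce": assess_mta_sts(MTA_STS_ENFORCE),
        "mta_sts_testing": assess_mta_sts(MTA_STS_TESTING),
    }
```

The subdomain-policy check matters in practice: a record with p=reject but no sp= does inherit reject, while an explicit sp=none leaves every subdomain spoofable even though the apex reads as fully enforced.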

Responsible AI Use


Herbst Group uses Anthropic Claude AI (commercial tier) to enhance our pharmaceutical consulting services, including research synthesis, report generation, and data interpretation.

Controls in place

  • All AI-generated content is reviewed by qualified consultants before client delivery
  • No clinical decision-making is delegated to AI
  • Client data is not shared with Anthropic for model training
  • Monthly verification ensures continued data opt-out
  • Human-in-the-loop oversight on all client deliverables
  • Strict data fabrication prevention controls (CEO-enforced)

Legal framework

  • Data Processing Agreement with Anthropic (effective 24 February 2025)
  • Copyright indemnity for AI-generated outputs
  • Full ownership of all Claude-generated content retained by Herbst Group

Pharmaceutical AI standards

  • Aligned with NIST AI RMF principles
  • Implementing GAMP 5 principles for AI/ML in regulated environments
  • AI contribution documented in every report methodology section

Clients are informed when AI assists in analysis. We document the role of AI in our deliverables and welcome questions about our AI governance practices.

Training & Awareness

Ethics of AI — Mandatory Training Programme

All Herbst Group staff are enrolled in the University of Helsinki Ethics of AI course. This internationally recognised programme covers AI bias, fairness, transparency, accountability, and the societal impact of artificial intelligence.

9 staff enrolled. Deadline: 31 March 2026. CEO participating.

AI Data Classification — Team Briefing Complete

All Herbst Group staff completed the mandatory AI Data Classification briefing covering the 5-level classification framework, consumer vs commercial API tiers, and the 4-question decision tree for data handling. Attestations signed via DocuSign.

9/9 completed, 9 February 2026. DocuSign attested.

Our AI for Good Commitment

Most industry discourse focuses on AI risks and limitations. That matters. But informed by the University of Helsinki Ethics of AI framework, we also believe in the obligation to use AI for genuine good: better healthcare decisions, stronger compliance, and more accessible intelligence for governed environments.

  • Benefit to healthcare outcomes. We direct AI capability toward pharmaceutical market intelligence, training quality, and commercial execution that ultimately serves patients.
  • Transparency by default. Every deliverable discloses where AI contributed. Clients always know what was human-led and what was AI-assisted.
  • Human oversight, always. AI augments our consultants. It does not replace clinical judgement, strategic thinking, or the accountability that comes with both.
  • Compliant value for governed environments. We maintain a formal commercial agreement with Anthropic because responsible AI adoption in pharma requires contractual, not just technical, safeguards.

"Very few companies in South Africa take this specific step. It is part of our commercial advantage and also brings compliant value to governed environments."  – Dieter Herbst, CEO

Security awareness is not a one-time exercise. Herbst Group maintains an ongoing training programme covering information security, data protection, and responsible AI use.

Planned Certifications

  • ISC2 Certified in Cybersecurity (CC) — CEO + CTO
  • NIST Cybersecurity Framework 2.0 self-assessment
  • CIS Controls IG1 self-assessment

Awareness Programme

  • Quarterly security awareness communications
  • Incident-driven policy updates
  • Annual compliance review cycle

Infrastructure & Encryption

Data in transit

TLS 1.3 with HSTS at a one-year max-age; submitted to the HSTS preload list. Comprehensive Content-Security-Policy, X-Frame-Options DENY, and a Permissions-Policy that disables camera, microphone, and geolocation. Mozilla Observatory: A+ (110/100).

Data at rest

All endpoint devices are encrypted with FileVault (AES-256). Backups are taken daily, encrypted, and governed by formally defined Recovery Time and Recovery Point Objectives.

Data residency

Client databases hosted in EU-West (Ireland) with multi-region replication. Cross-border data flows documented and covered by Data Processing Agreements.

Security headers (all verified)

Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
X-Frame-Options
Permissions-Policy
Cross-Origin-Opener-Policy
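The header list above is what a scanner like Mozilla Observatory grades. The following is an added example, not Herbst Group's code or Observatory's output: an offline checker that parses a response's headers and reports where they fall short of the posture described on this page. It encodes the HSTS preload list's actual eligibility rules (max-age of at least one year, includeSubDomains, and the preload directive; a one-year max-age on its own is not enough), walks the CSP with script-src falling back to default-src as browsers do, and checks the other listed headers. Both header sets are constructed: one shaped like the page's description, one deliberately weak so the checks have something to flag. To use it on a live host you would feed it the headers from `curl -sI https://<host>`.

```python
"""Offline checker for HTTP security response headers (added example).

HARDENED and WEAK below are CONSTRUCTED header sets, not captures from
herbstgroup.io; they exist so the checks can be exercised without a network.
"""
import re

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            out["max_age"] = int(directive.split("=", 1)[1].strip('"'))
        elif directive == "includesubdomains":
            out["include_subdomains"] = True
        elif directive == "preload":
            out["preload"] = True
    return out


def parse_csp(value: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def assess_headers(headers: dict) -> list:
    """Return findings for one response; [] means every check here passed.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            findings.append(f"HSTS max-age {p['max_age']} is below one year")
        if not (p["include_subdomains"] and p["preload"]):
            findings.append("HSTS not preload-eligible: needs includeSubDomains and preload")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        pol = parse_csp(csp)
        script = pol.get("script-src", pol.get("default-src", []))  # browser fallback rule
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if bad in script:
                findings.append(f"CSP allows {bad} for scripts")
        if pol.get("object-src") != ["'none'"]:
            findings.append("CSP should set object-src 'none'")
        if "base-uri" not in pol:
            findings.append("CSP lacks base-uri (base tag injection)")
        # frame-ancestors supersedes X-Frame-Options; either one closes the clickjacking gap
        xfo = h.get("x-frame-options", "").upper()
        if "frame-ancestors" not in pol and xfo not in ("DENY", "SAMEORIGIN"):
            findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")

    permissions = h.get("permissions-policy", "")
    for feature in ("camera", "microphone", "geolocation"):
        if not re.search(rf"\b{feature}=\(\)", permissions):
            findings.append(f"Permissions-Policy does not disable {feature}")

    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        findings.append("Cross-Origin-Opener-Policy should be same-origin")
    return findings


# Constructed header sets: one modelled on the posture described on the page, one weak.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; "
                               "base-uri 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}
WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}
```

The weak set shows why "a CSP is present" is not a useful claim on its own: 'unsafe-inline' in the fallback directive lets any injected inline script run, and a one-day HSTS max-age leaves first-visit downgrade open and disqualifies the domain from the preload list.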

Compliance Journey

Continuous Security Monitoring via Vanta

February 2026

Herbst Group has partnered with Vanta, a leading trust management platform trusted by over 9,000 companies globally, to maintain continuous security monitoring as we pursue ISO 27001:2022 certification. Vanta provides automated compliance monitoring, real-time control validation, and transparent evidence collection across our technology stack.

  • Automated monitoring
  • 7 tool integrations
  • Penetration testing
  • ISO 27001:2022 target: Q2 2026
ISO 27001 Implementation In Progress (February 2026: Vanta continuous monitoring active; certification target Q2 2026)

  • 42 critical controls
  • 4 ISMS policies signed
  • 4 in signature
  • 9 total ISMS policies

We are actively pursuing ISO 27001:2022 certification with continuous security monitoring through Vanta. Our security programme maintains 9 ISMS policies and 42 enforced critical controls governing information security, data protection, and AI governance, with automated compliance testing across our integrated technology stack.

We maintain a formal incident management process with documented resolution for every security event. Each incident is investigated and resolved with corrective controls that prevent recurrence.

  • Complete: Foundation. 42 critical controls, 9 ISMS policies, trust page, IO registered, incident response.
  • In Progress: Vanta & Audit Preparation. Tool integrations, risk assessment, penetration test, Statement of Applicability, internal audit.
  • Planned: Certification. Stage 1 documentation review, Stage 2 certification audit, target Q2 2026.

Framework alignment

ISO 27001:2022, NIST CSF 2.0, SOC 2 Trust Services Criteria, POPIA, NIST AI RMF, GAMP 5

Vendor Risk Management

We conduct formal due diligence on all service providers and maintain a structured vendor assessment framework covering eight areas: data handling, encryption, access controls, incident response, compliance certifications, business continuity, subprocessor management, and contractual protections.

Data Processing Agreements: 7 of 14 (50%) in place, covering Anthropic, Vercel, Turso, GitHub, and Microsoft. Target: 100% by Q2 2026.

Available on Request

We believe in transparency. Ask and we will share.

Data Processing Agreement template
Business Continuity Plan summary
Vendor SOC 2/3 reports
Penetration test results (Q1 2026)

Contact us to request any of the above documents.

Environmental Commitment

As a digital-first professional services firm, our environmental footprint is primarily cloud infrastructure and business travel. We measure what matters and set honest targets.

  • 20 tCO2e offset (133% of travel emissions)
  • 71% of cloud providers on renewable energy
  • ~0 paper consumption (digital-first)
  • 20 kg e-waste destroyed by certified recycler (Desco, Feb 2026)

Carbon Offset Programme

Herbst Group retired 20 tCO2e of verified carbon credits in February 2026 via the Sun Exchange solar project in South Africa, registered with Credible Carbon (RRE_ZLVYE9YA). This offsets 133% of our estimated annual business travel emissions. We follow an Avoid-Reduce-Offset hierarchy aligned with the GHG Protocol (Scope 3, Category 6) and target a 10% year-on-year reduction in travel emissions.

Credible Carbon verified. Sun Exchange Solar, South Africa. GHG Protocol Scope 3.

2026 Baselines & Targets

  • Cloud renewable energy: 71%, target 75% by 2027
  • Domestic flights per year: ~20 returns, target 10% YoY reduction
  • E-waste certified recycling: target 100%
  • Paper usage: near-zero maintained
  • AI compute carbon awareness: monitored annually

Policy Foundation

10 ESG policies signed by leadership and distributed to all staff. Environmental Policy (POL-ESG-001 v1.1) establishes quantified baselines and annual targets. ESG compliance training completed February 2026 with 100% staff attendance.

Environmental Metrics Baseline established February 2026. Carbon offset programme active per POL-ENV-001 v1.1. Reviewed annually per POL-ESG-001. Herbst Group is pursuing ISO 27001 certification.

Security Inquiries

For security inquiries, data protection requests, or to report a vulnerability:

Information Officer: wimpie@herbstteam.com
Vulnerability Disclosure: security.txt (RFC 9116)
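A security.txt file is only a working disclosure channel while it is valid: RFC 9116 makes Contact and Expires mandatory, allows exactly one Expires, requires Contact values to be URIs (mailto:, tel: or https:), and recommends an Expires less than a year ahead, and a stale file tells researchers the channel is unmonitored. The following is an added example, not Herbst Group's code, and the file body in it is constructed with an example.com contact rather than the contents of herbstgroup.io's security.txt. The "now" value is fixed to the page's last-reviewed date so the check is reproducible offline.

```python
"""Validator for a security.txt file against the RFC 9116 rules (added example).

SAMPLE_OK and SAMPLE_STALE are CONSTRUCTED; neither is a real disclosure file.
"""
from datetime import datetime, timedelta, timezone

URI_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(body: str) -> dict:
    """Return {field_lower: [values]}, ignoring comments and blank lines."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(body: str, now: datetime) -> list:
    """Return findings; [] means the file satisfies the RFC 9116 checks here."""
    fields = parse_security_txt(body)
    findings = [f"malformed line {m!r}" for m in fields.get("_malformed", [])]

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact is required")
    for contact in contacts:
        if not contact.lower().startswith(URI_SCHEMES):
            findings.append(f"Contact {contact!r} is not a mailto:, tel: or https: URI")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append(f"exactly one Expires is required, found {len(expires)}")
    else:
        try:
            # RFC 9116 uses ISO 8601; accept the trailing Z that fromisoformat rejects on older Pythons
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                findings.append("Expires must carry a timezone")
            elif exp <= now:
                findings.append(f"Expires {expires[0]} is in the past: the file is stale")
            elif exp - now > timedelta(days=365):
                findings.append("Expires is more than a year out (RFC 9116 recommends less)")
        except ValueError:
            findings.append(f"Expires {expires[0]!r} is not ISO 8601")

    for canonical in fields.get("canonical", []):
        if not canonical.lower().startswith("https://"):
            findings.append(f"Canonical {canonical!r} must be https")
    return findings


# Fixed "now" (the page's last-reviewed date) so results are reproducible offline.
NOW = datetime(2026, 2, 10, tzinfo=timezone.utc)

SAMPLE_OK = """# constructed sample, not a real disclosure file
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

# Two defects: a bare address instead of a mailto: URI, and an Expires already past.
SAMPLE_STALE = "Contact: security@example.com\nExpires: 2025-01-01T00:00:00Z\n"
```

Running the validator on a schedule against the live file is the check that matters: the Expires field is the one part of a disclosure channel that silently breaks with time.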

This page is reviewed quarterly and updated when our compliance posture changes. Last reviewed: 10 February 2026.