Vendor Scorecard

We have contacted the vendors listed below to confirm the scope of public disclosure. Initial outreach dates are noted for transparency.

Specific incident details are not disclosed; however, we provide independent guidance on compliance, governance, and systemic risk.

OpenAI
Initial Contact
28-10-2025
Days pursuing incident(s)
122 days
Attempts
~27
Status

--------------------------------

Escalated to OAIC on 10-12-2025
  • No response received to date.

--------------------------------

    Escalated to ACCC on 29-01-2026
  • Advised to contact OAIC.
  • Advised concerns raised fall outside laws administered by ACCC.
  • Response received on 27/02/26; acknowledges concern and logs report but provides no indication of action, scope, or outcome, with follow-up only if further information is required.

--------------------------------

    LinkedIn message from Global Startups lead (Marc Manara) on 06-02-2026
  • Responded with summary of issues. No response received.

    Risk Tiers

    Risk Category | Tier
    Technical Security | CRITICAL
    Privacy & Data Protection | CRITICAL
    Safety & Human Harm | CRITICAL
    Governance & Compliance | CRITICAL
    Enterprise Reputation | CRITICAL
    Cross-Vendor Ecosystem | HIGH
    Systemic / Long-Term | CRITICAL

    Regulatory and Public Sector Frameworks

    • Online Safety Act 2021, Part 5
    • Privacy Act 1988 (APP 1, APP 6, APP 11)
    • Protective Security Policy Framework (PSPF)
    • ASD Information Security Manual (ISM)
    • ACSC Essential 8
    • GDPR Art. 5(1), 28, 32
    • UK GDPR / Data Protection Act 2018
    • CCPA / CPRA
    • Digital Services Act (EU)

    Security Certifications and Assurance Signals

    • SOC 2 Type II
    • ISO/IEC 27001
    • ISO/IEC 27017
    • ISO/IEC 27018
    • ISO/IEC 27701
    • CSA STAR

    Implication: The incident indicates a multi-standard compliance alignment failure, increasing regulatory exposure across AU, EU, and US jurisdictions.

    Gemini
    Initial Contact
    11-12-2025, VRP raised on 15/12/2025
    Days pursuing incident(s)
    77 days
    Attempts
    ~18
    Process Status
    Closed and reopened multiple times. Final closure with no action on 26/02/26. All issues are active as of 05/04/26.

    Risk Tiers

    Risk Category | Tier
    Technical Security | CRITICAL
    Privacy & Data Protection | CRITICAL
    Safety & Human Harm | CRITICAL
    Governance & Compliance | CRITICAL
    Enterprise Reputation | CRITICAL
    Cross-Vendor Ecosystem | NOT REVIEWED
    Systemic / Long-Term | CRITICAL