Security
Your clients' data deserves verified security.
Matter holds CASA Tier 3 certification. An independent, authorised security lab tested the application against every category of the OWASP standard. No other migration case management software in Australia has this.
Migration agents handle the most sensitive data imaginable.
Passports. Financial records. Health examinations. Criminal history checks. Relationship evidence. Every case is a filing cabinet of information that could destroy someone's life if it leaked.
2024: Aussizz Group, one of Australia's largest migration agencies, had 300 gigabytes of client data stolen by ransomware.
2025: OMARA's own portal had a data breach.
Most migration software advertises "SSL encryption" and "cloud hosting" as security features. That is the minimum to have a website. It tells you nothing about whether the application itself was tested for vulnerabilities.
CASA Tier 3
What CASA Tier 3 actually means.
The Cloud Application Security Assessment was developed by the App Defense Alliance, a coalition led by Google, Meta, and Microsoft. It is built on the OWASP Application Security Verification Standard (ASVS), which is the gold standard for application security testing worldwide.
CASA has three tiers. They are not interchangeable.
Tier 1: Self-assessment
The developer fills out a questionnaire about their own security practices.
Tier 2: Automated scanning
An automated tool scans the application for known vulnerabilities. Better than self-assessment, but limited to what scanners can detect.
Tier 3: Independent manual penetration testing
An authorised security lab manually tests the application across all 14 OWASP ASVS categories. Authentication. Session management. Access control. Cryptography. Error handling. Every attack surface examined by a human expert.
Matter holds Tier 3. Recertified annually. Each assessment produces a formal Letter of Validation from the authorised lab.
CASA Tier 3 vs ISO 27001. Different things.
ISO 27001 certifies your security processes. It says your organisation has policies for managing information security: access reviews, incident response plans, risk registers. It does not test whether the application itself has vulnerabilities.
CASA Tier 3 certifies the actual application. A security lab sat down and tried to break it, methodically, across 14 categories of known attack vectors.
They are complementary. One certifies the organisation. The other certifies the code.
Migration Manager has ISO 27001 certification, and credit to them for that. But ISO 27001 does not tell you the application itself was independently tested for security flaws. Matter has CASA Tier 3. The application was verified secure.
Engineering
Built by engineers who take security personally.
The team behind Matter spent decades at Atlassian, building and operating cloud infrastructure trusted by some of the world's largest enterprises. Banks. Government agencies. Fortune 500 companies.
That discipline (threat modelling, secure code review, zero-trust architecture) is baked into every layer of Matter. Security is not a feature we added. It is how the application was built from day one.
Technical details
Under the hood.
Encryption at rest and in transit
All data encrypted with AES-256 at rest. TLS 1.3 for every connection. No exceptions.
Australian data residency
Your clients' data stays in Australia. Hosted on Google Cloud Platform in the australia-southeast1 region.
Practice isolation
Every migration agency gets an isolated practice. Your data is separated from other agencies at the infrastructure level, not just the application level.
Role-based access controls
Staff members see only what they need. Principals control access. Granular permissions per role.
Audit logging
Every action recorded with timestamps and attribution. If OMARA asks who accessed a file and when, you have the answer.
No client data in AI training
Matter uses AI features for automation. Your clients' data is never used to train models. Full stop.
How does Matter compare?
| Feature | Matter | Migration Manager | Officio | Ezymigrate |
|---|---|---|---|---|
| CASA Tier 3 | Yes | No | No | No |
| ISO 27001 | Practices followed | Yes | No | No |
| Australian data residency | Yes | Yes | Unknown | Unknown |
| Published security details | Yes | Yes | No | No |