Unlock open data with CDR access

Achieve Consumer Data Right accreditation or sponsorship to unlock consumer data under the Australian Consumer Data Right


Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


You’re in great company. We work with hundreds of fast-growing software companies across 20+ countries, ranging in size from 2 to 26,000+ employees.


Is this the year you

grow with CDR?

CDR Accreditation unlocks access to economy-wide consumer data under the consumer data right regime.

AssuranceLab is a qualified CA firm, and a partner of leading CDR principal's ready to help you achieve accreditation or sponsorship.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.



Clear reasons to act


Accreditation to unlock CDR access

ASAE 3150 reports recognised by the ACCC to achieve unrestricted accreditation


Customer comfort
and trust

Give your customers peace of mind with secure and reliable CDR data sharing


Minimal business

Agile and flexible audits that help minimise the disruption while fast-tracking your access


Choice of

Choose between unrestricted, sponsored or representative access to fit your goals



Multi-standard options to achieve other global standards without duplicating


Get started with a baseline

The ability to access data with ongoing process improvements to fast-track your access


Four Steps to CDR Access

left arrow right arrow
CDR Readiness Assessment

CDR Readiness Assessment

We built Pillar so you can assess your compliance with 30+ global standards. It helps you get started with a tailored view of your controls and any gaps to prepare for our compliance audits for one or more frameworks. And, Pillar is always free.

Remediation Support

Remediation Support

We guide you as you address any gaps and implement fit-for-purpose processes that align with your company and the CDR requirements. Our flexible and responsive team helps you work through it at your own pace.

CDR Type 1 Audit

CDR Type 1 Report

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback helps you stay on track and achieve real operational benefits for your company. The Type 1 is used for your initial unrestricted accreditation.

CDR Type 2 Audit

CDR Type 2 Report

Type 2 audits are conducted every second year to maintain accreditation. We conduct the Type 2 audits either at your pace within a defined timeline to suit your preference, or increasingly with our continuous audit practices that conduct the audits in the background throughout the year to minimise disruption and increased confidence in your compliance.

Get started your way.
We’re ready when you are!


Your questions answered

Which of the five CDR access models is best for us?

Since the legislative updates in October 2021, there are five access models for the CDR. If you qualify as a 'Trusted Advisor', or only need to use 'CDR Insights', then you do not require any accreditation to access CDR data within that scope. CDR Insights is very limited, however.

There are three models that allow complete data access; Unrestricted, Sponsored, and Representative. Unrestricted provides the most flexibility; you do not need to rely on another third-party for your access and with full accreditation you can provide access to others using the sponsored or representative models.

Representative access is appealing for faster access when you opt to use a third-party to collect the data for you; usually a data intermediary. They can act as your Principal that means they are liable for your compliance and you don't need to be assessed by the ACCC directly. AssuranceLab works with these Principals as a partner to assess compliance and support the onboarding process.

Sponsored access is similar to unrestricted but does not rely on a formal ASAE 3150 report. It still requires assessment by the ACCC so it is slower than representatives but may be lower cost than unrestricted by saving on external audit costs. This model has not been broadly adopted.

We recommend either Unrestricted to have complete flexibility and safeguard your business continuity, or Representatives access if you want to fast-track your access.

What is required to be compliant with the CDR rules?

The CDR legislation includes a broad set of rules that apply to those accessing the CDR data. There are general compliance requirements around obtaining, tracking and updating consent from consumers, making available a public CDR policy for them to understand their rights and the use of data, and who and how the data can be shared with third-parties.

A big part of the rules is the information security requirements that are prescribed in Schedule 2, Part 1 and Part 2. Part 1 requires that you implement an effective information capability and governance, that you define the boundaries of your CDR Data Environment, assess your risks and controls in that environment, and test your incident response capability. Part 2 then goes into greater detail on specific expected information security controls including access control, network security, data loss prevention, managing information assets through their lifecycle, anti-malware protections, and human resources security. These areas very closely relate to many other global standards like SOC 2 and ISO 27001, that can be effectively combined to achieve multiple compliance goals without duplicating all those efforts.

What are Type 1 and Type 2 ASAE 3150 reports?

Unrestricted accreditation requires an ASAE 3150 report, that is similar to the more globally prevalent SOC 2 report. A Type 1 report is sufficient for initial accreditation, and then a Type 2 report is required every two years thereafter to maintain accreditation.

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the CDR criteria.

A Type 2 report attests to your compliance by both design and operation over a period of time. It covers a period 12 months to show your systems and processes have been operated consistently to satisfy the CDR criteria.

How long does it take to get access to CDR data?

The timeframe to access CDR data can vary a lot based on the five access models described above. The two most common access models are Unrestricted and Representatives.

Unrestricted access typically takes 4-9 months. This is made up of a period to implement and achieve compliance with the information security requirements (1-3 months), the ACCC's assessment and granting accreditation (3-5 months), and then a period to test and go live with CDR data (~1 month).

Representatives access can be much faster than Unrestricted, but still relies on achieving a level of compliance that satisfies the CDR Principal's requirements. We see as little as a few weeks to access CDR data under this model when compliance automation is used combined with a well-defined approach from our intermediary partners. 

Can we do it faster by using a compliance automation platform?

Yes. Compliance automation platforms like Drata offer various out-of-the-box policies, controls and automated verifications to fast-track your compliance. We have built two CDR frameworks for use in Drata that automatically maps and verifies the right controls for CDR compliance. One of those is for Representatives access with a scaled down set of requirements, whereas the other is for Unrestricted access with the complete requirements.


Earn trust with other leading standards


Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.



The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.


CSA Star

A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.



Trust services criteria to satisfy a broad customer base globally for security, availability, confidentiality, privacy and processing integrity.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.


Get started your way

We’re ready when you are

Can’t wait?

Our free products help you get started without any fuss:


The always-free GRC platform that powers trust for hundreds of technology companies.

policytree-tab-button-normal (1)

Our 40-minute policy generator; a better alternative to cookie-cutter templates.