Security

Your compliance data, protected.

We’re transparent about how we protect your data — what we do, who handles it, and what we will never do.

Data Residency

All compliance data stored in Sydney, Australia

Every CDD record, every screening result, every document you generate — it all lives in Sydney, Australia (ap-southeast-2). We do not transfer your compliance data offshore. It stays in Australia, encrypted at rest and in transit, for the full seven years required by law.

Infrastructure

Built on certified infrastructure.

Our infrastructure providers hold SOC 2 Type II and ISO 27001 certifications. These are the providers' certifications, not our own; we chose them specifically for their security credentials.

Supabase

Database hosting (Sydney, Australia)

SOC 2 Type II

Cloudflare

Application hosting and CDN

ISO 27001, SOC 2 Type II

Didit

Identity verification via ISO 27001 certified provider

ISO 27001, ISO 27017, ISO 27018

Paddle

Payment processing (Merchant of Record)

PCI-compliant MoR

Protection

How we protect your data.

Encryption at rest (AES-256)

All data stored in our database is encrypted at rest using AES-256 encryption.

Encryption in transit (TLS 1.2+)

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.

Row Level Security

Row Level Security ensures each agency can only access their own data — database-enforced, not just application logic.

Role-based access control

Access to features and data is controlled by role. Users only see what they need to do their job.

7-year immutable audit trail

Records cannot be modified or deleted — meeting your AML/CTF Act record-keeping obligations automatically.
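As an added illustration, not the product's own schema, this is how a PostgreSQL database (Supabase in this case) enforces the two controls above: agency isolation through Row Level Security and an append-only record table. Table and column names are assumptions; `auth.uid()` is Supabase's helper that returns the calling user's id from the JWT, and `authenticated`/`anon` are Supabase's standard roles.

```sql
-- Added example (assumed table names), showing what "database-enforced,
-- not just application logic" means for per-agency isolation.
create table agency_members (
  user_id   uuid not null,
  agency_id uuid not null,
  primary key (user_id, agency_id)
);

create table cdd_records (
  id         uuid primary key default gen_random_uuid(),
  agency_id  uuid not null,
  created_by uuid not null default auth.uid(),
  created_at timestamptz not null default now(),
  payload    jsonb not null
);

-- Without ENABLE, policies are never consulted; FORCE applies them to the
-- table owner as well, so no application role bypasses them.
alter table cdd_records enable row level security;
alter table cdd_records force row level security;

-- Read: only rows belonging to an agency the caller is a member of.
create policy cdd_select_own_agency on cdd_records
  for select to authenticated
  using (agency_id in
         (select agency_id from agency_members where user_id = auth.uid()));

-- Insert: the caller may only write rows into their own agency.
create policy cdd_insert_own_agency on cdd_records
  for insert to authenticated
  with check (agency_id in
              (select agency_id from agency_members where user_id = auth.uid()));

-- Append-only audit trail: no UPDATE or DELETE policy exists, so RLS
-- silently affects zero rows; revoking the privileges turns that into a
-- hard error, which is the behaviour you want to be able to audit.
revoke update, delete on cdd_records from authenticated, anon;

-- Check (constructed): connected as a member of agency A only, a query for
-- agency B's rows returns 0 even though the rows exist in the table.
select count(*) from cdd_records
 where agency_id = '00000000-0000-0000-0000-00000000000b';  -- 0 for agency-A users
```

The membership table needs its own policy in the same style, otherwise a user could read other agencies' membership lists; the check query is also the kind of per-tenant probe worth adding to an integration test suite.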

Regular security updates and dependency scanning

We apply security patches and run dependency scanning on a regular basis to keep your data protected.

Our Commitments

What we will never do.

Some things are non-negotiable. These are not policies we may change — they are commitments built into how the product works.

We never sell your data

Your compliance data is yours. We do not sell it, rent it, or share it with third parties for commercial purposes.

We never train AI on your data

We do not use your client records, compliance documents, or any customer data to train AI models.

No tracking cookies

We use essential cookies only — for authentication and security. No advertising cookies. No third-party trackers.

Breach Notification

We notify you promptly.

Data breach notification is handled in line with the Australian Privacy Act 1988 (Notifiable Data Breaches scheme). If we become aware of an eligible data breach, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required by law.

We will also notify you directly so you can meet your own obligations as a reporting entity. We will describe what happened, what data was involved, and what steps we are taking.

If a breach occurs, we will:

  • Assess the breach within 30 days of becoming aware
  • Notify the OAIC and affected individuals if serious harm is likely
  • Notify you directly so you can meet your own obligations
  • Describe the breach, data involved, and remediation steps
  • Take immediate steps to contain the breach

Security Questions

Questions about our security?

If you have questions about our security practices, data handling, or want to report a concern, contact us directly.

[email protected]

Start for free. No credit card required.

Build your AML/CTF program and verify your first client — your data stays in Sydney the whole time.
