SECURITY
Our security posture in one place.
Controls, certifications, data handling and the practical things we do to earn your trust.
CONTROLS
Four pillars, layered.
Authentication
Email + password with mandatory complexity rules. SSO via Google and Microsoft on the roadmap.
Encryption
TLS 1.3 in transit. AES-256 at rest. Document storage encrypted at the bucket level with rotating keys.
Access control
Role-based access (principal, broker, viewer). Per-document access logs.
Audit logging
Every action attributable, timestamped and retained for the regulatory window.
CERTIFICATIONS AND STANDARDS
Where we are, and where we're going.
- SOC 2 Type I: attestation in progress, scheduled to complete before the October 2026 launch.
- SOC 2 Type II: planned for Q3 2027 following the standard 6 to 12 month observation window.
- ISO 27001: on the 2027 roadmap.
- Australian Privacy Principles (Privacy Act 1988): full compliance is the baseline, not a target.
SUB-PROCESSORS
Who we work with.
- Anthropic (AI inference): under enterprise agreement excluding our inputs from model training.
- AWS Sydney (compute, storage, networking): sole data hosting region.
- Stripe (billing): payment data; no client document data.
- Resend (transactional email): operational email only; no client document data.
Full sub-processor registry available on request. Material changes notified 30 days in advance.
Security is a posture, not a checkbox.
Defaults strict. Audit trail continuous. Trust earned in writing.