Compliance & certifications
Australian Privacy Act 1988: 13 APPs covered
ASD Essential Eight ML1: Self-assessed
SOC 2 Type I: Target Q3 2026
ISO 27001: Target 2027
Encryption & data protection
At rest: AES-256 encryption via Supabase (PostgreSQL in Sydney ap-southeast-2)
In transit: TLS 1.3 on all connections via Vercel edge + Cloudflare
Access control: Row Level Security (RLS) on all database tables. SHA-256 hashed API keys — plaintext never stored.
Admin sessions: HttpOnly, Secure, SameSite=Strict cookies. Session expiry enforced.
Data residency
All primary data is processed and stored within Australia.
| Component | Region |
|---|---|
| Database (PostgreSQL) | Sydney (ap-southeast-2) |
| Application hosting | Sydney (syd1) |
| Object storage | Oceania (Cloudflare R2) |
| Rate limiting | Singapore (Upstash Redis) |
| AI processing | USA (Anthropic Claude — query data, no storage) |
Sub-processors
Third-party services used to deliver Ask Arthur. Each holds security certifications.
| Provider | Certifications |
|---|---|
| Supabase, Inc. | SOC 2 Type II |
| Vercel, Inc. | SOC 2 + ISO 27001 |
| Cloudflare, Inc. | SOC 2 + ISO 27001 |
| Resend, Inc. | SOC 2 |
| Anthropic, PBC | Enterprise DPA |
| Twilio Inc. | SOC 2 Type II |
| Upstash, Inc. | SOC 2 |
Security incident?
Report suspected vulnerabilities or security incidents to brendan@askarthur.au. We aim to respond within 24 hours and will notify affected clients within 72 hours of confirming a breach.
Enterprise documentation
Available on request for enterprise clients and vendors conducting due diligence.
- Data Processing Agreement (DPA)
- Master Service Agreement (MSA)
- Service Level Agreement (SLA)
- Security Questionnaire (SIG Lite)
- Architecture overview
- Penetration test report (available Q3 2026)
Email brendan@askarthur.au to request any document.