Trust & Security

How we protect your data

Ask Arthur's security posture, compliance certifications, infrastructure overview, and data-handling practices for individuals, businesses, and governments.

Compliance & certifications

Australian Privacy Act 1988

13 APPs covered

Compliant

ASD Essential Eight ML1

Self-assessed

Compliant

SOC 2 Type I

Target Q3 2026

In Progress

ISO 27001

Target 2027

Planned

Encryption & data protection

At rest

AES-256 encryption via Supabase (PostgreSQL in Sydney ap-southeast-2)

In transit

TLS 1.3 on all connections via Vercel edge + Cloudflare

Access control

Row Level Security (RLS) on all database tables. SHA-256 hashed API keys — plaintext never stored.

Admin sessions

HttpOnly, Secure, SameSite=Strict cookies. Session expiry enforced.

Data residency

All primary data is processed and stored within Australia.

Component	Region
Database (PostgreSQL)	Sydney (ap-southeast-2)
Application hosting	Sydney (syd1)
Object storage	Oceania (Cloudflare R2)
Rate limiting	Singapore (Upstash Redis)
AI processing	USA (Anthropic Claude — query data, no storage)

Sub-processors

Third-party services used to deliver Ask Arthur. Each holds security certifications.

Provider	Purpose	Certifications
Supabase, Inc.	Database hosting	SOC 2 Type II
Vercel, Inc.	Application hosting	SOC 2 + ISO 27001
Cloudflare, Inc.	CDN + storage	SOC 2 + ISO 27001
Resend, Inc.	Email delivery	SOC 2
Anthropic, PBC	AI analysis	Enterprise DPA
Twilio Inc.	Phone intelligence	SOC 2 Type II
Upstash, Inc.	Rate limiting	SOC 2

Security incident?

Report suspected vulnerabilities or security incidents to brendan@askarthur.au. We aim to respond within 24 hours and will notify affected clients within 72 hours of confirming a breach.

Trust documents

Direct downloads for vendor due-diligence and procurement reviews.

Security Overview

Architecture, controls, data residency · PDF · v1.0

Data Processing Agreement · Draft

APP 1988 + GDPR-aligned sample · subject to legal review · PDF · v1.0

Sub-Processor List

All third parties processing customer data · CSV

Security Changelog

Append-only log of security and compliance updates

View →

Need a SIG Lite, MSA, SLA, pen-test report, or signed DPA? Email brendan@askarthur.au. Pen-test report and SOC 2 attestation available on completion (target Q3 2026).

What people are saying

How we protect your data

Ask Arthur's security posture, compliance certifications, infrastructure overview, and data-handling practices for individuals, businesses, and governments.

Compliance & certifications

Australian Privacy Act 1988

13 APPs covered

Compliant

ASD Essential Eight ML1

Self-assessed

Compliant

SOC 2 Type I

Target Q3 2026

In Progress

ISO 27001

Target 2027

Planned

Encryption & data protection

At rest

AES-256 encryption via Supabase (PostgreSQL in Sydney ap-southeast-2)

In transit

TLS 1.3 on all connections via Vercel edge + Cloudflare

Access control

Row Level Security (RLS) on all database tables. SHA-256 hashed API keys — plaintext never stored.

Admin sessions

HttpOnly, Secure, SameSite=Strict cookies. Session expiry enforced.

Data residency

All primary data is processed and stored within Australia.

Component	Region
Database (PostgreSQL)	Sydney (ap-southeast-2)
Application hosting	Sydney (syd1)
Object storage	Oceania (Cloudflare R2)
Rate limiting	Singapore (Upstash Redis)
AI processing	USA (Anthropic Claude — query data, no storage)

Sub-processors

Third-party services used to deliver Ask Arthur. Each holds security certifications.

Provider	Purpose	Certifications
Supabase, Inc.	Database hosting	SOC 2 Type II
Vercel, Inc.	Application hosting	SOC 2 + ISO 27001
Cloudflare, Inc.	CDN + storage	SOC 2 + ISO 27001
Resend, Inc.	Email delivery	SOC 2
Anthropic, PBC	AI analysis	Enterprise DPA
Twilio Inc.	Phone intelligence	SOC 2 Type II
Upstash, Inc.	Rate limiting	SOC 2

Security incident?

Report suspected vulnerabilities or security incidents to brendan@askarthur.au. We aim to respond within 24 hours and will notify affected clients within 72 hours of confirming a breach.

Trust documents

Direct downloads for vendor due-diligence and procurement reviews.

Security Overview

Architecture, controls, data residency · PDF · v1.0

Data Processing Agreement · Draft

APP 1988 + GDPR-aligned sample · subject to legal review · PDF · v1.0

Sub-Processor List

All third parties processing customer data · CSV

Security Changelog

Append-only log of security and compliance updates

View →

Need a SIG Lite, MSA, SLA, pen-test report, or signed DPA? Email brendan@askarthur.au. Pen-test report and SOC 2 attestation available on completion (target Q3 2026).

What people are saying