Compliance
Where we are. Where we're going.
No vanity badges. Here's what's covered today and what's on the roadmap.
Compliant
AU Privacy Act 1988
Australian Privacy Principles applied to every workflow.
Compliant
NZ Privacy Act 2020
Information Privacy Principles for New Zealand workplaces.
Roadmap
ISO 27001
Initial audit targeted once customer base demands it.
Roadmap
SOC 2 Type II
On the path. Aligned to AICPA Trust Services Criteria today.
Controls
The technical detail.
Encryption in transit & at rest
TLS 1.3 in transit; AES-256 at rest via Supabase Postgres encryption.
Multi-tenant data isolation
Postgres Row-Level Security on every table. No customer ever sees another organisation’s data.
RBAC + per-site scopes
Owner / admin / member / viewer / auditor roles. Per-workplace scoping for multi-site customers.
Audit logging
Every controlled-record mutation logged with actor, source IP and timestamp. CSV export on Business.
Australian data residency
Hosted on AWS Sydney (ap-southeast-2) via Supabase. All customer data stays in-region.
Dependency security
Continuous Dependabot + npm audit. Every PR scanned before merge.
Backups & recovery
Daily encrypted backups with 7-day point-in-time recovery on Supabase Pro.
Incident disclosure
Notifiable Data Breach (NDB) scheme honoured. Affected customers notified within 72 hours.
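The "Audit logging" control above (every controlled-record mutation logged with actor, source IP and timestamp) can be implemented in Postgres as an append-only table fed by a row-level trigger. The following is an added example, not the product's own schema or code. It assumes a controlled table named documents with id and organisation_id columns, Supabase's auth.uid() helper for the acting user, the Supabase roles authenticated and anon, and that the application passes the end user's address into the transaction with set_config('app.source_ip', ...); the sample values in the final transaction are constructed.

```sql
-- Added example (not the product's own code): trigger-based audit trail for
-- a controlled table. Assumed: table "documents" (id uuid, organisation_id uuid),
-- Supabase's auth.uid(), and an application-set transaction-local setting
-- app.source_ip carrying the end user's address.

create table audit_log (
  id              bigint generated always as identity primary key,
  occurred_at     timestamptz not null default now(),
  actor_id        uuid,
  source_ip       inet,
  organisation_id uuid,
  table_name      text not null,
  row_id          uuid,
  operation       text not null check (operation in ('INSERT', 'UPDATE', 'DELETE')),
  old_row         jsonb,
  new_row         jsonb
);

-- Append-only: application roles may read but never rewrite history. The
-- trigger function below runs as its owner (security definer), so it can
-- still insert even though these roles cannot.
revoke update, delete, truncate on audit_log from authenticated, anon;

-- Behind a connection pooler, inet_client_addr() is the pooler or app server,
-- not the end user, so the application must hand the real address in via a
-- transaction-local setting. current_setting(..., true) returns NULL instead
-- of raising when the setting is absent, so a mutation is never lost because
-- the caller forgot to set it (the row is logged with source_ip NULL).
create or replace function log_record_mutation()
returns trigger
language plpgsql security definer
set search_path = public
as $$
declare
  v_ip  text := nullif(current_setting('app.source_ip', true), '');
  v_org uuid;
  v_id  uuid;
begin
  -- OLD is NULL on INSERT and NEW is NULL on DELETE; pick whichever exists.
  if TG_OP = 'DELETE' then
    v_org := old.organisation_id;
    v_id  := old.id;
  else
    v_org := new.organisation_id;
    v_id  := new.id;
  end if;

  insert into audit_log (actor_id, source_ip, organisation_id, table_name,
                         row_id, operation, old_row, new_row)
  values (
    auth.uid(),
    v_ip::inet,
    v_org,
    TG_TABLE_NAME,
    v_id,
    TG_OP,
    case when TG_OP in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when TG_OP in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );

  return coalesce(new, old);
end;
$$;

-- AFTER trigger: the mutation has already been validated, so the log never
-- records a change that was subsequently rejected by a constraint.
create trigger documents_audit
after insert or update or delete on documents
for each row execute function log_record_mutation();

-- What the application does per request, in the same transaction as the
-- mutation (constructed values; 203.0.113.5 is a documentation address).
begin;
select set_config('app.source_ip', '203.0.113.5', true);
update documents
   set title = 'Revised'
 where id = '00000000-0000-0000-0000-000000000001';
commit;
```

The third argument of set_config (is_local = true) scopes the value to the current transaction, so a pooled connection reused by the next request does not inherit a stale address. Exporting the table to CSV is then a plain COPY of audit_log filtered by organisation_id.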
Architecture
Multi-tenant Postgres with row-level security on every table.
Hosted on Supabase (AWS Sydney). Every operational table has an organisation_id column and an RLS policy enforcing tenant isolation at the database level — even if application code has a bug.
- AWS ap-southeast-2 (Sydney) by default
- Supabase Postgres with row-level security on every table
- NZ-region requests served from same region (Trans-Tasman fibre)
- Stateless Next.js compute on Vercel edge
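The "Multi-tenant data isolation" control and the architecture bullets above describe an organisation_id column plus a row-level security policy on every table. As an added example that is not the product's own schema, the following shows that pattern on two assumed tables (organisation_members and documents), using Supabase's auth.uid() helper to identify the calling user, together with the two checks a reviewer would want: FORCE ROW LEVEL SECURITY so the table owner cannot bypass the policies, and a query that lists any public table still lacking RLS.

```sql
-- Added example (not the product's own schema): tenant isolation with RLS.
-- Assumed: tables organisation_members and documents, and Supabase's
-- auth.uid(), which returns the caller's user id from the request JWT.

create table organisation_members (
  organisation_id uuid not null,
  user_id         uuid not null,
  role            text not null
                  check (role in ('owner', 'admin', 'member', 'viewer', 'auditor')),
  primary key (organisation_id, user_id)
);

create table documents (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null,
  title           text not null,
  body            text
);

-- The organisations the current user belongs to. security definer lets the
-- function read organisation_members even though that table is itself
-- RLS-protected below; stable lets the planner evaluate it once per query.
create or replace function current_user_organisations()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select organisation_id from organisation_members where user_id = auth.uid();
$$;

-- Enable AND force RLS. Without FORCE, the table owner (and any role the app
-- connects as that happens to own the table) bypasses every policy.
alter table organisation_members enable row level security;
alter table organisation_members force row level security;
alter table documents enable row level security;
alter table documents force row level security;

-- A user may see only their own membership rows.
create policy members_self_select on organisation_members
  for select
  using (user_id = auth.uid());

-- Reads: a document is visible only inside one of the caller's organisations.
create policy documents_tenant_select on documents
  for select
  using (organisation_id in (select current_user_organisations()));

-- Writes: USING gates which existing rows may be touched; WITH CHECK gates the
-- resulting row. Omitting WITH CHECK would let a member INSERT, or UPDATE a
-- row's organisation_id, into another organisation's tenancy.
create policy documents_tenant_insert on documents
  for insert
  with check (organisation_id in (select current_user_organisations()));

create policy documents_tenant_update on documents
  for update
  using (organisation_id in (select current_user_organisations()))
  with check (organisation_id in (select current_user_organisations()));

create policy documents_tenant_delete on documents
  for delete
  using (organisation_id in (select current_user_organisations()));

-- Verification of the "every table" claim: any public table returned here has
-- RLS disabled and is an isolation gap. Expected result for a compliant
-- schema is zero rows.
select schemaname, tablename
  from pg_tables
 where schemaname = 'public'
   and not rowsecurity;

-- Second check: a table with RLS enabled but no policies denies all access to
-- non-owner roles, which is safe but usually unintended. List such tables.
select t.tablename
  from pg_tables t
 where t.schemaname = 'public'
   and t.rowsecurity
   and not exists (select 1 from pg_policies p
                    where p.schemaname = t.schemaname
                      and p.tablename  = t.tablename);
```

Two caveats worth stating alongside this pattern: a Supabase service-role key (and any Postgres role with BYPASSRLS) is not subject to these policies, so server-side code holding that key is back to relying on application logic for isolation; and the policies above are per-organisation only, so the per-site scoping and role distinctions listed under "RBAC + per-site scopes" would need additional columns and predicates rather than being inherited from organisation_id.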
Privacy
Your data is yours. We don't train models on it.
The AI generator references public regulatory corpora and the content you upload to your own tenancy — never another customer's data. Anthropic Claude is invoked with explicit no-training agreements; prompts are short-lived per request.
- AU Privacy Act 1988 (APP-compliant)
- NZ Privacy Act 2020 (IPP-compliant)
- Customer data never used to train AI models
- Data export on demand · JSON + PDF · 30 days post-cancellation