
Trust

Where your data lives and how we protect it

Full transparency. Australian data residency. Real security practices - not just a trust logo.

Australia, properly

Your data is stored in Supabase's Sydney (ap-southeast-2) region. Support staff are in Australian business hours. No offshore processing for participant records.

NDB scheme aligned

We've committed to the Privacy Act's Notifiable Data Breaches scheme. Any eligible breach gets notified to affected individuals and the OAIC within 30 days of assessment.

Health info, handled correctly

The Privacy Act's small-business exemption doesn't apply to us because we handle health information under s.6D(4)(b) - the stricter rules apply regardless of our size.

HOW WE HANDLE YOUR DATA

The practical security story.

At rest

All application data is stored in our Supabase Postgres database with encryption at rest. Backups are encrypted and retained in the same Australian region. Uploaded files (compliance documents, evidence) are stored alongside the database in encrypted object storage.

In transit

All connections to the application and its APIs require TLS 1.2 or higher. We do not accept unencrypted connections. Our HTTPS configuration is regularly reviewed against current recommendations.

Access control

Multi-tenant data is isolated using application-level Row Level Security (RLS) on every table. A row from one provider organisation can never be served to a user in another organisation. Checkbase staff access to production is role-based and least-privilege; we don't routinely access customer data.
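The per-table RLS pattern described above, sketched as an added SQL example for Supabase Postgres (illustrative code written for this page, not Checkbase's own schema; the table and column names `organisation_members`, `participants`, `org_id` and the helper `user_org_ids()` are assumptions). It relies on Supabase's `auth.uid()`, which returns the calling user's ID from the request JWT.

```sql
-- Assumed schema (constructed for this example, not Checkbase's):
--   organisation_members(user_id uuid, org_id uuid)  maps users to tenants
--   participants(id uuid, org_id uuid, ...)          holds tenant-scoped rows

-- Helper: the set of organisations the current user belongs to.
-- SECURITY DEFINER lets it read organisation_members even when that table
-- is itself RLS-protected; a fixed search_path avoids function hijacking.
create or replace function public.user_org_ids()
returns setof uuid
language sql
security definer
stable
set search_path = public
as $$
  select org_id
  from public.organisation_members
  where user_id = auth.uid();
$$;

-- Enable RLS and FORCE it, so the table owner is not exempt either.
alter table public.participants enable row level security;
alter table public.participants force row level security;

-- One policy covering select/insert/update/delete.
-- USING filters which existing rows the caller may see or touch;
-- WITH CHECK rejects new or updated rows whose org_id would move them
-- into an organisation the caller does not belong to.
create policy participants_tenant_isolation on public.participants
  for all
  to authenticated
  using (org_id in (select public.user_org_ids()))
  with check (org_id in (select public.user_org_ids()));

-- With RLS enabled and no matching policy, every row is denied by default,
-- so a table that is enabled but has no policy returns nothing, not everything.
```

The Supabase `service_role` key bypasses RLS entirely, so it must only ever be used server-side; the browser client should hold the `anon` key and authenticate as the user.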

Auditing

Every audit-link view and every document access is logged. Where you use the auditor portal, the auditor must verify by 6-digit OTP and we record the full session - what was viewed, when, and from which IP. Logs are retained for the life of your account.

SUBPROCESSORS

Every vendor that touches your data.

Every subprocessor that ever touches your data, listed in full. We pick Australian regions where they're available; where they're not, we tell you exactly where the data goes.

| Name | What they do | Company country | Data region | Scope |
|---|---|---|---|---|
| Supabase | Database + authentication | USA (Supabase Inc.) | Sydney, AU (ap-southeast-2) | All application data |
| Resend | Transactional + marketing email delivery | USA (Resend Inc.) | Tokyo, Japan (ap-northeast-1) | Email content + recipient metadata |
| Stripe | Payment processing | USA (Stripe Inc.) | Global routing | Payment details only (never participant data) |
| Vercel | Application hosting | USA (Vercel Inc.) | Global edge network | Application runtime (no persistent customer data) |
| PostHog | Product analytics (consent-gated) | USA (PostHog Inc.) | United States (us.i.posthog.com) | Page views + feature usage + account-holder email/ID only. Loads only after analytics consent. Never participant or worker data. |
| Sentry | Error monitoring | USA (Functional Software, Inc.) | United States | Error stack traces from the app. Emails, phone numbers, NDIS numbers, API keys and request bodies are scrubbed before transmission. |
| Google (Tag Manager + GA4) | Marketing analytics (consent-gated) | USA (Google LLC) | United States | Marketing pages only. Never inside the authenticated app. Loads only after marketing consent. |
| Meta Pixel | Advertising measurement (consent-gated) | USA (Meta Platforms, Inc.) | United States | Marketing pages only. Never inside the authenticated app. Loads only after marketing consent. |

We'll update this list at least 30 days before adding a new subprocessor. Subscribe to /changelog for notifications.

INCIDENT RESPONSE

What happens if something goes wrong.

We follow the process required by the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act). When we become aware of a suspected breach, we assess it within 30 days. If it is an eligible data breach - a breach likely to result in serious harm to affected individuals - we promptly notify both the affected individuals and the Office of the Australian Information Commissioner (OAIC), and we publish remediation details on our changelog so all customers know what changed and why.

WHAT WE DON'T DO

Hard commitments.

  • We don't use your customer data to train AI models - ours or anyone else's.
  • We don't use participant data for analytics or marketing.
  • We don't transfer health information to countries without adequate protection.
  • We don't sell your data. Ever.

This trust page is our good-faith attempt to be plain and correct under Australian law. Checkbase is not a law firm. If you spot something we should fix, .
