Trust Center
Hosting and data residency
Last reviewed: 2026-05-25
Compliance Care's default and intent is that customer data — including all participant information, evidence documents, policies, audit trails, and notifications content — is stored and processed inside Australia.
This page lists every region where compute runs, data sits at rest, or content is processed, including the named exceptions to AU-only and how each is handled.
Where customer data is stored and processed
| Layer | Provider | Region | What is processed there |
|---|---|---|---|
| Authenticated application (Next.js custom server) | Fly.io Machines | Sydney (syd) | All requests carrying customer data. Personally identifying information never reaches the marketing edge. |
| Primary database (Postgres, Auth, Storage) | Supabase | Sydney (ap-southeast-2) | Tenant records, participant data, evidence files, audit events, RLS-scoped storage objects. |
| Document ingest — high-volume structured forms (OCR) | AWS Textract | Sydney (ap-southeast-2) | Only documents the customer routes through the high-volume forms ingest path. |
| Audit-log mirror | AWS S3 with Object Lock (compliance mode) | Sydney (ap-southeast-2) | Nightly append-only mirror of audit_events. 7-year retention. |
| Anti-virus scanning on uploads | ClamAV sidecar on Fly Sydney (or AWS GuardDuty Malware Protection for S3 in ap-southeast-2) | Sydney | Scans every upload before it is accepted into Storage. |
| Billing | Stripe AU | Australia | Card last-4, billing metadata, GST invoice records. No participant data. |
| Transactional email | (Provider selection pending — see below) | Australia preferred | Transactional notifications. Content carries no participant PII. |
| SMS notifications | Twilio AU | Australia | Notification content carries no participant PII. |
| E-signature (from Month 8) | DocuSign AU or AdobeSign AU (selection pending) | Australia | Signature workflows on policy and engagement documents. AU residency confirmed before first send. |
Marketing site (no customer data)
The public marketing site at compliancecare.com.au is served by Vercel's edge network. It carries no customer data and no authenticated session. Form submissions on the marketing site (e.g., contact form, wait-list) are written directly into the Sydney Supabase project — they do not persist on Vercel.
Named exception: Anthropic (Claude) API
Inference for AI features runs on Anthropic's Claude API, which is not hosted in Australia. This is the only material exception to AU residency.
Handling rules in force:
- The Anthropic Data Processing Agreement is executed and on file as a condition of any production use of the API. Where the DPA is not yet executed, no AI features are enabled and the affected paths return a clear "AI features not yet enabled" state.
- Inputs to the Claude API are limited to the content needed for the requested task (e.g., the document being mapped, the policy clause being drafted). Identifiers are de-identified or omitted where the task does not require them.
- Anthropic's policy is that API inputs and outputs are not used to train models. We rely on the API's published zero-retention or 30-day-retention settings as documented in our AI handling page.
- Every AI call is logged in our append-only audit trail (timestamp, model and version, prompt cache hit, input token count, output token count, cost). Customers can export this log.
- AI features are gated behind explicit user action. There is no background AI processing of customer data.
See AI handling for full detail.
What we do not do
- We do not replicate customer data into non-AU regions for analytics, reporting, or backup convenience.
- We do not use a third-party CDN to cache authenticated responses.
- We do not allow ad-hoc data exports to staff laptops. Operator access to production data is via short-lived, audited sessions only.
Change log
| Date | Change |
|---|---|
| 2026-05-25 | Initial publication. |
