Security & Data

Your money data, properly protected.

Bank-level encryption. Australian hosting. Zero data sharing with third parties. You own your data — we just store it.

Six layers of protection.

Bank-level encryption

Data is encrypted in transit with TLS 1.3 and at rest with AES-256 — the same standard used by major Australian banks. Keys rotate automatically.

Australian hosting

All infrastructure runs in the AWS Sydney (ap-southeast-2) region via Supabase. Your financial data never leaves Australia without your explicit export.

Row-level security (RLS)

Every database query is constrained by your user ID at the database level, not just in application code. Even if someone bypassed the app layer, they could not query another user's rows.
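The pattern described above, as an added illustration rather than Vaulco's own schema: Postgres row-level security as exposed by Supabase, where `auth.uid()` returns the ID of the user whose JWT made the request. The table and column names (`transactions`, `user_id`, `amount_cents`) are assumptions for the example.

```sql
-- Illustrative RLS setup for a per-user table on Supabase/Postgres.
-- Table and column names are hypothetical, not Vaulco's real schema.

create table transactions (
  id           bigint generated always as identity primary key,
  user_id      uuid   not null default auth.uid(),  -- caller's id from the JWT (Supabase)
  amount_cents bigint not null,
  description  text
);

-- Turn RLS on. With RLS enabled and no policy, no rows are visible.
alter table transactions enable row level security;
-- Apply the policies to the table owner as well, so a compromised
-- owner connection gets the same filtering as everyone else.
alter table transactions force row level security;

-- Each policy ties visibility of a row to the authenticated caller.
create policy "owner can read" on transactions
  for select to authenticated
  using (user_id = auth.uid());

create policy "owner can insert" on transactions
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "owner can update" on transactions
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "owner can delete" on transactions
  for delete to authenticated
  using (user_id = auth.uid());

-- Check: a query with no WHERE clause still returns only the caller's rows.
-- Another user's rows are absent, not an error, so the app never needs to
-- remember to filter by user_id itself.
select count(*) from transactions;
```

One caveat for anyone reviewing such a setup: Supabase's `service_role` key bypasses RLS entirely, so the guarantee only holds if that key never reaches a browser or a client-side bundle and every user-facing request goes through the `anon` key plus the user's own JWT.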

Authentication that doesn't leak

Password hashes use bcrypt with per-user salts. Session tokens are HTTP-only, Secure, SameSite=Strict cookies. Failed login attempts are rate-limited.

We never look at your data

Aggregated, anonymised usage metrics help us improve the app — but we never view individual transactions, invoices, or account balances. Support can't access your financial data without your permission.

Your data, your rights

Export everything as CSV or JSON from Settings at any time. Delete your account and all associated data in one click — actual deletion within 30 days (not just 'hidden').

Vaulco is a finance tool — not a clinical record system.

For allied health, medical and wellness practitioners: Vaulco is designed for the business side of your practice — invoices, Medicare/NDIS/DVA reconciliation, expenses, tax, BAS. It is not a clinical record system and you should not upload patient health information, clinical notes, diagnoses, or treatment plans to Vaulco. Keep those in a dedicated practice management system (Cliniko, Halaxy, Nookal, PowerDiary). Per our Terms, uploading regulated health information violates acceptable use.

Compliance & standards.

We follow the rules that protect you — not the loopholes that protect us.

  • Australian Privacy Act 1988 compliant
  • Consumer Data Right (CDR) principles
  • Notifiable Data Breaches (NDB) scheme
  • PCI-DSS compliant payment processing (via Stripe)
  • SOC 2 Type II alignment (hosted infrastructure)
  • GDPR-compatible data handling for international visitors

What you can always do.

Export everything

CSV or JSON. All transactions, invoices, assets — one click in Settings.

Delete everything

Full account and data deletion within 30 days. No retention policy that holds your data hostage.

See who accessed your data

Audit log of every login and sensitive action — live. View under Settings → Audit log.

Report a security issue

security@vaulco.com.au — responsible disclosure policy, no gotchas.

Independently verifiable.

Don't take our word for it. Here's the documentation, the vendor list, and the public proofs you can run yourself.

Trust Pack

One-page summary covering encryption, residency, sub-processors, incident response, deletion. Print or save as PDF — share it with your accountant or compliance reviewer.

Sub-processors

Every third-party vendor we share data with — country, purpose, certifications. Updated when sub-processors are added or removed.

Run the tests yourself

Public security scanners — no signup, no auth needed.

Known scan artefacts

In the SSL Labs report, Certificate #2 may show as “no-sni.vercel-infra.com — NOT TRUSTED, MISMATCH.” That's Vercel's fallback certificate, served only when a client connects without SNI (Server Name Indication). Every modern browser sends SNI, so real users never see this cert — it's a deep-scan artefact of Vercel's shared infrastructure, not a Vaulco service issue. Certificate #1 is the cert real visitors get, and it is trusted across all major root stores.

Still have questions about security?

We're happy to go deeper. Ping us and we'll answer in detail.