Trust & transparency

Our sub-processors.

Every third-party vendor Vaulco shares user data with. We list the country of processing, what data they touch, and their security certifications. Updated when sub-processors are added or removed.

Australian data residency: Your core financial data (transactions, invoices, customers, business profile) lives only in Supabase's Sydney region. Vendors marked outside Australia process narrow, transient data only — never your full ledger.

Supabase

Primary database, authentication, file storage

Privacy

Data accessed

All user data: account, business profile, transactions, invoices, bills, customers, documents

Region

AWS Sydney (ap-southeast-2)

Certifications

SOC 2 Type 2, HIPAA, ISO 27001

Vercel

Application hosting, edge network, serverless functions

Privacy

Data accessed

Request metadata (IP, user-agent), no persisted user data — Vaulco is stateless on the edge

Region

Sydney edge region (primary), global CDN

Certifications

SOC 2 Type 2, ISO 27001, GDPR

Stripe

Payment processing for subscriptions

Privacy

Data accessed

Email, name, billing address, payment method (tokenised — Vaulco never sees card numbers)

Region

Australia (Stripe AU entity)

Certifications

PCI DSS Level 1, SOC 2 Type 2, ISO 27001

Twilio

SMS notifications (booking confirmations, alerts)

Privacy

Data accessed

Phone number, message body (no financial data)

Region

Global (configured for AU sender ID)

Certifications

SOC 2 Type 2, ISO 27001, GDPR

Resend

Transactional email (receipts, reminders, invoices)

Privacy

Data accessed

Email address, message body (invoice PDFs included as attachments)

Region

United States (sub-processor: AWS)

Certifications

SOC 2 Type 2, GDPR-compliant

Cloudmailin

Inbound email parsing (forward bills/receipts to Vaulco)

Privacy

Data accessed

Forwarded email content (sender, subject, body, attachments)

Region

United Kingdom

Certifications

GDPR-compliant, ISO 27001

Anthropic

AI features (Aurum assistant, document extraction, transaction categorisation)

Privacy

Data accessed

Only the data injected per request (transaction descriptions, invoice OCR, user questions). No persistent storage at Anthropic — zero retention configured.

Region

United States

Certifications

SOC 2 Type 2, zero-data-retention enterprise tier

Changes to this list

We notify Founding Members and Business+ subscribers via email at least 14 days before adding any new sub-processor that handles financial or personally identifiable data. Removals are notified after the fact.

Questions? Email security@vaulco.com.au.

Last updated: May 2026. ABN 67 154 348 185.