Vaulco

Security & Trust Pack

Your business, in the vault.

vaulco.com.au

ABN 67 154 348 185

Melbourne, VIC, Australia

Last updated: May 2026

01 · Executive Summary

Vaulco is a mobile-first finance application built for Australian sole traders and small businesses. We are an AU-incorporated business (ABN 67 154 348 185) operated from Melbourne. Our infrastructure is hosted entirely in AWS Sydney (ap-southeast-2), runs on SOC 2 Type 2-certified platforms (Supabase, Vercel), and follows the Australian Privacy Principles under the Privacy Act 1988. We do not sell user data, do not share financial records with third parties, and give every user one-click export and one-click deletion at any time.

02 · Six layers of protection

Bank-level encryption

TLS 1.3 in transit. AES-256 at rest. Same standard used by major Australian banks. Keys rotated automatically by Supabase.

Australian hosting

All infrastructure runs in AWS Sydney (ap-southeast-2) via Supabase. Your financial data never leaves Australia without your explicit export.

Row-level security (RLS)

Every database query is constrained by user_id at the database level. Even if someone bypassed the application, they couldn't query another user's data.
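One way the database-level constraint described above can be expressed in Postgres, as an added illustration rather than Vaulco's own schema; the table name and columns are assumed, and it relies on Supabase's `auth.uid()` helper and `authenticated` role:

```sql
-- Assumed per-user table (illustrative, not Vaulco's schema).
-- user_id defaults to the caller's identity so the app cannot forget to set it.
create table if not exists transactions (
  id           bigint generated always as identity primary key,
  user_id      uuid not null default auth.uid(),
  amount_cents bigint not null,
  description  text,
  created_at   timestamptz not null default now()
);

-- Switch RLS on. FORCE makes the table owner subject to the policies too,
-- so a misconfigured server-side connection does not silently bypass them.
alter table transactions enable row level security;
alter table transactions force row level security;

-- Single owner-only policy for every verb:
--   USING      filters which rows SELECT/UPDATE/DELETE can see or touch
--   WITH CHECK rejects INSERT/UPDATE that would write another user_id
create policy transactions_owner_only on transactions
  for all
  to authenticated
  using      (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

-- Caveat: Supabase's service_role key bypasses RLS by design. Server code
-- that uses it must enforce the user_id filter itself, so keep that key
-- off the client and out of request handlers that act on behalf of a user.
```

A quick check after deploying: run a SELECT as one user's JWT and confirm rows inserted under a second user_id are absent rather than rejected, which is how RLS filtering presents.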

Authentication that doesn't leak

Password hashes use bcrypt with per-user salts. Session cookies carry the HttpOnly, Secure and SameSite=Strict attributes. Failed login attempts are rate-limited.

We don't read your data

Aggregated, anonymised usage metrics help us improve the product — but we never view individual transactions, invoices, or balances. Support staff can't access your financial data without your permission.

Your data, your rights

Export everything as CSV or JSON at any time. Delete your account and all associated data — actual deletion within 30 days, not 'hidden'.

03 · Compliance & standards

  • Inherited SOC 2 Type 2: Hosting (Vercel), database/auth (Supabase), payment processing (Stripe), email (Resend), AI (Anthropic) all hold current SOC 2 Type 2 attestations.
  • Australian Privacy Principles (APP): Aligned with the Privacy Act 1988 — collection, use, disclosure, access, correction, and complaint handling.
  • PCI DSS Level 1: Payments handled by Stripe. Vaulco never sees or stores card numbers — they're tokenised by Stripe's PCI DSS Level 1 vault.
  • GDPR-ready: Architecture supports right-to-access, right-to-erasure, and data portability for any user request.
  • Vaulco SOC 2 Type 2: Direct certification on Vaulco-the-application is a Year 2 commitment, scheduled once we exceed the customer threshold that justifies the engagement.

04 · Architecture & sub-processors

Data flow: User device → Vercel Edge (Sydney) → Supabase Postgres (AWS Sydney). All financial data stays in AU.

Core sub-processors:

  • Supabase — primary DB, auth, file storage (AWS Sydney)
  • Vercel — application hosting, edge network (Sydney edge)
  • Stripe — subscription payments (Stripe AU entity, PCI DSS L1)
  • Twilio — SMS notifications
  • Resend — transactional email (US, encrypted in transit)
  • Cloudmailin — inbound email parsing (UK)
  • Anthropic — AI inference (US, zero-retention enterprise tier)

Full vendor table with country, data accessed, and certifications: vaulco.com.au/security/subprocessors

05 · Backup & recovery

  • Supabase daily snapshots, retained 7 days minimum
  • Point-in-time recovery enabled (5-minute granularity)
  • Geographically distributed replicas within AWS Sydney
  • Recovery SLO: 4 hours from confirmed-data-loss incident

06 · Audit trail

  • Every login + sensitive action logged per user
  • Append-only at the database level (no UPDATE/DELETE)
  • Visible to the account owner at Settings → Audit log
  • Includes timestamp, action, device fingerprint
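An append-only, owner-visible audit table of the kind described above, shown here as an added Postgres example rather than Vaulco's implementation; the table and column names are assumed, and it uses Supabase's `auth.uid()` and `authenticated` role:

```sql
-- Assumed audit table (illustrative, not Vaulco's schema).
create table if not exists audit_log (
  id                 bigint generated always as identity primary key,
  user_id            uuid not null default auth.uid(),
  action             text not null,              -- e.g. 'login', 'invoice.send'
  device_fingerprint text,
  occurred_at        timestamptz not null default now()
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Layer 1: privileges. The application role is granted only the two verbs
-- an append-only log needs; UPDATE and DELETE are never granted at all.
revoke all on audit_log from authenticated;
grant select, insert on audit_log to authenticated;

-- Layer 2: RLS. Each account owner reads and appends only their own rows.
create policy audit_log_read_own on audit_log
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy audit_log_append_own on audit_log
  for insert to authenticated
  with check (user_id = (select auth.uid()));

-- Layer 3: a trigger that refuses UPDATE/DELETE for every role, including
-- roles that do hold those privileges. This guards against application bugs
-- and over-privileged connections; a user who can DROP the trigger is a
-- database-admin compromise, which belongs to incident response, not RLS.
create or replace function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only (% attempted on row %)',
    tg_op, old.id;
end;
$$;

create trigger audit_log_no_change
  before update or delete on audit_log
  for each row execute function audit_log_immutable();
```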

07 · Incident response

Acknowledge

Within 24 hours of report to security@vaulco.com.au

Investigate & contain

Within 72 hours. Customer notification if their data is materially affected.

Notify OAIC

Within 30 days for any eligible data breach under the Notifiable Data Breaches scheme.

08 · Data deletion & portability

One-click full export (CSV + JSON) from Settings — every transaction, invoice, customer, document. One-click full account deletion — actual deletion within 30 days. No retention-as-leverage. We never hold your data hostage.

For users in the European Union: this satisfies GDPR Articles 15 (access), 17 (erasure), and 20 (portability).

Vaulco is a finance tool — not a clinical record system.

Allied health, medical, and wellness practitioners: Vaulco handles the business side of your practice (invoices, Medicare/NDIS reconciliation, expenses, tax). Do not upload patient health information, clinical notes, or treatment plans. Use a dedicated practice management system (Cliniko, Halaxy, Nookal, PowerDiary) for those.

09 · Verification

You can independently verify:

  • TLS configuration: ssllabs.com/ssltest/analyze.html?d=vaulco.com.au
  • HTTP security headers: securityheaders.com/?q=vaulco.com.au
  • Sub-processor list (live): vaulco.com.au/security/subprocessors
  • Privacy Policy (live): vaulco.com.au/privacy
  • Public security overview (live): vaulco.com.au/security

10 · Contact & support

Security disclosures

security@vaulco.com.au

Responsible disclosure — we won't sue researchers acting in good faith.

General & partnerships

hello@vaulco.com.au

DPA & mutual NDA available on request.

Generated by Vaulco · ABN 67 154 348 185 · vaulco.com.au · May 2026

This document is informational. It is not a contract or warranty. For binding terms, see the Vaulco Terms of Service and Privacy Policy.