Trust & security

What we know about you, where we keep it, and how to get it back.

Trust is not a badge you put on a page. It is the set of operational choices that the badge is meant to certify. This is the ledger of those choices.

Sydney, AU (ap-southeast-2)
AES-256 at rest · TLS 1.3 in transit
SOC 2 Type I in progress

AU data residency

Primary storage runs on Supabase in Sydney, AWS ap-southeast-2. Application compute runs on Fly.io in the syd region. Your data never leaves AU jurisdiction without an explicit DPA modification signed by both parties.

AU-resident components
Supabase (primary DB + auth) · Sydney · ap-southeast-2
Fly.io (compute) · Region syd
Cloudflare (edge) · AU-nearest POP for origin

Encryption and isolation

At rest
AES-256 on all primary and backup stores
In transit
TLS 1.3 on all public and service-to-service traffic
Tenant isolation
Postgres row-level security on every client-bearing table
Secrets
Managed via Doppler; never committed to source
Audit trail
Every mutating API call written to append-only audit_log
Backups
Daily encrypted Postgres PITR; 30-day retention

Priors Bank privacy

How pooled knowledge is de-identified

The Priors Bank is a category-level pool of posteriors. What enters it is a de-identified probability distribution, not your spend numbers. The pipeline is tested before the pool ever surfaces a prior.

k-anonymity floor
k ≥ 5 contributors per aggregate

If a category drops below five contributors, the aggregate falls back to published industry benchmarks (Binet-Field, Nielsen, WARC) rather than a pooled prior.

Differential privacy
epsilon = 1.0 · delta = 1e-6

Gaussian DP noise is added to each posterior before pooling. The budget is tracked per category aggregate and audited quarterly.

Contributor hashing
HMAC-SHA256

Contributor slots are keyed by HMAC with a rotating secret. A pooled prior cannot be traced back to a client identity.

Opt-out
One-click in Settings · Data Sharing

Opting out is effective immediately for future pooling. You retain full read access to the Priors Bank for your own modelling runs. Past contributions can be flagged for removal on request.
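The three de-identification steps above (k-anonymity floor, Gaussian DP noise at epsilon = 1.0 / delta = 1e-6, HMAC-SHA256 contributor slots) as one runnable sketch. This is an added illustration, not Acera's pipeline code; the posterior representation (a probability vector over fixed bins), the L2 sensitivity bound of sqrt(2)/n for the mean, and the slot-key scheme are assumptions made here.

```python
import hashlib
import hmac
import math
import random

# Parameters stated on the page: k floor of 5, epsilon = 1.0, delta = 1e-6.
K_FLOOR = 5
EPSILON = 1.0
DELTA = 1e-6


def gaussian_sigma(l2_sensitivity, epsilon=EPSILON, delta=DELTA):
    """Standard Gaussian-mechanism calibration: noise scale for (epsilon, delta)-DP.
    The formula is valid for epsilon <= 1, which holds for the page's epsilon = 1.0."""
    return l2_sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / epsilon


def contributor_slot(client_id, secret):
    """Assumed slot scheme: HMAC-SHA256 over the client id under a rotating secret.
    Without the secret, a slot key cannot be linked back to a client identity."""
    return hmac.new(secret, client_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pool_priors(posteriors, benchmark, seed=None):
    """posteriors: dict slot_key -> probability vector (same length as benchmark).
    Returns (source, prior): 'benchmark' below the k floor, else a DP-noised mean."""
    n = len(posteriors)
    if n < K_FLOOR:
        # k-anonymity fallback: publish the industry benchmark, not a pooled prior.
        return "benchmark", list(benchmark)
    size = len(benchmark)
    mean = [sum(p[i] for p in posteriors.values()) / n for i in range(size)]
    # Two probability vectors differ by at most sqrt(2) in L2 norm, so swapping one
    # contributor moves the mean by at most sqrt(2)/n (assumed sensitivity bound).
    sigma = gaussian_sigma(math.sqrt(2.0) / n)
    rng = random.Random(seed)
    noisy = [max(0.0, v + rng.gauss(0.0, sigma)) for v in mean]
    total = sum(noisy)  # clipping and renormalising are post-processing: no extra budget
    if total == 0.0:
        return "pooled", [1.0 / size] * size  # every bin clipped away: uniform prior
    return "pooled", [v / total for v in noisy]


if __name__ == "__main__":
    secret = b"constructed-rotating-secret"
    bench = [0.25, 0.5, 0.25]
    # Constructed sample: five clients, each submitting a 3-bin posterior.
    subs = {contributor_slot(f"client-{i}", secret): [0.2, 0.6, 0.2] for i in range(5)}
    print(pool_priors(subs, bench, seed=0))
    print(pool_priors(dict(list(subs.items())[:4]), bench, seed=0))
```

With only five contributors the calibrated noise is large relative to the signal, which is the trade-off the k floor and the per-category epsilon budget encode.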

Plain-English detail: IP and data ownership.

Audit trail

Every mutating API call is written to an append-only audit_log table with actor, resource, before-hash, after-hash, and request ID. The table is write-once at the Postgres role level; even the Acera API role cannot rewrite history. Enterprise clients can request their audit stream as a signed export.

Data subject rights

Under the Australian Privacy Act 1988 and the GDPR, you may exercise the following rights in respect of personal information we hold about you.

Access
Request a copy of the personal information we hold about you.
Correction
Ask us to correct information that is inaccurate, out of date, incomplete, or misleading.
Erasure
Request deletion of your personal information, subject to legal retention obligations.
Portability
Receive your data in a structured, commonly used, machine-readable format.

How we handle each request is documented in the Privacy Policy. To make a request, email privacy@aceralabs.com.au.

Breach notification

EU / GDPR
72-hour target

Notify the lead supervisory authority within 72 hours of becoming aware, per GDPR Article 33. Affected data subjects notified without undue delay where the risk is high.

AU / OAIC
Within 30 days

Notifiable Data Breaches scheme under the Privacy Act 1988: OAIC and affected individuals notified as soon as practicable and within 30 days where the breach is eligible.

Compliance roadmap

We will not claim certifications we do not hold. This is where we actually are.

SOC 2 Type I
In progress. Target Q2 2026.
ISO 27001
Roadmap. Target Q4 2026 after SOC 2 Type I is issued.
AU Privacy Act (APP 1-13)
Live. Mapping in internal APP 1-13 register; quarterly review.
GDPR / ePrivacy
Live for EU visitors. Article 30 register maintained; SCCs in place for cross-border subprocessors.

Subprocessor register

Full list with roles, data regions, and transfer bases. The canonical register is maintained at /legal/subprocessors.

Name · Purpose · Data access
Anthropic · LLM inference (Claude) · Prompt context + analytical outputs. Not used to train models.
Supabase · Postgres database + auth · All structured personal data, encrypted at rest.
Fly.io · Compute (region syd) · Data in transit; compute processing.
Cloudflare · CDN, DNS, Turnstile · Request metadata only. No raw uploaded data.
Stripe · Billing · Billing information only. Acera never holds card data.
PostHog · Product analytics · Anonymised events + session IDs. Disabled if you decline cookies.
Sentry · Error monitoring · Error traces. PII scrubbed at the SDK.
Resend · Transactional email · Recipient address + transactional content.
Zoho · Operational mail (hello@, privacy@, etc.) · Inbound and outbound mail content.

Contact

Mailbox provisioning is in progress. If a mailbox below bounces, email hello@aceralabs.com.au with the intended subject line and we will route it.

Security researchers: see our security.txt