Security
Australian data sovereignty, by default.
Every byte of customer data stays in Sydney. Every model provider is configured zero-retention. Every tenant is isolated at the database layer. The stack is designed for regulated Australian industries.
Where data lives
The stack, in four numbers
01 · Residency
Australian data residency
All data at rest (transcripts, recordings, configuration, embeddings) lives in Supabase on AWS ap-southeast-2 (Sydney).
Voice compute runs on Fly.io Sydney. TTS resolves to Cartesia's AU endpoint (~8ms RTT). Nothing leaves the continent.

02 · Encryption
Encryption end to end
TLS 1.3 in transit on every leg: caller → Daily.co WebRTC, WebRTC → pipeline, pipeline → LLM/STT/TTS. AES-256 at rest on Supabase and S3.
Secrets managed via Vercel and Fly.io secret stores, never in source.

03 · Isolation
Tenant isolation via RLS
Every row in the database has an org_id and a Supabase Row-Level Security policy that scopes reads and writes to the authenticated organisation.
Cross-tenant leakage is a schema-level impossibility, not a policy.
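The isolation pattern described above, as an added example; it is not the vendor's own schema or policy code. The `transcripts` table, its columns other than `org_id`, the policy name, and the `app_metadata.org_id` JWT claim are assumptions; the second query is a check that lists any `org_id` table left without RLS or without a policy.

```sql
-- Hypothetical tenant-scoped table. Only the org_id column and the use of
-- Supabase Row-Level Security come from the page; the rest is assumed.
create table if not exists public.transcripts (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  call_id    uuid not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default on a new table; without this line no policy applies.
alter table public.transcripts enable row level security;
-- FORCE makes the policies apply to the table owner as well.
alter table public.transcripts force row level security;

-- Assumption: the caller's organisation is carried in the JWT under
-- app_metadata.org_id (a claim users cannot edit themselves).
-- USING filters rows that can be read, updated or deleted;
-- WITH CHECK rejects inserts and updates that would write another org's id.
create policy transcripts_tenant_isolation on public.transcripts
  for all
  to authenticated
  using      (org_id = (auth.jwt() -> 'app_metadata' ->> 'org_id')::uuid)
  with check (org_id = (auth.jwt() -> 'app_metadata' ->> 'org_id')::uuid);

-- Audit check: every table in the public schema that has an org_id column
-- but has RLS disabled or has no policy attached. Expected result: zero rows.
select c.relname             as table_name,
       c.relrowsecurity      as rls_enabled,
       c.relforcerowsecurity as rls_forced,
       count(p.polname)      as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
join pg_attribute a on a.attrelid = c.oid
                   and a.attname = 'org_id'
                   and not a.attisdropped
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind in ('r', 'p')   -- ordinary and partitioned tables
group by c.relname, c.relrowsecurity, c.relforcerowsecurity
having not c.relrowsecurity or count(p.polname) = 0
order by c.relname;
```

Roles with the BYPASSRLS attribute, such as Supabase's `service_role`, are not constrained by these policies, so server-side code that uses that key has to filter on `org_id` itself.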

04 · Training
Zero model training
Customer call content is never used to train models. We use Anthropic's Claude API with the zero-retention flag.
Deepgram and Cartesia are configured the same way. Your calls stay your calls.

05 · Audit
Audit logs and retention controls
Every call produces a full transcript, event trace, and metadata record. Per-org retention windows (30 / 90 / 365 days or custom).
Deletion requests are honoured within seven days.

06 · Compliance
Compliance posture
Designed against APRA CPS 234, the Australian Privacy Principles (APPs), and the upcoming SOC 2 Type II control set.
Custom DPAs and MSAs available for regulated entities: healthcare, super, insurance.

FAQ
The questions procurement always asks
Transcripts, call recordings, flow definitions, analytics, and embeddings all live in Supabase Postgres on AWS ap-southeast-2 (Sydney). Voice compute runs on Fly.io Sydney. Static assets are served via Vercel's edge network (static HTML only, no customer data).
No. The LLM, STT, and TTS providers we use are all configured with zero-retention flags. Call audio and transcripts are never sent to model training pipelines, ours or theirs.
Transcripts are stored with the same RLS isolation as the rest of the database; only users in your organisation can read them. We support configurable redaction of extracted variables (e.g. credit card numbers) before persistence.
SOC 2 Type II is on the 2026 roadmap. We already follow the control framework: access review, change management, incident response, vendor review. The current evidence package is available on request under NDA.
Yes, for annual agreements above a threshold. Email contact@verticalai.com.au and we'll route you to the right template. Standard terms cover most SMB and mid-market deals.
Need the paperwork?
We ship DPAs, MSAs, and evidence packages to Australian buyers every week. Tell us the shape you need.
