Veriqua Pty Ltd

Security & Data Residency Statement

Version 1.0Last reviewed: 29 June 2026PUBLIC

This statement describes how Veriqua stores, protects, and isolates client data. It is maintained as a living document and updated whenever the underlying infrastructure changes.

1. Data Residency & Sovereignty

Veriqua is architected to keep all client data onshore in Australia at every layer of the stack.

LayerLocationProvider
Application hostingSydney, AustraliaReplit deployment on Google Cloud (Australian region)
PostgreSQL databaseSydney, AustraliaNeon (AWS ap-southeast-2)
Object storage (files)Sydney, AustraliaGCS-backed object storage
AI inference (GPT-4o)Sydney, AustraliaAzure OpenAI Australia East
Identity verification & screeningSydney (primary), Melbourne (backup)AWS Sydney. ISO 27001 and SOC 2 Type II certified. KYC and AML screening data does not leave Australia.
RAG corpus (pgvector)Sydney, AustraliaStored in AU Sydney PostgreSQL — no external vector DB
Outbound emailSydney, AustraliaAWS SES ap-southeast-2. No email content or metadata transits any overseas relay.
Backup (pg_dump)Sydney, AustraliaObject storage — 30-day retention

Data residency — general principle

All compliance records, KYC data, transaction data, financial information, and audit logs are stored and processed exclusively in Australia. No such data crosses Australian borders.

Privacy Act APP 8 — position

No personal information is disclosed to overseas recipients. All personal information — including KYC records, beneficial ownership data, and transaction records — is stored and processed within Australia. As no personal information is disclosed to an overseas recipient, APP 8 cross-border disclosure obligations are not engaged for client personal information.

AI prompt scope

Only the compliance question text and relevant regulatory context are sent to the AI endpoint. No personally identifiable client data, KYC records, or transaction data is included in AI prompts.

2. Encryption & Data Protection

Data at restAES-256 encryption (platform default — Google Cloud, AWS, and Azure)
Data in transitTLS 1.2+ enforced on all connections; no unencrypted HTTP accepted
Password storagebcrypt, cost factor 12 — no plaintext passwords stored anywhere
Webhook integrityHMAC-SHA256 signature verification on all inbound Stripe webhooks
Session securityHTTP-only secure session cookies; SESSION_SECRET environment variable
Export safetyNo passwords, hashed credentials, or raw session tokens included in data exports
File storagePresigned URL pattern — files are never served directly from the database

3. Immutable Audit Logging

Veriqua implements database-level audit log immutability — not merely application-level protection. The audit_log table is governed by PostgreSQL triggers:

BEFORE DELETE trigger

Raises EXCEPTION — no application code can delete an audit_log row.

BEFORE UPDATE trigger

Raises EXCEPTION — no application code can modify an audit_log row.

Both triggers operate at the PostgreSQL engine level, below the application layer.

Append-onlyNo application user, administrator, or direct database connection (short of a PostgreSQL superuser dropping the trigger) can modify or delete an audit log row.
What is capturedEntity type, entity ID, action, user name, user role, IP address, user agent, old value, new value, severity, and timestamp — on every create, update, and delete across all modules.
Regulatory basisSatisfies AUSTRAC 7-year record-keeping obligations (AML/CTF Act 2006 s.106) and Corporations Act s.286 retention requirements.
Export loggingEvery data export is itself logged to the immutable audit trail with the exporting user's identity, IP address, and timestamp.
RetentionAudit log rows are never purged by scheduled jobs. The full log remains in the database indefinitely.

4. Access Control & Multi-Tenant Isolation

Role-Based Access Control (RBAC)

RolePermissions
read_onlyView all records within own firm. No create, edit, or delete.
compliance_officerFull read + write within own firm. Cannot manage users or billing.
responsible_managerFull read + write + digital sign-off authority within own firm.
adminAll of the above + user management, data export, and firm settings.
super_adminCross-tenant visibility (Veriqua staff only). Separately gated and audit-logged.

Multi-Tenant Isolation

Row-level firmIdEvery table in the database carries a firmId column. No query executes without a WHERE firmId = ? clause enforced by the firmContext middleware.
Middleware enforcementThe firmContext middleware validates the session's firmId on every authenticated route and rejects any attempt to query outside the tenant's scope.
API isolationNo API endpoint returns data from more than one tenant. Cross-tenant data leakage is architecturally impossible through normal API paths.
CSRF protectionCSRF tokens required on all state-changing (POST/PUT/PATCH/DELETE) requests.
Rate limitingPer-IP rate limiting applied to all API routes to mitigate brute-force and enumeration attacks.

5. Backup & Business Continuity

PostgreSQL pg_dumpDaily automated backup to object storage — Sydney, Australia. 30-day retention.
GitHub pushFull codebase pushed to encrypted GitHub repository every 6 hours. Indefinite retention.
Object storage filesPlatform-managed with 30-day lifecycle policy. AU Sydney GCS-backed.
Row count verificationEach backup run verifies the table row count and logs it alongside the backup record, providing an integrity check against silent truncation.
Recovery objectiveDaily pg_dump enables point-in-day recovery. Target RTO: same business day. RPO: 24 hours.

6. Responsible Disclosure & Pending Items

Veriqua does not make security claims it cannot substantiate. The following items are in progress:

Independent penetration test

CREST-certified — scheduled, not yet completed. No 'pen tested' claim is made until complete.

ISO 27001 certification

Not yet pursued. No ISO 27001 claim is made.

SOC 2 Type II audit

Not yet pursued. No SOC 2 claim is made.

Infrastructure migration

Planned migration to dedicated AU hosting. Current: Sydney, Australia — application on Replit/Google Cloud; database on Neon/AWS (ap-southeast-2).

Security disclosures

To report a security vulnerability, contact [email protected] with subject line Security Disclosure. Veriqua commits to acknowledging receipt within 2 business days and a remediation timeline within 10 business days.

7. Regulatory Alignment

ObligationHow Veriqua satisfies it
AML/CTF Act 2006 s.106 — 7-year retentionImmutable audit log + 7-year retention policy. No records are deleted.
Privacy Act 1988 APP 8 — no cross-border disclosureAll personal information is AU-resident and processed exclusively in Australia. No personal data crosses Australian borders.
Privacy Act 1988 APP 11 — security of personal informationAES-256 at rest, TLS in transit, RBAC, multi-tenant isolation, audit logging.
Corporations Act 2001 s.286 — financial record retentionAFSL compliance records retained indefinitely; immutable audit trail.
AUSTRAC ECDD — enhanced CDD record securityKYC and CDD records stored in isolated tenant partition, audit-logged.

Issued by Veriqua Pty Ltd · ABN 92 697 961 023 · Perth, Western Australia

Contact: [email protected]

Version 1.0 · 29 June 2026 · PUBLIC