Veriqua Pty Ltd
Security & Data Residency Statement
This statement describes how Veriqua stores, protects, and isolates client data. It is maintained as a living document and updated whenever the underlying infrastructure changes.
1. Data Residency & Sovereignty
Veriqua is architected to keep all client data onshore in Australia at every layer of the stack.
| Layer | Location | Provider |
|---|---|---|
| Application hosting | Sydney, Australia | Replit deployment on Google Cloud (Australian region) |
| PostgreSQL database | Sydney, Australia | Neon (AWS ap-southeast-2) |
| Object storage (files) | Sydney, Australia | GCS-backed object storage |
| AI inference (GPT-4o) | Sydney, Australia | Azure OpenAI Australia East |
| Identity verification & screening | Sydney (primary), Melbourne (backup) | AWS Sydney. ISO 27001 and SOC 2 Type II certified. KYC and AML screening data does not leave Australia. |
| RAG corpus (pgvector) | Sydney, Australia | Stored in AU Sydney PostgreSQL — no external vector DB |
| Outbound email | Sydney, Australia | AWS SES ap-southeast-2. No email content or metadata transits any overseas relay. |
| Backup (pg_dump) | Sydney, Australia | Object storage — 30-day retention |
Data residency — general principle
All compliance records, KYC data, transaction data, financial information, and audit logs are stored and processed exclusively in Australia. No such data crosses Australian borders.
Privacy Act APP 8 — position
No personal information is disclosed to overseas recipients. All personal information — including KYC records, beneficial ownership data, and transaction records — is stored and processed within Australia. As no personal information is disclosed to an overseas recipient, APP 8 cross-border disclosure obligations are not engaged for client personal information.
AI prompt scope
Only the compliance question text and relevant regulatory context are sent to the AI endpoint. No personally identifiable client data, KYC records, or transaction data is included in AI prompts.
2. Encryption & Data Protection
3. Immutable Audit Logging
Veriqua implements database-level audit log immutability — not merely application-level protection. The audit_log table is governed by PostgreSQL triggers:
BEFORE DELETE trigger
Raises EXCEPTION — no application code can delete an audit_log row.
BEFORE UPDATE trigger
Raises EXCEPTION — no application code can modify an audit_log row.
Both triggers operate at the PostgreSQL engine level, below the application layer.
4. Access Control & Multi-Tenant Isolation
Role-Based Access Control (RBAC)
| Role | Permissions |
|---|---|
| read_only | View all records within own firm. No create, edit, or delete. |
| compliance_officer | Full read + write within own firm. Cannot manage users or billing. |
| responsible_manager | Full read + write + digital sign-off authority within own firm. |
| admin | All of the above + user management, data export, and firm settings. |
| super_admin | Cross-tenant visibility (Veriqua staff only). Separately gated and audit-logged. |
Multi-Tenant Isolation
5. Backup & Business Continuity
6. Responsible Disclosure & Pending Items
Veriqua does not make security claims it cannot substantiate. The following items are in progress:
Independent penetration test
CREST-certified — scheduled, not yet completed. No 'pen tested' claim is made until complete.
ISO 27001 certification
Not yet pursued. No ISO 27001 claim is made.
SOC 2 Type II audit
Not yet pursued. No SOC 2 claim is made.
Infrastructure migration
Planned migration to dedicated AU hosting. Current: Sydney, Australia — application on Replit/Google Cloud; database on Neon/AWS (ap-southeast-2).
Security disclosures
To report a security vulnerability, contact [email protected] with subject line Security Disclosure. Veriqua commits to acknowledging receipt within 2 business days and a remediation timeline within 10 business days.
7. Regulatory Alignment
| Obligation | How Veriqua satisfies it |
|---|---|
| AML/CTF Act 2006 s.106 — 7-year retention | Immutable audit log + 7-year retention policy. No records are deleted. |
| Privacy Act 1988 APP 8 — no cross-border disclosure | All personal information is AU-resident and processed exclusively in Australia. No personal data crosses Australian borders. |
| Privacy Act 1988 APP 11 — security of personal information | AES-256 at rest, TLS in transit, RBAC, multi-tenant isolation, audit logging. |
| Corporations Act 2001 s.286 — financial record retention | AFSL compliance records retained indefinitely; immutable audit trail. |
| AUSTRAC ECDD — enhanced CDD record security | KYC and CDD records stored in isolated tenant partition, audit-logged. |
Issued by Veriqua Pty Ltd · ABN 92 697 961 023 · Perth, Western Australia
Contact: [email protected]
Version 1.0 · 29 June 2026 · PUBLIC