Trust & Security
Veriqua is built to protect the most sensitive regulatory data of Australian financial institutions. We operate on a principle of absolute transparency regarding our security posture.
Platform Architecture
Five architectural decisions that set Veriqua apart from generic GRC software.
AI Regulatory Assistant
A RAG-powered (Retrieval-Augmented Generation) assistant that queries 15 Australian regulatory source documents in plain English. Responses are grounded in retrieved source text — not model memory — which eliminates the risk of fabricated regulatory references.
Data Sovereignty by Architecture
Compute, database, and AI inference are all hosted in Australia East. Not a contractual promise — a technical fact. Designed to comply with Australian Privacy Principle (APP) 8 cross-border disclosure obligations.
Digital Sign-Off
Content-hashed certificates issued at the moment of sign-off, recording the signer's name, role, and capacity. Each certificate carries an independent verification URL — tamper-evident by design.
Multi-Tenant Architecture
Per-firm data isolation with five-level Role-Based Access Control (RBAC) (Owner, Admin, Compliance Manager, Staff, Auditor). Stripe billing is automated per tenant. Daily backups are scoped per firm.
Audit-Ready by Default
Every write, update, and deletion creates an immutable, timestamped entry in the central audit log. Evidence chains link each action to its source document. Source documents are version-controlled — regulators see exactly what was in force at the time of each decision.
Data Residency & Sovereignty
All compute, database storage, and AI inference are hosted within Australia East. Application servers run in the AU region; the PostgreSQL database is hosted in AU East; AI inference runs on Azure OpenAI AU East. We do not transfer your data offshore. This architecture is designed to support compliance with Australian Privacy Principle (APP) 8 (Cross-border disclosure of personal information).
Security Architecture
The platform enforces strict Role-Based Access Control (RBAC) to ensure segregation of duties. Protections include strict session management, anti-CSRF tokens, and aggressive rate limiting on authentication endpoints.
Every write, update, and delete action creates an immutable, timestamped record in the central audit log.
Authentication
Veriqua uses OpenID Connect with PKCE (a modern secure login standard that protects against credential interception) for all authentication flows. Enterprise single sign-on — allowing staff to log in with existing Microsoft 365, Google Workspace, or Okta credentials — is on our product roadmap.
Backups & Disaster Recovery
Your compliance data is backed up daily and recoverable for up to 30 days — so if you ever need to restore a previous state, a month of history is available. In a worst-case scenario, our targets are: no more than 24 hours of data loss (Recovery Point Objective) and the platform restored within 4 hours (Recovery Time Objective). In plain terms: at most one day of entries, and back up within a working morning.
Compliance Posture
- • Fully aligned with the Privacy Act 1988 and Australian Privacy Principles (APPs).
- • Architecture aligns with APRA CPS 234 information security standards.
- • Controls mapped to ISO 27001 requirements (formal certification pending).
- • AI implementation complies with the ASIC AI Information Sheet, strictly avoiding generative hallucination on statute.
Independent Testing
A CREST-accredited independent penetration test is scheduled for Q3 2026. Executive summaries of the report will be made available to Enterprise clients under NDA.