
Trust Center

Your data is protected through transparent practices, strong controls, and carefully vetted vendors.

Data sources

We collect public market signals and limited customer-submitted content to deliver insights.

Public data we collect

We ingest widely available information such as social posts, news, and ASX announcements. Although these sources are public, we still process them responsibly and in line with applicable laws and our contractual commitments.

Customer-submitted content

Manual Activities like calls, meetings, presentations, events, and files are private within your organisation. Only authorised users in that organisation can view them.

Organisation data boundaries

Each ticker equals one organisation. Users only see organisations they belong to. Manual Activities are visible to users within that organisation by design to support collaboration.

File storage for Manual Activities

Files are stored in Google Cloud Storage. We use short-lived, signed URLs for uploads and downloads to prevent unauthorised access.

Security infrastructure

We layer controls across identity, application, data, and vendors.

Authentication and access

We use Outseta for auth and account gating. Outseta supports cookie-based tokens that can persist auth across domains if configured, and provides signed webhook verification using HMAC-SHA256. 

Application and API safeguards

  • Origin protection with CORS for approved domains

  • Input validation and structured error handling to avoid leaking sensitive details

  • Request timeouts and rate limiting to deter abuse

Database security

Our primary data store is PostgreSQL on Google Cloud SQL. All connections are encrypted in transit. Secrets are kept in secure environment variables. We follow documented retention and deletion processes and invalidate caches to ensure data freshness.

File storage security

Files are kept in Google Cloud Storage with isolated buckets, tight IAM, and automatically generated paths to avoid collisions and enumeration.

Third-party services

We only share the minimum necessary data and use secure APIs.

  • Outseta for authentication, subscriptions, CRM and billing workflows. Outseta publishes a Privacy Policy that includes GDPR rights and offers a standard DPA for customers. Outseta notes its servers run on AWS and that Stripe is PCI-DSS compliant for payment processing. 

  • Google Cloud Platform for hosting, databases, and storage.

  • Pinecone for vector storage of embeddings.

  • OpenAI for selected AI processing, with a DPA in place between us and OpenAI.

  • Webhooks to and from vendors are validated and signed. Outseta provides webhook signatures you can verify. 

Compliance and privacy

We support GDPR-style rights and offer a DPA for customers that require one. Australian businesses can be subject to GDPR when handling EU personal data — a DPA is the expected instrument. 

Data retention and deletion

We retain customer data for the life of the account unless your contract specifies otherwise. We honour deletion requests and remove data from active systems and backups on a defined schedule.

Incident response

We monitor for anomalies, triage potential incidents, and notify affected customers without undue delay in line with our contractual and legal obligations.

Sub-processor register

We maintain a live list of sub-processors and notify customers before material changes.