Security

How we protect your data.

Last updated 29 April 2026

ShiftReady is small and early. We're not going to oversell what we have. This page is an honest account of what's in place today and what we're building next.

Where your data lives

Customer data is hosted in Sydney, Australia (AWS ap-southeast-2 via Supabase). We do not move customer content outside Australia without your consent.

Encryption

  • In transit: TLS 1.2+ for every request. HTTPS-only. HSTS enabled.
  • At rest: AES-256 encryption on the database volume and on object storage for uploaded files.
  • Backups: Encrypted, stored in the same region, retained 30 days.

Access control

  • Principle of least privilege for all staff and systems.
  • Supabase Row-Level Security on every customer table.
  • Service-role database keys are stored as environment variables, never in the codebase.
  • Admin access to production requires a second factor.
  • Staff access to customer data is logged and only for support cases the customer has raised.

File storage & credentials

Uploaded documents and staff credential files (certs, licences, photos of cards) are stored in private Supabase Storage buckets in Sydney. They're never public — downloads always go through short-lived signed URLs (1-hour TTL) that the server generates on demand.

Storage paths are scoped by tenant ID at the leading folder level (<tenant_id>/<kind>/...), so even at the storage layer there is no path that crosses tenants.

AI spend caps

Every AI generation (module drafting) is logged with token counts, cost in AUD cents, and latency. There's a hard daily AI spend cap per business (default $20 AUD/day) so a runaway loop can't bleed your account or our infrastructure. You can see your usage per day if you ask — full self-serve usage dashboard is on the roadmap.

Payments

Card details are handled by Stripe. We never see or store full card numbers. Stripe is PCI DSS Level 1 compliant.

AI model providers

Module drafting goes through an AI foundation model (currently Anthropic). We use zero-retention API terms so content passed for drafting is not stored by the model provider and is never used to train their models. More in our privacy policy.

Software practices

  • Every deploy goes through automated typecheck and linting.
  • Dependencies are kept current — critical CVEs are patched within 7 days.
  • Secrets never land in source control; rotated on staff role change.
  • Production logs are structured and retained 30 days.

Incident response

If we detect a breach of your personal information that is likely to cause serious harm, we'll notify you and the Office of the Australian Information Commissioner in line with the Notifiable Data Breaches scheme.

Status updates during an incident go out by email and on our status page.

What we're building next

  • SOC 2 Type I readiness (late 2026)
  • Single sign-on (SSO) for the Team plan
  • Bring-your-own-storage (encrypted S3 bucket) for larger customers
  • Tenant-side AI usage dashboard with per-day spend visibility
  • Sensitive-credential bucket with explicit consent flow (WWCC, police checks, medical)

Responsible disclosure

Found a vulnerability? Email security@shiftready.com.au. We'll acknowledge within 2 business days, keep you updated while we investigate, and won't take legal action against researchers acting in good faith.