How we protect your data.
Last updated 17 April 2026
ShiftReady is small and early. We're not going to oversell what we have. This page is an honest account of what's in place today and what we're building next.
Where your data lives
Customer data is hosted in Sydney, Australia (AWS ap-southeast-2 via Supabase). We do not move customer content outside Australia without your consent.
Encryption
- In transit: TLS 1.2+ for every request. HTTPS-only. HSTS enabled.
- At rest: AES-256 encryption on the database volume and on object storage for uploaded files.
- Backups: Encrypted, stored in the same region, retained 30 days.
Access control
- Principle of least privilege for all staff and systems.
- Supabase Row-Level Security on every customer table.
- Service-role database keys are stored as environment variables, never in the codebase.
- Admin access to production requires a second factor.
- Staff access to customer data is logged and limited to support cases the customer has raised.
Payments
Card details are handled by Stripe. We never see or store full card numbers. Stripe is PCI DSS Level 1 compliant.
AI model providers
Module drafting goes through an AI foundation model (currently Anthropic). We use zero-retention API terms so content passed for drafting is not stored by the model provider and is never used to train their models. More in our privacy policy.
Software practices
- Every deploy goes through automated typecheck and linting.
- Dependencies are kept current — critical CVEs are patched within 7 days.
- Secrets never land in source control and are rotated on staff role change.
- Production logs are structured and retained 30 days.
Incident response
If we detect a breach of your personal information that is likely to cause serious harm, we'll notify you and the Office of the Australian Information Commissioner in line with the Notifiable Data Breaches scheme.
Status updates during an incident go out by email and on our status page.
What we're building next
- SOC 2 Type I readiness (late 2026)
- Single sign-on (SSO) for the Team plan
- Bring-your-own-storage (encrypted S3 bucket) for larger customers
Responsible disclosure
Found a vulnerability? Email security@shiftready.com.au. We'll acknowledge within 2 business days, keep you updated while we investigate, and won't take legal action against researchers acting in good faith.