Your data lives in Australia.
All client data is encrypted at rest in Sydney. Documents on AU-pinned storage. Every organisation gets its own encryption key. Your data is sealed off from every other tenant.
Last updated: May 2026
Where your data physically lives
Every layer of the hot path runs in Australia.
Database, application servers and object storage are pinned to Sydney. Edge protection runs through a global network with TLS terminated at the closest Australian point of presence.
Defence in depth
Six layers between an attacker and your client data.
A breach has to defeat every one of these in sequence. We build assuming the layer above will eventually fail.
Layer 1: Edge & Transport (Cloudflare/Global, AU PoPs primary)
- TLS 1.3 enforced (no downgrade)
- Always-on DDoS mitigation
- Web Application Firewall (OWASP rules)
- Bot management, automated rate limiting
- DNSSEC and HSTS preload
- TLS terminated at closest AU PoP
Layer 2: Application Runtime (Vercel/syd1, Sydney)
- Serverless functions pinned to Sydney
- Encrypted environment secrets
- Per-deployment immutable hashes
- Auto-scaled, no shared instances
- HTTPS-only enforcement
- Integrated audit log
Layer 3: Database (AWS/ap-southeast-2, Sydney)
- AES-256 encryption at rest
- Point-in-time recovery (PITR)
- Automated daily snapshots
- All queries parameterised (no string SQL)
- Per-organisation row-level isolation
- TLS 1.3 channel-bound connections
Layer 4: Application Authentication (ImmiIQ/Application layer)
- Passwordless magic-link sign-in
- Sessions expire after 24 hours
- One active session per user
- Brute-force protection on every account
- Sign-in activity log per user
- IP allowlist for Enterprise teams
- Sign in with Google or Apple
- Strict tenant isolation on every request
Layer 5: Per-Member Access Control (ImmiIQ/Application layer)
- Three data scopes per member: all clients / their team / assigned only
- Ten module switches per member to lock specific surfaces
- Named role templates with bulk apply across the team
- Sub-team grouping with optional default role + sync
- Restrictions enforced at the database, not the UI
- Direct API calls return the same restricted set the user sees
- AI assistant honours the same scope on every tool call
Layer 6: Per-Organisation Encryption (ImmiIQ/Application layer)
- Industry-standard authenticated encryption
- Unique encryption key derived per organisation
- Sensitive client data encrypted at rest
- Search remains fast on encrypted records
- Integration credentials and session tokens sealed
- Key rotation invalidates every prior ciphertext
Document access
No public document URLs. Ever.
Every uploaded passport, visa letter and financial record is stored behind a server-side authorisation check. Direct URLs to documents do not exist. When an authenticated agent opens a document, ImmiIQ mints a signed URL that expires in one hour. After expiry the link is permanently invalid.
Signed URLs only
Every download generates a unique, time-limited URL. Sharing the link does not share access beyond one hour.
Cross-organisation isolation
Even at the database level, no agent in one organisation can request a document URL belonging to another.
Australian primary placement
Documents are stored on Cloudflare / AWS object storage with Oceania (Australia / New Zealand) primary placement.
Audit trail
Every document open, download and share is logged. Admins can review the full history.
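The document-access flow described above, as an added illustration that is not ImmiIQ's own code: an authorisation check runs server-side before any URL exists, the URL is an HMAC-signed link bound to the organisation, the document and a one-hour expiry, and redemption fails once the link has expired, been tampered with, or is presented by a different tenant. The signing secret, path layout and parameter names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed signing secret for the example; a real deployment keeps this in an
# encrypted environment secret, never in source.
SIGNING_KEY = b"constructed-example-secret-do-not-reuse"
TTL_SECONDS = 3600  # the page's one-hour expiry


def _mac(message: bytes) -> str:
    """URL-safe HMAC-SHA256 tag over the signed fields."""
    digest = hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def mint_document_url(agent_org: str, doc_org: str, doc_id: str, now: int) -> str:
    """Server-side authorisation check, then a signed URL bound to org, doc and expiry."""
    if agent_org != doc_org:
        # Cross-organisation request: refuse before any link is minted.
        raise PermissionError("document belongs to another organisation")
    expires = now + TTL_SECONDS
    payload = f"{doc_org}:{doc_id}:{expires}".encode()
    return f"/documents/{doc_id}?org={doc_org}&exp={expires}&sig={_mac(payload)}"


def verify_document_url(url: str, requesting_org: str, now: int) -> bool:
    """Redemption check: unexpired, untampered, and presented by the owning tenant."""
    path, _, query = url.partition("?")
    params = {}
    for kv in query.split("&"):
        key, _, value = kv.partition("=")
        params[key] = value
    doc_id = path.rsplit("/", 1)[-1]
    try:
        expires = int(params["exp"])
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False  # expired links are permanently invalid
    if params.get("org") != requesting_org:
        return False  # a link from one tenant cannot be redeemed by another
    expected = _mac(f"{params['org']}:{doc_id}:{expires}".encode())
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    return hmac.compare_digest(expected, params.get("sig", ""))
```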
Compliance
What we comply with.
Every claim on this page is implemented in code. Procurement teams who check the detail will find what we publish is exactly what we run.
- Australian Privacy Act 1988 / Australian Privacy Principles
- MARA Code of Conduct (privacy and confidentiality)
- GDPR principles for any EU clients you serve
- OWASP Top 10 aligned (parameterised SQL, input sanitisation, output encoding)
- Cross-organisation data isolation at the request boundary
- Role-based permissions (Admin / Member)
Frequently asked
Common questions about your data
The things procurement teams, Registered Migration Agents (still widely known as MARA agents) and law-firm partners ask before signing.
All client records and documents live in Australia. Our database and application servers run in Sydney; document storage is pinned to Australian-only locations. Edge protection runs across a global network with TLS terminated at the closest Australian point of presence.
Yes. All data is encrypted in transit with TLS 1.3 and encrypted at rest using industry-standard authenticated encryption. Sensitive personal fields like passport numbers, dates of birth and family details are additionally encrypted using a key unique to your organisation - so even at the database layer, your data is sealed off from every other tenant.
Operationally, the encryption keys for your organisation are derived such that ImmiIQ staff cannot read your sensitive client fields by querying the database. Engineers run on a least-privilege model; production access is logged and audited. We do not use your customer data to train AI models - the AI model that powers Harper runs inside our own AWS Sydney VPC with read-only weights, so there is no training feedback loop, and no third-party AI provider receives your data.
Sign-in is passwordless. We email a one-time magic link to your registered address; the link expires in 10 minutes and can only be used once. Sessions last 24 hours and only one active session per user is allowed - if a signed-in laptop is stolen, you can sign out everywhere from any other device. We rate-limit aggressive attempts and lock accounts that show signs of a brute-force attempt. Every sign-in attempt is recorded with device and country in your personal security log.
Yes. Enterprise organisations can configure an IP allowlist - sign-ins from any other address are rejected and logged for audit. Useful for firms operating from a fixed office network or VPN.
Yes. Every Pro plan includes per-member access control across three axes. Data scope limits which client records a member can read - all clients, only their team's clients, or only clients they're personally assigned to. Module access lets you switch off any of ten surfaces per member (clients, cases, communications, AI, documents, invoices, reports, billing, settings, team management). Role templates let admins build a Finance or Client-Service role once and apply it across the team. All restrictions are enforced at the database layer, not just the UI - a direct API call returns the same restricted set the user sees in the app, and the AI assistant honours the same scope on every tool call.
No. Strict tenant isolation is enforced on every Harper request. Harper only ever sees clients that belong to your organisation. Every tool that touches client data verifies ownership before reading; cross-organisation attempts are rejected and recorded. Harper is also instructed to refuse to speculate when its tools return no data, so it cannot 'invent' details about a client it has not been authorised to see.
Harper is opt-in - you only invoke it when you open the AI panel and submit a prompt. When you do, the prompt plus any client or case context you explicitly attach is processed inside ImmiIQ's own AWS Sydney VPC (region ap-southeast-2). Your data does not leave that region and is not sent to any third-party AI provider - no OpenAI, no Anthropic, no Google AI. The model runs on read-only weights inside our VPC, so there is no training feedback loop; your prompts can never influence the model's behaviour for other customers. Our mobile applications do not connect to any AI provider directly - the mobile app talks only to our servers, and AI inference is handled in our backend. Per-organisation AES-256-GCM encryption protects your at-rest data independently of any AI processing. Full breakdown, including what is and is not processed, is in our privacy policy.
ImmiIQ operates under the Australian Privacy Principles (APPs). Personal information is collected only as necessary to provide the service, used only for the disclosed purposes, and stored on infrastructure pinned to Australia. Our full privacy policy covers collection, retention, breach notification, access and correction rights.
Yes - a small set of established cloud providers, all configured to keep your client data in Australia. The full list, their roles and Australian regions is available on request for procurement reviews.
Account owners can export every client record, communication, document and audit log at any time from the in-app export tools. On account closure we honour deletion requests in line with our retention policy and the Australian Privacy Act - typically within 30 days, with explicit confirmation. Backups age out on a defined retention schedule.
We follow the Notifiable Data Breaches scheme under the Privacy Act 1988. If we believe a breach is likely to result in serious harm, we notify affected customers and the Office of the Australian Information Commissioner (OAIC) without undue delay. Internally we run incident-response runbooks for triage, containment, eradication and post-incident review. Our security contact for responsible disclosure is [email protected].
On request after cancellation, we delete your live data within 30 days. Encrypted backups age out within a further 90 days under the standard backup retention schedule. Audit-log entries required for legal/compliance purposes (e.g. who accessed what, when) are retained for 7 years per Australian record-keeping standards, then deleted.
Security contact
Found something? Tell us.
Responsible disclosure welcome. We respond within one business day and credit researchers in our public security log if requested.
For procurement requests, please contact your account manager or [email protected].