What we do with your client data.

Jazhi is a Next.js application hosted on Vercel, with Supabase providing PostgreSQL, authentication, and file storage. Both deployment surfaces are pinned to Sydney:

• Application hosting: Vercel, region syd1 (Sydney edge + serverless).
• Database, auth, file storage: Supabase, AWS Sydney ap-southeast-2.
• Outbound email: Resend by default; Gmail / Microsoft Graph / SMTP (BYO) on the multi-provider mail roadmap.
• AI: Anthropic API for Suspense categorisation (Claude Haiku 4.5) and email drafting (Claude Sonnet 4.6).

All client data is stored in Australia. Database content, uploaded bank statements, BAS records, and generated reports are stored in AWS Sydney via Supabase, and are not replicated outside Australia for storage purposes.

• In transit: all connections to and from Jazhi use TLS.
• Database, baseline: Supabase Postgres provides full-database encryption at rest as a managed-service baseline.
• Sensitive secrets, application-layer: OAuth refresh tokens and SMTP passwords are AES-256-GCM encrypted at the application layer before being written to the database, in addition to the baseline above.
• Master key: held in environment configuration, never committed to source. Independent keys per environment so a copied database dump from one environment cannot be decrypted in another.

Your data is never used to train AI models.

• The Anthropic API operates under their no-training-data terms for API customers. Prompts and responses are not used to train Claude.
• Jazhi's “training rules” are deterministic keyword-to-category mappings stored per user. They are not AI model weights and do not move between accounts without explicit consent.
• Before any transaction text is sent to the Anthropic API, a redaction layer strips emails, ABNs, BSBs, account numbers, phone numbers, addresses, postcodes, TFNs, plus the specific client's own business name, contact name, and ABN.

• Authentication: email + password via Supabase Auth. MFA on the roadmap.
• Data isolation: Postgres row-level security (RLS) on every customer-data table. A user can only read or write their own rows; the database refuses cross-user reads even from the application's own server code.
• Service-role key: the elevated database key, used by background jobs, is held only in environment configuration and never exposed to the browser bundle.
• Operator access: support access is limited and logged.

The third-party services that handle data on our behalf. The full list and our DPA are available to enterprise customers on request.

Customer-supplied providers (BYO Gmail, Microsoft, SMTP) become additional sub-processors only for accounts that opt in.

If we become aware of a security incident affecting your data, we will notify affected accounts as soon as practicable and within the timeframes required by the Australian Privacy Act (Notifiable Data Breaches scheme), with the information available at the time and updates as the investigation progresses.

Vulnerability reports go to security@taxtracker.com.au. We follow standard responsible-disclosure practice: acknowledge within one business day, work in good faith on a fix, credit the reporter unless they prefer otherwise.

• Automated daily database backups with point-in-time recovery within the platform's retention window.
• Backup data is encrypted at rest under the same controls as the live database.
• Specific RTO / RPO targets available on request to enterprise customers as part of a DPA.

We're a young company and we will not pretend otherwise. What follows is the dated commitment, not a claim of certifications already held.

Jazhi is operated by Tax Tracker Pty Ltd, a registered tax agent practice (Tax Agent 26321143). The platform is built and operated by Zaki Ahmed Choudhry, holding:

• Tax Agent registration TPB 26298664
• BAS Agent registration TPB 26280921
• Membership of the Institute of Public Accountants (IPA)

All registrations are publicly verifiable on the Tax Practitioners Board register (tpb.gov.au). The TASA Code of Professional Conduct binds the operator regardless of what these terms say. That's a layer of obligation a typical SaaS vendor cannot offer because they aren't one.