Security at Safer
Your data deserves serious protection.
At Safer, security is not an afterthought - it is foundational to everything we build. This document outlines the technical and operational security controls we have in place to protect your data, ensure platform availability, and meet the expectations of enterprise procurement and compliance teams.
1. Data Sovereignty - Stored in Australia
Your data is stored in Australia. Safer is an Australian company, built on Australian infrastructure, for Australian businesses. All customer data is stored at rest within Australia, and we do not transfer customer data outside of Australia for storage unless explicitly requested and agreed to in writing.
Cloud Infrastructure - Amazon Web Services (AWS)
Safer's core platform runs on Amazon Web Services (AWS) in the Asia Pacific (Sydney) — ap-southeast-2 region. Our application backend, file storage, and backups run on AWS Sydney. AWS holds certifications including:
• ISO/IEC 27001,
• ISO/IEC 27017,
• ISO/IEC 27018,
• SOC 1/2/3, and
• IRAP (Protected)
Database — Supabase (Australia)
Customer records are stored in a Supabase Postgres database hosted in an Australian region. Data at rest is encrypted and remains within Australian jurisdiction.
By hosting our platform and storing data in Australia, Safer ensures that your data is subject to Australian law and remains within Australian jurisdiction.
AI Processing - Microsoft Azure (Australia)
AI inference - used to power Elara's document processing and workflow automation - runs on Microsoft Azure OpenAI's enterprise infrastructure. AI requests are primarily processed in Australia (Azure's Australia East region), which is our default. During periods of exceptionally high demand, an individual request may be processed in another Microsoft data centre to maintain performance and availability - but the underlying data always remains stored at rest in Australia. No data is stored overseas.
Critically, your data is never used to train AI models - not Microsoft's, not OpenAI's, nor any third party's. Microsoft processes each request on our behalf purely to generate a response in the moment; request content is not shared with OpenAI or any other party, and is automatically deleted rather than retained for ongoing storage. Your data stays yours.
2. Data Protection & Encryption
• Encryption in Transit: All data transmitted between your users and the Safer platform is protected using TLS 1.2 or higher. All connections are automatically redirected to HTTPS, and HTTP Strict Transport Security (HSTS) is enforced across all Safer domains.
• Encryption at Rest: All data stored within Safer - including database records, uploaded documents, and backups - is encrypted at rest using AES-256 encryption.
• Cryptographic Key Management: Infrastructure-level encryption keys are managed through AWS Key Management Service (KMS). KMS keys are rotated on a defined schedule and are never stored in application code.
3. Identity & Access Management
Safer uses Clerk, a SOC 2 Type II and HIPAA-certified identity provider, as the authentication layer. Clerk processes only name and email - no customer case data or health information is sent to Clerk.
• Multi-Factor Authentication: MFA is mandatory for all Safer team members with access to production systems. MFA is also available to all customer end-users.
• Role-Based Access Control: Access to customer data is governed by Role-Based Access Control (RBAC). Users are granted the minimum permissions required for their role, and access rights are revoked immediately upon offboarding.
• Enterprise SSO: Safer supports SAML 2.0 and OpenID Connect (OIDC) for enterprise Single Sign-On, enabling integration with Microsoft Entra ID, Okta, and Google Workspace.
4. Multi-Tenancy & Data Isolation
Safer is a multi-tenant platform with per-tenant database isolation. Each customer's data resides in a dedicated, isolated database. It is architecturally impossible for one customer to access another customer's data.
5. Application Security
• Secure Development Practices: Security is embedded throughout our software development lifecycle. All code changes require peer review and automated security scanning - including secrets detection, dependency vulnerability scanning, and static code analysis. We follow OWASP Top 10 guidelines.
• Vulnerability Management: Safer engages independent third-party security specialists to conduct annual penetration testing. Findings are available to enterprise customers upon request under NDA.
6. Infrastructure & Operational Security
• Environment Segregation: Safer operates three fully isolated environments: Development, Staging, and Production. Production customer data is never present in non-production environments.
• Backup & Disaster Recovery: Customer data is backed up automatically on a daily basis, encrypted using AES-256, and replicated across multiple availability zones within the AWS Sydney region. Backups are retained for 7 days.
7. Compliance & Privacy
Safer is fully compliant with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). As a handler of health information, Safer is subject to the Notifiable Data Breaches (NDB) scheme. In the event of an eligible data breach, affected customers will be notified within 72 hours of determination.
8. Subprocessors
• Amazon Web Services (AWS) - Primary cloud infrastructure, file storage, backups | Australia (Sydney) | All customer data
• Supabase - Database (Postgres) | Australia | All customer data
• Microsoft Azure (Azure OpenAI) - AI inference | Australia (East) | Document and case content during inference only
• Vercel - Web application hosting | Australia (Sydney) | Transient request data only
• Clerk - User authentication | United States | User account credentials only (name and email address)
• GitHub - Source code management | United States | No customer data
9. Certifications & Standards
Safer aligns its policies, controls, and processes to ISO/IEC 27001, SOC 2, and the Australian Essential Eight maturity model. Formal third-party audit and certification is underway, with completion expected in early 2027. On completion, Safer will be the only injury management solution in Australia to hold all three.
Our infrastructure providers (AWS and Microsoft Azure) hold ISO/IEC 27001, SOC 2 Type II, and IRAP (Protected) certifications.
10. Incident Response
In the event of a security incident: affected systems are contained immediately upon detection; a root cause investigation is conducted; customers are notified within 72 hours of a confirmed breach; a post-incident review is completed and findings acted upon. Our incident response process is aligned with Australian regulatory requirements under the Notifiable Data Breaches scheme.
—
Security information on this page is accurate as of May 2026. For specific compliance or procurement enquiries, contact hello@safer.app.
1. Data Sovereignty - Stored in Australia
Your data is stored in Australia. Safer is an Australian company, built on Australian infrastructure, for Australian businesses. All customer data is stored at rest within Australia, and we do not transfer customer data outside of Australia for storage unless explicitly requested and agreed to in writing.
Cloud Infrastructure - Amazon Web Services (AWS)
Safer's core platform runs on Amazon Web Services (AWS) in the Asia Pacific (Sydney) — ap-southeast-2 region. Our application backend, file storage, and backups run on AWS Sydney. AWS holds certifications including:
• ISO/IEC 27001,
• ISO/IEC 27017,
• ISO/IEC 27018,
• SOC 1/2/3, and
• IRAP (Protected)
Database - Supabase (Australia)
Customer records are stored in a Supabase Postgres database hosted in an Australian region. Data at rest is encrypted and remains within Australian jurisdiction.
By hosting our platform and storing data in Australia, Safer ensures that your data is subject to Australian law and remains within Australian jurisdiction.
AI Processing - Microsoft Azure (Australia)
AI inference - used to power Elara's document processing and workflow automation - runs on Microsoft Azure OpenAI's enterprise infrastructure. AI requests are primarily processed in Australia (Azure's Australia East region), which is our default. During periods of exceptionally high demand, an individual request may be processed in another Microsoft data centre to maintain performance and availability - but the underlying data always remains stored at rest in Australia. No data is stored overseas.
Critically, your data is never used to train AI models - not Microsoft's, not OpenAI's, nor any third party's. Microsoft processes each request on our behalf purely to generate a response in the moment; request content is not shared with OpenAI or any other party, and is automatically deleted rather than retained for ongoing storage. Your data stays yours.
2. Data Protection & Encryption
• Encryption in Transit: All data transmitted between your users and the Safer platform is protected using TLS 1.2 or higher. All connections are automatically redirected to HTTPS, and HTTP Strict Transport Security (HSTS) is enforced across all Safer domains.
• Encryption at Rest: All data stored within Safer - including database records, uploaded documents, and backups - is encrypted at rest using AES-256 encryption.
• Cryptographic Key Management: Infrastructure-level encryption keys are managed through AWS Key Management Service (KMS). KMS keys are rotated on a defined schedule and are never stored in application code.
3. Identity & Access Management
Safer uses Clerk, a SOC 2 Type II and HIPAA-certified identity provider, as the authentication layer. Clerk processes only name and email - no customer case data or health information is sent to Clerk.
• Multi-Factor Authentication: MFA is mandatory for all Safer team members with access to production systems. MFA is also available to all customer end-users.
• Role-Based Access Control: Access to customer data is governed by Role-Based Access Control (RBAC). Users are granted the minimum permissions required for their role, and access rights are revoked immediately upon offboarding.
• Enterprise SSO: Safer supports SAML 2.0 and OpenID Connect (OIDC) for enterprise Single Sign-On, enabling integration with Microsoft Entra ID, Okta, and Google Workspace.
4. Multi-Tenancy & Data Isolation
Safer is a multi-tenant platform with per-tenant database isolation. Each customer's data resides in a dedicated, isolated database. It is architecturally impossible for one customer to access another customer's data.
5. Application Security
• Secure Development Practices: Security is embedded throughout our software development lifecycle. All code changes require peer review and automated security scanning - including secrets detection, dependency vulnerability scanning, and static code analysis. We follow OWASP Top 10 guidelines.
• Vulnerability Management: Safer engages independent third-party security specialists to conduct annual penetration testing. Findings are available to enterprise customers upon request under NDA.
6. Infrastructure & Operational Security
• Environment Segregation: Safer operates three fully isolated environments: Development, Staging, and Production. Production customer data is never present in non-production environments.
• Backup & Disaster Recovery: Customer data is backed up automatically on a daily basis, encrypted using AES-256, and replicated across multiple availability zones within the AWS Sydney region. Backups are retained for 7 days.
7. Compliance & Privacy
Safer is fully compliant with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). As a handler of health information, Safer is subject to the Notifiable Data Breaches (NDB) scheme. In the event of an eligible data breach, affected customers will be notified within 72 hours of determination.
8. Subprocessors
• Amazon Web Services (AWS) - Primary cloud infrastructure, file storage, backups | Australia (Sydney) | All customer data
• Supabase - Database (Postgres) | Australia | All customer data
• Microsoft Azure (Azure OpenAI) - AI inference | Australia (East) | Document and case content during inference only
• Vercel - Web application hosting | Australia (Sydney) | Transient request data only
• Clerk - User authentication | United States | User account credentials only (name and email address)
• GitHub - Source code management | United States | No customer data
9. Certifications & Standards
Safer aligns its policies, controls, and processes to ISO/IEC 27001, SOC 2, and the Australian Essential Eight maturity model. Formal third-party audit and certification is underway, with completion expected in early 2027. On completion, Safer will be the only injury management solution in Australia to hold all three.
Our infrastructure providers (AWS and Microsoft Azure) hold ISO/IEC 27001, SOC 2 Type II, and IRAP (Protected) certifications.
10. Incident Response
In the event of a security incident: affected systems are contained immediately upon detection; a root cause investigation is conducted; customers are notified within 72 hours of a confirmed breach; a post-incident review is completed and findings acted upon. Our incident response process is aligned with Australian regulatory requirements under the Notifiable Data Breaches scheme.
—
Security information on this page is accurate as of May 2026. For specific compliance or procurement enquiries, contact hello@safer.app.
1. Data Sovereignty - Stored in Australia
Your data is stored in Australia. Safer is an Australian company, built on Australian infrastructure, for Australian businesses. All customer data is stored at rest within Australia, and we do not transfer customer data outside of Australia for storage unless explicitly requested and agreed to in writing.
Cloud Infrastructure - Amazon Web Services (AWS)
Safer's core platform runs on Amazon Web Services (AWS) in the Asia Pacific (Sydney) — ap-southeast-2 region. Our application backend, file storage, and backups run on AWS Sydney. AWS holds certifications including:
• ISO/IEC 27001,
• ISO/IEC 27017,
• ISO/IEC 27018,
• SOC 1/2/3, and
• IRAP (Protected)
Database — Supabase (Australia)
Customer records are stored in a Supabase Postgres database hosted in an Australian region. Data at rest is encrypted and remains within Australian jurisdiction.
By hosting our platform and storing data in Australia, Safer ensures that your data is subject to Australian law and remains within Australian jurisdiction.
AI Processing - Microsoft Azure (Australia)
AI inference - used to power Elara's document processing and workflow automation - runs on Microsoft Azure OpenAI's enterprise infrastructure. AI requests are primarily processed in Australia (Azure's Australia East region), which is our default. During periods of exceptionally high demand, an individual request may be processed in another Microsoft data centre to maintain performance and availability - but the underlying data always remains stored at rest in Australia. No data is stored overseas.
Critically, your data is never used to train AI models - not Microsoft's, not OpenAI's, nor any third party's. Microsoft processes each request on our behalf purely to generate a response in the moment; request content is not shared with OpenAI or any other party, and is automatically deleted rather than retained for ongoing storage. Your data stays yours.
2. Data Protection & Encryption
• Encryption in Transit: All data transmitted between your users and the Safer platform is protected using TLS 1.2 or higher. All connections are automatically redirected to HTTPS, and HTTP Strict Transport Security (HSTS) is enforced across all Safer domains.
• Encryption at Rest: All data stored within Safer - including database records, uploaded documents, and backups - is encrypted at rest using AES-256 encryption.
• Cryptographic Key Management: Infrastructure-level encryption keys are managed through AWS Key Management Service (KMS). KMS keys are rotated on a defined schedule and are never stored in application code.
3. Identity & Access Management
Safer uses Clerk, a SOC 2 Type II and HIPAA-certified identity provider, as the authentication layer. Clerk processes only name and email - no customer case data or health information is sent to Clerk.
• Multi-Factor Authentication: MFA is mandatory for all Safer team members with access to production systems. MFA is also available to all customer end-users.
• Role-Based Access Control: Access to customer data is governed by Role-Based Access Control (RBAC). Users are granted the minimum permissions required for their role, and access rights are revoked immediately upon offboarding.
• Enterprise SSO: Safer supports SAML 2.0 and OpenID Connect (OIDC) for enterprise Single Sign-On, enabling integration with Microsoft Entra ID, Okta, and Google Workspace.
4. Multi-Tenancy & Data Isolation
Safer is a multi-tenant platform with per-tenant database isolation. Each customer's data resides in a dedicated, isolated database. It is architecturally impossible for one customer to access another customer's data.
5. Application Security
• Secure Development Practices: Security is embedded throughout our software development lifecycle. All code changes require peer review and automated security scanning - including secrets detection, dependency vulnerability scanning, and static code analysis. We follow OWASP Top 10 guidelines.
• Vulnerability Management: Safer engages independent third-party security specialists to conduct annual penetration testing. Findings are available to enterprise customers upon request under NDA.
6. Infrastructure & Operational Security
• Environment Segregation: Safer operates three fully isolated environments: Development, Staging, and Production. Production customer data is never present in non-production environments.
• Backup & Disaster Recovery: Customer data is backed up automatically on a daily basis, encrypted using AES-256, and replicated across multiple availability zones within the AWS Sydney region. Backups are retained for 7 days.
7. Compliance & Privacy
Safer is fully compliant with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). As a handler of health information, Safer is subject to the Notifiable Data Breaches (NDB) scheme. In the event of an eligible data breach, affected customers will be notified within 72 hours of determination.
8. Subprocessors
• Amazon Web Services (AWS) - Primary cloud infrastructure, file storage, backups | Australia (Sydney) | All customer data
• Supabase - Database (Postgres) | Australia | All customer data
• Microsoft Azure (Azure OpenAI) - AI inference | Australia (East) | Document and case content during inference only
• Vercel - Web application hosting | Australia (Sydney) | Transient request data only
• Clerk - User authentication | United States | User account credentials only (name and email address)
• GitHub - Source code management | United States | No customer data
9. Certifications & Standards
Safer aligns its policies, controls, and processes to ISO/IEC 27001, SOC 2, and the Australian Essential Eight maturity model. Formal third-party audit and certification is underway, with completion expected in early 2027. On completion, Safer will be the only injury management solution in Australia to hold all three.
Our infrastructure providers (AWS and Microsoft Azure) hold ISO/IEC 27001, SOC 2 Type II, and IRAP (Protected) certifications.
10. Incident Response
In the event of a security incident: affected systems are contained immediately upon detection; a root cause investigation is conducted; customers are notified within 72 hours of a confirmed breach; a post-incident review is completed and findings acted upon. Our incident response process is aligned with Australian regulatory requirements under the Notifiable Data Breaches scheme.
—
Security information on this page is accurate as of May 2026. For specific compliance or procurement enquiries, contact hello@safer.app.