How we protect trainee data
Encryption at rest, Australian data residency, tenant isolation, and a complete audit trail. Built for the obligations MARA agents carry.
Last updated: 25/05/2026
The controls: six commitments, mapped to the obligation
Every control answers to a specific Australian Privacy Principle, not a marketing checkbox. Each row names the obligation it satisfies.
- APP 11.1: Encryption at rest
Every PII field is encrypted with AES-256-GCM at the application layer before it is written to the database.
- APP 8: Australian data residency
The primary Postgres database runs in Sydney (ap-southeast-2) and compute runs on syd1. Trainee PII never leaves Australia for storage or query. The only cross-border flow is described under Data flow below.
- APP 11.1: Tenant isolation
Every query is scoped to the authenticated organisation via the application-layer tenant guard. One organisation can never read or modify another organisation's records.
- APP 11.1: Authentication and MFA
Authentication uses short-lived sessions verified on every request. MFA is available for all accounts. Organisation invites are issued by organisation admins.
- APP 11.2: PII redaction from logs
Logs, error reports, and traces are scrubbed of PII before ingestion. Names, passport numbers, dates of birth, and contact details never appear in logs.
- APP 1.2: Audit trail
An append-only audit log is scoped to each plan and organisation. It records the actor, timestamp, action type, and a before/after summary. It is visible to organisation admins and cannot be edited or deleted.
Data flow: where trainee data lives, simplified
Storage and query stay inside Australia. The only cross-border step carries a redacted, token-protected payload, with every identifying field replaced by a non-reversible placeholder.
- Client: agent browser, TLS session, Clerk-authenticated
- Compute: Lodgeable API on syd1 (Sydney, Australia)
- Storage: Neon Postgres in ap-southeast-2 (Sydney), PII fields encrypted with AES-256-GCM
- Cross-border (dashed node): draft-generation processing (see Sub-processors), redacted, token-protected payload only. Every identifying field is replaced with a non-reversible placeholder before it leaves Australia. No trainee PII is transmitted, stored, or recoverable at this step.
Diagram is simplified. Trainee PII is encrypted at the application layer before it reaches the database, and the database itself runs in the Sydney region. The dashed node is the sole cross-border flow.
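How a redaction step of this shape can be built and checked before the payload crosses the border, as an added Node.js example that is not Lodgeable's code. The placeholders are fixed labels that carry no information about the value they replace, which is what makes them non-reversible from the payload; the field names, the labels, the regular expressions for PII-shaped tokens in free text, and the sample intake record are all constructed for the example. The page does not describe how (or whether) real values are re-inserted into a returned draft, so no such mapping appears here.

```javascript
// Added example, not Lodgeable's code. Replace identifying fields with fixed
// placeholders, sweep free text for the same values and for PII-shaped tokens,
// and fail closed if anything identifying survives. Field names and patterns assumed.
const IDENTIFYING_FIELDS = ['name', 'passport_number', 'date_of_birth', 'email', 'phone'];
const PLACEHOLDER = {
  name: '[TRAINEE_NAME]',
  passport_number: '[PASSPORT_NUMBER]',
  date_of_birth: '[DATE_OF_BIRTH]',
  email: '[EMAIL]',
  phone: '[PHONE]',
};

// Shape-based patterns for values that may appear in free text even when the
// structured field is empty. Assumed formats; tune to the data actually held.
const PATTERNS = [
  [/[\w.+-]+@[\w-]+\.[\w.-]+/g, '[EMAIL]'],
  [/\b[A-Z]{1,2}\d{7}\b/g, '[PASSPORT_NUMBER]'],
  [/\b(?:\+?61|0)4\d{2}[ -]?\d{3}[ -]?\d{3}\b/g, '[PHONE]'],
  [/\b\d{1,2}\/\d{1,2}\/\d{4}\b/g, '[DATE_OF_BIRTH]'],
];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Scrub one free-text field: known values first (longest first, case-insensitive),
// then anything that merely looks like an email, passport number, phone or date.
function scrubText(text, record) {
  let out = text;
  const known = IDENTIFYING_FIELDS.filter((f) => record[f])
    .map((f) => [String(record[f]), PLACEHOLDER[f]])
    .sort((a, b) => b[0].length - a[0].length);
  for (const [value, label] of known) {
    out = out.replace(new RegExp(escapeRegex(value), 'gi'), label);
  }
  for (const [re, label] of PATTERNS) out = out.replace(re, label);
  return out;
}

// Fail closed: refuse the payload if a known value or a PII-shaped token is still present anywhere,
// including in nested structures this simple walker does not scrub.
function assertNoPii(payload, record) {
  const serialised = JSON.stringify(payload);
  const lowered = serialised.toLowerCase();
  for (const f of IDENTIFYING_FIELDS) {
    if (record[f] && lowered.includes(String(record[f]).toLowerCase())) {
      throw new Error(`PII leak: ${f}`);
    }
  }
  for (const [re] of PATTERNS) {
    if (new RegExp(re.source, 'i').test(serialised)) throw new Error('PII-shaped token in payload');
  }
}

function buildCrossBorderPayload(record) {
  const payload = {};
  for (const [k, v] of Object.entries(record)) {
    if (IDENTIFYING_FIELDS.includes(k)) payload[k] = PLACEHOLDER[k];
    else if (typeof v === 'string') payload[k] = scrubText(v, record);
    else payload[k] = v; // non-strings are copied as-is and caught by assertNoPii if they leak
  }
  assertNoPii(payload, record);
  return payload;
}

// Wrapper that reports the outcome instead of throwing, for callers that log and stop.
function tryBuild(record) {
  try {
    return { ok: true, payload: buildCrossBorderPayload(record) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample intake record, not real data.
const SAMPLE_INTAKE = {
  name: 'Jane Citizen',
  passport_number: 'PA1234567',
  date_of_birth: '14/03/1995',
  email: 'jane.citizen@example.com',
  phone: '0412 345 678',
  nominated_occupation: 'Software Engineer',
  notes: 'Jane Citizen (passport PA1234567) can be reached at jane.citizen@example.com about the 482 training plan.',
};

module.exports = { scrubText, assertNoPii, buildCrossBorderPayload, tryBuild, SAMPLE_INTAKE };
```

The free-text sweep matters as much as the structured fields: agents routinely repeat the trainee's name and passport number in notes, and a redactor that only blanks the labelled columns would ship them. The final check is deliberately redundant with the scrubbing so that a new nested field added later fails the build rather than leaking silently.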
Privacy principles: the obligations behind the controls
Three Australian Privacy Principles frame how trainee information is collected, used, and secured.
- APP 5: Collection notice
The verbatim APP 5 consent template is read to, and acknowledged by, the registered migration agent on behalf of every trainee at intake. The notice names the purpose, the processor, and the cross-border disclosure.
- APP 6: Use and disclosure
Personal information is used solely to draft the training plan and to maintain the audit record. It is never sold, never used for advertising, and never used for profiling.
- APP 11: Security of personal information
AES-256-GCM encryption at rest, MFA available, PII redacted from logs, audit trail captured for every access. Tenant isolation is enforced at the application layer via the tenant guard.
Sub-processors: third-party processors
The external service providers below may process customer data in the course of operating Lodgeable. Each is named with its purpose and the jurisdiction it operates from, as APP 5 cross-border disclosure obligations require.
Identifying fields are redacted from the payload that crosses a border for draft generation. The redaction posture is described in detail in the privacy policy.
| Sub-processor | Purpose | Jurisdiction |
|---|---|---|
| Anthropic, Inc. | Draft-generation processing | United States |
| Clerk Inc. | Identity, sessions, MFA | United States |
| Neon | Postgres data plane | United States parent; AWS ap-southeast-2 (Sydney) |
| Vercel Inc. | Compute and Blob storage | United States parent; compute pinned to syd1 (Sydney) |
| Resend | Transactional email delivery | United States |