Security & data protection

Your clients’ data deserves the same care as your advice

AML/CTF compliance means handling your clients’ most sensitive information. AML Mate is built for Australian professionals — data kept onshore, client identities kept out of AI, and every firm’s records walled off from every other.

Hosted in Australia

Data & documents stored in Sydney (AWS ap-southeast-2)

Encrypted in transit

All traffic over HTTPS / TLS 1.2+

Strict tenant isolation

One firm can never read another firm’s data

No client PII sent to AI

Names, DOB, address & ID numbers are stripped first

How we protect your data

Concrete measures, not marketing. Each of these is how the product actually works today.

Australian data residency

Your account data, client records, and uploaded documents are stored in Sydney, Australia (AWS ap-southeast-2). Your clients’ information stays onshore — it is not moved offshore for storage.

Encryption in transit

Every request between your browser and AML Mate travels over HTTPS (TLS 1.2 or higher). Data is never sent in the clear.

Tenant isolation

Every database query is scoped to the business making it. There is no shared view of records — one firm can never see, or even address, another firm’s clients or documents.

Private document storage

Files you or your clients upload go into a private bucket, never a public one. Each download is authorised against your business and served through a signed link that expires after 60 seconds.

Password & session security

We never store your password — authentication and hashing are handled by Supabase Auth. Sessions use short-lived signed tokens, and every request is re-verified on our servers.

Monitoring & breach response

We monitor the application for errors and anomalies, and we comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). If a breach affects your clients’ data, we notify you promptly so you can meet your own obligations.

AI that never sees your clients’ identities

Several features use AI to draft and review your program, risk assessment, and reports. Before anything is sent to the AI model, we strip out the details that identify a person — so the model can help with the wording without ever holding your clients’ identities.

  • Direct identifiers are removed

    Client names, dates of birth, residential addresses, and ID or document numbers are masked (e.g. [NAME], [ID]) before any text leaves our systems.

  • Only de-identified risk inputs are sent

    Things like client type, occupation, nationality, and transaction amounts — the attributes needed to assess risk, never to identify someone.

  • Your data is never used to train AI

    AI runs under paid API terms with no model training on your inputs.

  • No AI adverse-media guesswork

    We deliberately do not let AI invent adverse-media findings — that step is flagged for human review instead.

Screening that fails safe

Clients are screened against DFAT sanctions and PEP data. If a screening source is unavailable, AML Mate never records the result as “clear” — it flags the check as incomplete so a real match can never be silently missed. That’s the whole point of a compliance tool.

Your data, in your control

  • Export your client data to CSV at any time from the dashboard.
  • Delete your account and data whenever you choose. AI conversation history is automatically deleted after 12 months.
  • Your clients’ information is yours. We never sell it, never use it for marketing, and never use it to train AI.

Built on independently audited infrastructure

AML Mate runs on infrastructure providers that hold independent security certifications. These certifications belong to our providers — we build on their audited foundations.

Amazon Web Services (Sydney)

ISO 27001, SOC 1/2/3, PCI DSS

Supabase

SOC 2 Type 2 (database, auth & storage)

Vercel

SOC 2 Type 2 (application hosting)

Stripe

PCI DSS Level 1 (payments & identity)

AML Mate is an early-stage Australian product and does not yet hold its own SOC 2 or ISO 27001 certification. We’re transparent about that — the protections described on this page are how the product works today, and the certifications above are those of the infrastructure we run on.

Report a security issue

Found a vulnerability or have a security question? Email us at support@amlmate.com.au and we’ll respond promptly. We appreciate responsible disclosure.

The full detail

Our Privacy Policy sets out exactly what we collect, the sub-processors we use, how overseas disclosure is handled under the Australian Privacy Principles, and your rights under the Privacy Act 1988 (Cth).

Compliance you can trust with your clients’ data

Get AUSTRAC-ready before the 29 July 2026 enrolment deadline — without handing your clients’ information to an offshore black box.

Security & Data Protection — AML Mate