Your clients’ data deserves the same care as your advice
AML/CTF compliance means handling your clients’ most sensitive information. AML Mate is built for Australian professionals — data kept onshore, client identities kept out of AI, and every firm’s records walled off from every other.
Hosted in Australia
Data & documents stored in Sydney (AWS ap-southeast-2)
Encrypted in transit
All traffic over HTTPS / TLS 1.2+
Strict tenant isolation
One firm can never read another firm’s data
No client PII sent to AI
Names, DOB, address & ID numbers are stripped first
How we protect your data
Concrete measures, not marketing. Each of these is how the product actually works today.
Australian data residency
Your account data, client records, and uploaded documents are stored in Sydney, Australia (AWS ap-southeast-2). Your clients’ information stays onshore — it is not moved offshore for storage.
Encryption in transit
Every request between your browser and AML Mate travels over HTTPS (TLS 1.2 or higher). Data is never sent in the clear.
Tenant isolation
Every database query is scoped to the business making it. There is no shared view of records — one firm can never see, or even address, another firm’s clients or documents.
Private document storage
Files you or your clients upload go into a private bucket, never a public one. Each download is authorised against your business and served through a signed link that expires after 60 seconds.
Password & session security
We never store your password — authentication and hashing are handled by Supabase Auth. Sessions use short-lived signed tokens, and every request is re-verified on our servers.
Monitoring & breach response
We monitor the application for errors and anomalies, and we comply with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth). If a breach affects your clients’ data, we notify you promptly so you can meet your own obligations.
AI that never sees your clients’ identities
Several features use AI to draft and review your program, risk assessment, and reports. Before anything is sent to the AI model, we strip out the details that identify a person — so the model can help with the wording without ever holding your clients’ identities.
Direct identifiers are removed
Client names, dates of birth, residential addresses, and ID or document numbers are masked (e.g. [NAME], [ID]) before any text leaves our systems.
Only de-identified risk inputs are sent
Things like client type, occupation, nationality, and transaction amounts — the attributes needed to assess risk, never to identify someone.
Your data is never used to train AI
AI runs under paid API terms with no model training on your inputs.
No AI adverse-media guesswork
We deliberately do not let AI invent adverse-media findings — that step is flagged for human review instead.
Screening that fails safe
Clients are screened against DFAT sanctions and PEP data. If a screening source is unavailable, AML Mate never records the result as “clear” — it flags the check as incomplete so a real match can never be silently missed. That’s the whole point of a compliance tool.
Your data, in your control
- Export your client data to CSV at any time from the dashboard.
- Delete your account and data whenever you choose. AI conversation history is automatically deleted after 12 months.
- Your clients’ information is yours. We never sell it, never use it for marketing, and never use it to train AI.
Built on independently audited infrastructure
AML Mate runs on infrastructure providers that hold independent security certifications. These certifications belong to our providers — we build on their audited foundations.
Amazon Web Services (Sydney)
ISO 27001, SOC 1/2/3, PCI DSS
Supabase
SOC 2 Type 2 (database, auth & storage)
Vercel
SOC 2 Type 2 (application hosting)
Stripe
PCI DSS Level 1 (payments & identity)
AML Mate is an early-stage Australian product and does not yet hold its own SOC 2 or ISO 27001 certification. We’re transparent about that — the protections described on this page are how the product works today, and the certifications above are those of the infrastructure we run on.
Report a security issue
Found a vulnerability or have a security question? Email us at support@amlmate.com.au and we’ll respond promptly. We appreciate responsible disclosure.
The full detail
Our Privacy Policy sets out exactly what we collect, the sub-processors we use, how overseas disclosure is handled under the Australian Privacy Principles, and your rights under the Privacy Act 1988 (Cth).