
Security & trust

Is your building's data safe with us? Yes, and here's exactly why.

We get this question on every call. Below: the promises we make, in plain English. Hover anything that looks like jargon — we'll explain it in terms that actually make sense.

AES-256-GCM: ballot encryption

< 1 hr RPO: point-in-time recovery

7 years: financial data retained

3× logged: per disbursement

Your money can't be misappropriated.

The Licensee, the human who legally owns trust account responsibility, has to approve every disbursement. The screen can't bypass it. Even our own engineers can't bypass it.

Technical detail:

PSA s.86 enforcement at the PostgreSQL trigger level. A disbursement row is rejected unless the approving profile matches the building's designated Licensee. Three audit logs record every attempt, approval and completion.

Service accounts cannot bypass the trigger; the policy rejects on auth.uid() against the LIC profile, not on role grants.
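An added illustration of the approval control described above, written for PostgreSQL and not taken from the OurCommons schema: a BEFORE INSERT trigger on an assumed disbursements table compares the session user (Supabase's auth.uid()) with the building's designated licensee and refuses the row otherwise. Every table, column and function name is assumed. It also shows a point the prose glosses over: a RAISE in a trigger rolls back the whole statement, so a "rejected attempt" audit row has to be written by a wrapper that catches the error rather than by the trigger itself.

```sql
-- Added example, not OurCommons' own schema. auth.uid() is Supabase's
-- session-user function; everything else here is assumed for illustration.

create table buildings (
  id                  uuid primary key,
  licensee_profile_id uuid not null              -- the LIC profile for this building
);

create table disbursements (
  id            uuid primary key default gen_random_uuid(),
  building_id   uuid not null references buildings(id),
  amount_cents  bigint not null check (amount_cents > 0),
  approved_by   uuid not null,                    -- set by the trigger, never by the caller
  created_at    timestamptz not null default now()
);

-- one row per attempt: 'rejected', 'approved' (this trigger) or 'completed'
-- (assumed to be logged later, when the payment file is generated)
create table disbursement_audit (
  id          bigserial primary key,
  building_id uuid not null,
  actor       uuid,                               -- session user that made the attempt
  outcome     text not null check (outcome in ('rejected', 'approved', 'completed')),
  detail      text,
  logged_at   timestamptz not null default now()
);

-- The check is on identity (auth.uid()) against the licensee profile, not on a
-- role grant, so a service account with a NULL or different uid is refused too.
create or replace function enforce_licensee_approval() returns trigger
language plpgsql security definer as $$
declare
  lic uuid;
begin
  select licensee_profile_id into lic from buildings where id = new.building_id;
  if lic is null then
    raise exception 'building % has no designated licensee', new.building_id;
  end if;
  if auth.uid() is distinct from lic then
    raise exception 'disbursement rejected: % is not the licensee of building %',
      auth.uid(), new.building_id using errcode = 'insufficient_privilege';
  end if;
  new.approved_by := lic;                         -- server-side, not client-supplied
  insert into disbursement_audit (building_id, actor, outcome, detail)
  values (new.building_id, auth.uid(), 'approved', 'disbursement ' || new.id);
  return new;
end $$;

create trigger disbursements_licensee_check
before insert on disbursements
for each row execute function enforce_licensee_approval();

-- Caveat: RAISE rolls back the statement, including any audit row the trigger
-- itself wrote. Rejected attempts are therefore logged by this wrapper, which
-- catches the error, records it, and returns the outcome instead of re-raising.
create or replace function record_disbursement(p_building uuid, p_amount_cents bigint)
returns text language plpgsql security definer as $$
begin
  insert into disbursements (building_id, amount_cents)
  values (p_building, p_amount_cents);
  return 'approved';
exception when insufficient_privilege then
  insert into disbursement_audit (building_id, actor, outcome, detail)
  values (p_building, auth.uid(), 'rejected', sqlerrm);
  return 'rejected';
end $$;

-- Constructed usage: a non-licensee session calling this gets 'rejected' and
-- leaves an audit row; the licensee's session gets 'approved' plus its audit row.
-- select record_disbursement('00000000-0000-0000-0000-000000000001', 125000);
```

The wrapper is the only entry point the API needs to expose; a direct INSERT from any other path still hits the trigger, it just loses the rejection record.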

Your records can't be altered.

Once a financial entry is in, it's in. Correcting an error works the way every accountant does it: by posting a reversing journal entry. The original entry stays in the record forever.

Technical detail:

Immutable ledger via a DELETE/UPDATE trigger on ledger_entries. Test-data cleanup uses reversing journal entries, not deletes; same as production accounting.
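An added example of the append-only ledger pattern, written for PostgreSQL and not OurCommons' own code: a trigger refuses UPDATE and DELETE on an assumed ledger_entries table, and a function posts the mirror-image reversing entry linked to the original. All names are assumed. The constructed sample at the end shows a mis-posted levy receipt being reversed while both rows remain.

```sql
-- Added example, not OurCommons' own schema; table and column names are assumed.

create table ledger_entries (
  id           bigserial primary key,
  building_id  uuid not null,
  account      text not null,
  debit_cents  bigint not null default 0 check (debit_cents >= 0),
  credit_cents bigint not null default 0 check (credit_cents >= 0),
  memo         text,
  reverses     bigint references ledger_entries(id),  -- set only on a reversing entry
  posted_at    timestamptz not null default now(),
  check (debit_cents = 0 or credit_cents = 0)          -- one side per line
);

create or replace function ledger_entries_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'ledger_entries is append-only: % of row % is not permitted',
    tg_op, old.id using errcode = 'insufficient_privilege';
end $$;

create trigger ledger_entries_no_change
before update or delete on ledger_entries
for each row execute function ledger_entries_immutable();

-- The trigger also fires for the table owner. Revoking the privileges from
-- application roles is a second, independent barrier.
revoke update, delete on ledger_entries from public;

-- Correct an entry by posting its mirror image and linking the two rows.
create or replace function reverse_ledger_entry(p_entry bigint, p_memo text)
returns bigint language plpgsql as $$
declare
  orig   ledger_entries%rowtype;
  new_id bigint;
begin
  select * into orig from ledger_entries where id = p_entry;
  if not found then
    raise exception 'ledger entry % does not exist', p_entry;
  end if;
  if exists (select 1 from ledger_entries where reverses = p_entry) then
    raise exception 'ledger entry % has already been reversed', p_entry;
  end if;
  insert into ledger_entries (building_id, account, debit_cents, credit_cents, memo, reverses)
  values (orig.building_id, orig.account, orig.credit_cents, orig.debit_cents,
          coalesce(p_memo, 'reversal of entry ' || p_entry), p_entry)
  returning id into new_id;
  return new_id;
end $$;

-- Constructed sample: a levy receipt posted to the wrong account, then reversed.
insert into ledger_entries (building_id, account, debit_cents, memo)
values ('00000000-0000-0000-0000-000000000001', 'trust:cash', 125000, 'levy receipt, lot 7');

select reverse_ledger_entry(1, 'mis-posted: belongs to the admin fund');

-- delete from ledger_entries where id = 1;   -- raises insufficient_privilege

-- Both rows are still present; the account's net balance is back to zero.
select account, sum(debit_cents) - sum(credit_cents) as balance_cents
from ledger_entries group by account;        -- trust:cash | 0
```

The "already reversed" guard matters: without it a second reversal would silently re-post the original amount.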

Arithmetic is Decimal.js with ROUND_HALF_EVEN (banker's rounding) at 20-digit precision. No floating-point drift across thousands of levy amounts.

Your data stays in Australia.

Your building's data lives in a database hosted in Sydney. It does not leave the country. We use Supabase specifically so this stays true.

Technical detail:

Supabase region pinned to ap-southeast-2; AWS KMS at-rest encryption; TLS 1.2+ in transit. Australian Privacy Act APP 8 (cross-border disclosure) is addressed by the Sydney hosting choice.

The application layer (Vercel) is stateless: it processes requests but does not store data. Transactional emails are delivered via Resend; metadata for those crosses borders (US storage); the email body is encrypted in transit.

Only the right people can see your building.

A strata manager at Firm A literally cannot see Firm B's buildings. This isn't a permission setting; it's enforced by the database. A bug in the app can't break it.

Technical detail:

Row-Level Security (RLS) on every multi-tenant table. The active building is derived from auth_building_id(), a SQL function that reads the caller's session, not an app-layer header. No app-layer auth gate is trusted on its own.

Within a building, access follows least-privilege: SM (full portfolio), Committee Member (governance + minutes), Lot Owner (own lot + AGM docs), Building Manager (observer + ticket submission), Auditor (read-only financials).
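An added example of the isolation model described in the two paragraphs above, written for PostgreSQL/Supabase and not OurCommons' own policies: auth_building_id() and a companion auth_building_role() are derived from auth.uid() and an assumed memberships table, RLS is enabled and forced on an assumed minutes table, and the policies give committee members and auditors read access while only the strata manager may write. A single active membership per user is assumed to keep the lookup simple; all names are assumed.

```sql
-- Added example, not OurCommons' own policies. auth.uid() is Supabase's
-- session-user function; every other name is assumed for illustration.

create type building_role as enum
  ('SM', 'committee_member', 'lot_owner', 'building_manager', 'auditor');

create table memberships (
  profile_id  uuid not null,                 -- auth.users.id
  building_id uuid not null,
  role        building_role not null,
  active      boolean not null default true, -- the building this session is working in
  primary key (profile_id, building_id)
);

create table minutes (
  id          bigserial primary key,
  building_id uuid not null,
  body        text not null
);

-- Derived entirely from the session. A caller with no active membership gets
-- NULL, and NULL never matches a row, so the default is "see nothing".
create or replace function auth_building_id() returns uuid
language sql stable security definer set search_path = public as $$
  select building_id from memberships
  where profile_id = auth.uid() and active
  limit 1
$$;

create or replace function auth_building_role() returns building_role
language sql stable security definer set search_path = public as $$
  select role from memberships
  where profile_id = auth.uid() and active
  limit 1
$$;

alter table minutes enable row level security;
alter table minutes force row level security;   -- applies to the table owner too

-- Read: governance roles only (lot owners see AGM documents, not minutes).
create policy minutes_read on minutes for select
using (building_id = auth_building_id()
       and auth_building_role() in ('SM', 'committee_member', 'auditor'));

-- Write: the strata manager, and only into the active building. WITH CHECK
-- stops an insert or update from re-homing a row into another tenant.
create policy minutes_write on minutes for all
using (building_id = auth_building_id() and auth_building_role() = 'SM')
with check (building_id = auth_building_id() and auth_building_role() = 'SM');

-- With RLS, a query that has no matching policy returns no rows rather than an
-- error, so an app bug that forgets "where building_id = ..." leaks nothing:
--   select * from minutes;   -- from Firm A's session: Firm A's building only
```

The functions are SECURITY DEFINER with a pinned search_path so the policy can read memberships even when that table is itself RLS-protected, without giving the caller direct access to it.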

Votes are sealed and the voter can verify them.

When an owner casts a ballot, it's locked with a code only they know. They can check later that their vote was recorded exactly as they cast it. We can't even tell who voted which way.

Technical detail:

AES-256-GCM encryption with a unique 256-bit session key per ballot and a random IV per vote. HMAC-SHA256 receipt over choice + voter + ticket + time + building.

The receipt token can be verified at /votes/verify: the platform recomputes the HMAC and confirms the vote was recorded exactly as cast. A mismatch is logged as a tamper attempt.
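An added example of the receipt mechanism described above, written for PostgreSQL with pgcrypto and not OurCommons' own code. The AES-256-GCM sealing of the choice is assumed to happen in the application layer (pgcrypto has no GCM mode), so what the database sees is the sealed choice as bytea; the block computes an HMAC-SHA256 receipt over choice + voter + ballot + time + building with a per-ballot key, and a verify function recomputes it and writes a tamper_log row on mismatch. All table, column and function names are assumed.

```sql
-- Added example, not OurCommons' own code; names are assumed for illustration.
create extension if not exists pgcrypto;

create table ballots (
  id          uuid primary key default gen_random_uuid(),
  building_id uuid not null,
  receipt_key bytea not null                  -- per-ballot secret for receipts
);

create table votes (
  id            bigserial primary key,
  ballot_id     uuid not null references ballots(id),
  voter_id      uuid not null,
  sealed_choice bytea not null,               -- AES-256-GCM ciphertext from the app
  cast_at       timestamptz not null,
  receipt       text not null                 -- hex HMAC handed to the voter
);

create table tamper_log (
  id        bigserial primary key,
  vote_id   bigint,
  presented text,
  logged_at timestamptz not null default now()
);

-- Fixed field order and a '|' separator that none of the encoded fields can
-- contain, so two different votes cannot serialise to the same byte string.
create or replace function vote_receipt(p_key bytea, p_choice bytea, p_voter uuid,
                                        p_ballot uuid, p_cast timestamptz, p_building uuid)
returns text language sql immutable as $$
  select encode(hmac(
    convert_to(encode(p_choice, 'hex') || '|' || p_voter::text || '|' || p_ballot::text
               || '|' || to_char(p_cast at time zone 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"')
               || '|' || p_building::text, 'UTF8'),
    p_key, 'sha256'), 'hex')
$$;

-- Record the vote and hand the receipt back; the voter keeps it.
create or replace function cast_vote(p_ballot uuid, p_voter uuid, p_sealed bytea)
returns text language plpgsql security definer as $$
declare
  b  ballots%rowtype;
  ts timestamptz := clock_timestamp();
  r  text;
begin
  select * into b from ballots where id = p_ballot;
  if not found then raise exception 'unknown ballot %', p_ballot; end if;
  r := vote_receipt(b.receipt_key, p_sealed, p_voter, p_ballot, ts, b.building_id);
  insert into votes (ballot_id, voter_id, sealed_choice, cast_at, receipt)
  values (p_ballot, p_voter, p_sealed, ts, r);
  return r;
end $$;

-- /votes/verify: recompute from the stored row. Passing requires the presented
-- receipt and the stored one to both match the recomputation, so a modified
-- row and a forged token are both caught and logged.
create or replace function verify_receipt(p_vote bigint, p_receipt text)
returns boolean language plpgsql security definer as $$
declare
  v votes%rowtype; b ballots%rowtype; expected text;
begin
  select * into v from votes where id = p_vote;
  if not found then return false; end if;
  select * into b from ballots where id = v.ballot_id;
  expected := vote_receipt(b.receipt_key, v.sealed_choice, v.voter_id,
                           v.ballot_id, v.cast_at, b.building_id);
  if expected = p_receipt and expected = v.receipt then
    return true;
  end if;
  insert into tamper_log (vote_id, presented) values (p_vote, p_receipt);
  return false;
end $$;

-- Constructed usage (the sealed choice is a placeholder, not real ciphertext):
insert into ballots (id, building_id, receipt_key)
values ('11111111-1111-1111-1111-111111111111',
        '00000000-0000-0000-0000-000000000001', gen_random_bytes(32));
select cast_vote('11111111-1111-1111-1111-111111111111',
                 '22222222-2222-2222-2222-222222222222', '\xdeadbeef'::bytea); -- receipt
-- select verify_receipt(1, '<receipt returned above>');   -- true
-- select verify_receipt(1, repeat('0', 64));               -- false; tamper_log gains a row
```

The receipt reveals nothing about the choice on its own because the sealed bytes, not the plaintext, go into the HMAC; only the holder of the ballot key can produce a valid token for a given row.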

If something breaks, you don't lose anything.

We back up your data every day, keep a week of history, and can restore to any point within the last hour if something goes wrong. A full recovery takes a couple of hours, end-to-end.

Technical detail:

Daily database backups with 7-day retention. Point-in-Time Recovery enabled for sub-hour granularity. RPO < 1 hour, RTO < 2 hours.

The application layer is stateless: if Vercel had an outage, a redeploy from git restores the app in 2–3 minutes. All your data lives in Supabase, separate from the app. Real-time error monitoring via Sentry.

We're built for Australian regulation, not retrofitted.

Australian Privacy Act, NSW SSMA and SSMR, NSW Property, Stock and Business Agents Act, WCAG 2.1 AA. Built for these from the schema up. Multi-state coverage for NSW, VIC and QLD.

Technical detail:

Australian Privacy Act (APPs 1–13): privacy policy at /legal/privacy. Cross-border disclosure (APP 8) addressed by Sydney hosting.

NSW SSMA & SSMR: meeting notice periods, quorum, by-law management, AGM procedures (s.18A, s.146, s.174/s.184) and record-keeping built to spec. VIC and QLD equivalents covered.

NSW Property, Stock and Business Agents Act (PSA): trust accounting meets the PSA requirements: immutable ledger, double-entry, LIC approval (s.86), bank reconciliation, ABA payment files, 7-year retention. Trust audit packs exportable in-app.

WCAG 2.1 AA: colour contrast, keyboard navigation, skip-to-content, ARIA roles, focus-visible rings, screen reader compatibility.

Architecture

Security, layer by layer.

Hover each layer to understand what it does in plain English.

Your browser: HTTPS everywhere · TLS 1.3 in transit · no data stored client-side

Edge network: Vercel CDN · rate limiting · DDoS protection · CORS enforcement

API layer: Next.js routes · auth validation on every request · input sanitisation · audit logging

Auth layer: Supabase Auth · short-lived JWTs · role-based session context

Database: PostgreSQL · RLS on every table · immutable ledger trigger · encrypted ballot store

Infrastructure: AWS Sydney (ap-southeast-2) · KMS at-rest encryption · daily backups · 7-day PITR


Got a question we didn't answer?

Email aden@ourcommons.co with anything. We answer same-day.

Penetration testing results, data processing agreements and answers to specific compliance questions are available on request.

  1. PostgreSQL database run by Supabase in AWS region ap-southeast-2 (Sydney). Encrypted at rest with AWS KMS.

What now?

Trust is earned, not asserted.

Book a 30-minute call. We'll show you the controls in action: the immutable ledger, the RLS policies, the audit pack. Then you can decide for yourself.