SECURITY

Security posture.

LAST REVIEWED — JUNE 2026 · INTERNAL REVIEW · PUBLIC SUMMARY

This page describes Coraz's security posture in plain language. It is the public-facing summary. A long-form whitepaper for procurement teams is in preparation and available under NDA on request.

01

Data isolation

  • Row-level security (RLS) enforced at the database. Tenant data is isolated by database-level policy, not application logic alone. No cross-tenant data is reachable even if an application defect exists.
  • Tenants in regulated verticals receive additional logical isolation. Financial planning, medical, and legal tenants are separated at the schema level by default — not as an upgrade or add-on.
  • No shared data stores between tenants. Each tenant's graph, documents, and event history are partitioned and cannot be queried across tenant boundaries.
02

Data residency

  • Production database, backups, and file storage: Australian data centres. No cross-border transfer for stored data.
  • AI inference: Anthropic PBC (United States). Queries submitted to AI features are processed by Anthropic's infrastructure in the US. This is disclosed in our Privacy Policy §6 and covered by Anthropic's data processing commitments.
  • No other cross-border transfers for production workloads. Infrastructure management, monitoring, and backups operate within Australian regions.
03

Encryption

  • In transit: TLS 1.2 minimum on all endpoints. All communication between clients and the platform, and between internal services, is encrypted in transit.
  • At rest: encrypted at the storage layer. Database volumes and file storage are encrypted at rest using platform-managed keys.
04

Audit and logging

  • Append-only audit log on every operator action. Every login, query, document action, AI tool call, and database write is recorded. Entries cannot be modified or deleted at the application layer.
  • Tenants have access to their own audit log. Operators can review the full activity history for their tenant from within the platform.
05

Incident response

  • Confirmed data incidents: tenant notification within 24 hours. If we confirm a data incident affecting your tenant, we will notify you within 24 hours of confirmation.
  • Notifiable data breaches reported to the OAIC. Eligible data breaches are reported to the Office of the Australian Information Commissioner in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth).
06

Compliance status

In progress

SOC 2 Type II

Readiness programme in progress. Certification target: 2026. Reports available to qualified prospects under NDA.

Active

Australian Privacy Act 1988 (Cth)

Operating in accordance with the Australian Privacy Principles (APPs). Privacy Policy published at coraz.ai/privacy.

Active

Notifiable Data Breaches scheme

Subject to and compliant with the NDB scheme. Incident response procedures aligned to statutory obligations.

Scheduled

Penetration testing

External penetration test scheduled before general availability launch. Reports available under NDA on request.

For procurement teams.

We support structured security reviews. The following are available on request to qualified prospects under NDA:

  • Long-form security whitepaper (in preparation)
  • Penetration test report (post-GA)
  • Completed security questionnaires (CAIQ, custom)
  • Data Processing Agreement (DPA)
  • Sub-processor list

Contact: security@coraz.ai

Found a vulnerability? Disclose responsibly: security@coraz.ai. We acknowledge all disclosures within one business day.