Data Security Policy
Effective Date: December 16, 2024 | Last Updated: January 21, 2025
1. About This Policy
This Data Security Policy describes the security measures implemented by Krrisp Pty Ltd (ACN: 609 221 570), trading as Klaris AI ("we", "us", "our"), to protect information processed through our wealth planning software platform ("Klaris" or the "Platform").
This policy applies to all users of the Platform, including individual clients and financial advisors who access the Platform.
Our commitment is to protect your financial structure data with industry-standard security practices while maintaining transparency about how we safeguard your information.
2. Data Storage and Infrastructure
Australian Data Residency
All financial structure data is stored on servers located within Australia. We use Supabase with an Australian region (Sydney, ap-southeast-2) to ensure your sensitive financial information never leaves Australian jurisdiction.
Infrastructure Provider
Our platform infrastructure is hosted on Supabase, which uses Amazon Web Services (AWS) data centres. Our database is provisioned in the Sydney (ap-southeast-2) region.
Data Segregation
Each user's data is logically segregated at the database level using Row Level Security (RLS) policies. This means:
- Each user can only access their own financial structure data.
- Advisors can only access data for clients who have explicitly granted them access.
- Database queries are automatically filtered to prevent cross-user data access.
- Administrative access does not include visibility into user financial data.
3. Encryption
Data in Transit
All data transmitted between your browser and our servers is encrypted using:
- SSL/TLS encryption — All connections use HTTPS with TLS 1.2 or higher.
- HSTS (HTTP Strict Transport Security) — Browsers are instructed to only connect via HTTPS, preventing downgrade attacks.
- API calls between our frontend and backend services are encrypted end-to-end.
Data at Rest
All data stored in our database is encrypted at rest using:
- AES-256 encryption — Industry-standard encryption used by financial institutions worldwide.
- Database backups are also encrypted using the same standard.
- Encryption keys are managed by AWS Key Management Service (KMS) and are rotated regularly.
4. Authentication and Access Control
Password Requirements
- Minimum 12 characters with complexity requirements (uppercase, lowercase, numbers, and special characters).
- Passwords are hashed using bcrypt before storage.
- We never store passwords in plain text.
Email Verification
All accounts require email verification before accessing the Platform. A verification link is sent to the registered email address and must be confirmed before the account becomes active.
Two-Factor Authentication (2FA) and Google SSO
- Two-factor authentication is available and recommended for all accounts.
- Google Single Sign-On (SSO) is available as an alternative authentication method, leveraging Google's security infrastructure.
- Advisor accounts are strongly encouraged to enable 2FA due to the elevated access they may have to client data.
Session Management
- Sessions are managed using secure, HTTP-only tokens.
- Sessions expire after a period of inactivity to reduce the risk of unauthorised access.
- Users can manually sign out to terminate their session at any time.
5. Access Controls and Permissions
Client Access
Clients have full control over their own financial structure data. Clients can view, create, edit, and delete their own structures. Clients can grant or revoke advisor access at any time.
Advisor Access
Advisors can only access client data when explicitly invited by the client:
- Advisors receive read-only or edit access as determined by the client.
- Access can be revoked by the client at any time, effective immediately.
- Advisors cannot share client data with other advisors or third parties.
Advisor Collaboration Limits
Each client account can have a maximum of 2 advisors connected at any time. This limit exists to maintain data security and minimise the risk of unauthorised access. Clients must remove an existing advisor before adding a new one if the limit is reached.
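The following is an added, illustrative example of how the Row Level Security model described in section 2 (Data Segregation) and the advisor access rules in this section can be expressed as PostgreSQL policies on a Supabase database. It is not Klaris's actual schema or code: the tables `structures` and `advisor_access`, their columns, the helper function `has_advisor_access`, and the trigger `enforce_advisor_limit` are all constructed for this example. It assumes Supabase's standard `auth.users` table, `auth.uid()` function and default `authenticated` role.

```sql
-- Illustrative tables, constructed for this example (not Klaris's real schema).
create table structures (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null references auth.users (id),   -- the client
  name     text not null,
  payload  jsonb not null
);

-- One row per client/advisor pair; the client decides read-only or edit.
create table advisor_access (
  client_id  uuid not null references auth.users (id),
  advisor_id uuid not null references auth.users (id),
  can_edit   boolean not null default false,
  primary key (client_id, advisor_id),
  check (client_id <> advisor_id)
);

-- With RLS enabled and no matching policy, a query simply returns no rows.
alter table structures enable row level security;
alter table advisor_access enable row level security;

-- Lookup used by the structures policies. security definer bypasses RLS on
-- advisor_access so the two tables' policies do not recurse into each other;
-- auth.uid() still resolves to the user making the request.
create or replace function has_advisor_access(p_client uuid, p_need_edit boolean)
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1 from advisor_access a
    where a.client_id  = p_client
      and a.advisor_id = auth.uid()
      and (not p_need_edit or a.can_edit)
  );
$$;

-- Clients: full control over their own structures (select/insert/update/delete).
create policy structures_owner on structures
  for all
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Advisors: read a client's structures only while a grant exists.
create policy structures_advisor_read on structures
  for select
  using (has_advisor_access(owner_id, false));

-- Advisors: edit only if the client granted edit rights. Revoking the grant
-- takes effect on the next query, with no application code involved.
create policy structures_advisor_edit on structures
  for update
  using (has_advisor_access(owner_id, true))
  with check (has_advisor_access(owner_id, true));

-- Stop an editing advisor from reassigning a structure to themselves:
-- column-level privileges leave owner_id unwritable for the app role
-- (assumes Supabase's default "authenticated" role).
revoke update on structures from authenticated;
grant update (name, payload) on structures to authenticated;

-- Grants: only the client can create, change or revoke them.
create policy advisor_access_client on advisor_access
  for all
  using (client_id = auth.uid())
  with check (client_id = auth.uid());

-- Advisors can see which clients have connected them, but not alter the grant.
create policy advisor_access_advisor_read on advisor_access
  for select
  using (advisor_id = auth.uid());

-- Enforce the two-advisor-per-client limit at the database, not only in the UI.
create or replace function enforce_advisor_limit()
returns trigger language plpgsql as $$
begin
  if (select count(*) from advisor_access where client_id = new.client_id) >= 2 then
    raise exception 'client % already has the maximum of 2 advisors', new.client_id;
  end if;
  return new;
end;
$$;

create trigger advisor_access_limit
  before insert on advisor_access
  for each row execute function enforce_advisor_limit();
```

The point of the design is that every filter lives in the database: a query from a client or advisor session is evaluated under the caller's `auth.uid()`, so an application bug that forgets a `where` clause still cannot return another user's rows, and revoking a grant is effective immediately because the next statement re-evaluates the policy. Two caveats a practitioner would check: the trigger's count is not serialised, so two grants inserted concurrently could briefly exceed the limit unless the insert path takes a lock or the count runs at a stricter isolation level; and the service-role key used by backend jobs bypasses RLS entirely, so it must never reach the browser.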
Internal Access
Our systems are designed so that Klaris staff do not have routine access to user financial structure data. Administrative tools manage platform operations (account status, subscription management, technical support) without exposing financial data entered by users. When support requires data access, this is strictly opt-in by the user and fully audit-logged. In the event of a technical incident, our response team may access the minimum data necessary to resolve the issue. Database access is restricted to essential maintenance operations and is logged.
6. Third-Party Security
We use a limited number of third-party services, each selected for their security standards:
Stripe (Payment Processing)
- PCI-DSS Level 1 certified — the highest level of payment security certification.
- We never store, process, or transmit credit card numbers on our servers.
- All payment data is handled directly by Stripe's secure infrastructure.
SendGrid (Email Communications)
- Used for transactional emails (verification, password reset, notifications).
- Emails are sent over encrypted connections.
- No financial structure data is included in emails.
Google Analytics
- Used for anonymous website usage analytics only.
- No personal financial data is sent to Google Analytics.
- IP anonymisation is enabled.
7. Security Monitoring and Incident Response
Monitoring
- We monitor for unusual access patterns and potential security threats.
- Failed login attempts are tracked and accounts may be temporarily locked after repeated failures.
- System logs are maintained for security audit purposes.
Incident Response
In the event of a security incident:
- We will investigate and contain the incident as quickly as possible.
- Affected users will be notified in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.
- We will notify the Office of the Australian Information Commissioner (OAIC) if the breach is likely to result in serious harm.
- We will provide affected users with information about the breach and recommended steps to protect their accounts.
8. User Responsibilities
While we implement robust security measures, account security is a shared responsibility. We recommend that you:
- Use a strong, unique password for your Klaris account.
- Enable two-factor authentication (2FA).
- Do not share your login credentials with anyone.
- Sign out of your account when using shared or public devices.
- Keep your email address up to date for security notifications.
- Review advisor access permissions regularly and revoke access that is no longer needed.
- Report any suspected unauthorised access immediately to info@krrispdigital.com.au.
9. Privacy Act Alignment
Our security practices are designed to align with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth), including:
- APP 11 (Security of Personal Information) — We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure.
- APP 8 (Cross-border Disclosure) — Financial structure data remains within Australian jurisdiction. Where account-level data is processed internationally (e.g., payment processing via Stripe), we ensure appropriate safeguards are in place.
- Notifiable Data Breaches Scheme — We comply with the NDB scheme and will notify affected individuals and the OAIC of eligible data breaches.
10. Limitations
While we implement industry-standard security measures, no system can guarantee absolute security. We cannot be held liable for:
- Unauthorised access resulting from user actions (e.g., sharing credentials, weak passwords, compromised devices).
- Security breaches at third-party providers despite their own security certifications.
- Force majeure events or circumstances beyond our reasonable control.
11. Changes to This Policy
We may update this Data Security Policy from time to time to reflect changes in our security practices, technology, or legal requirements. When we make material changes:
- We will update the "Last Updated" date at the top of this policy.
- For significant changes, we will notify users via email or an in-app notification.
- Continued use of the Platform after changes constitutes acceptance of the updated policy.
12. Contact Information
If you have questions about our security practices or wish to report a security concern, please contact us:
Email: info@krrispdigital.com.au
Entity: Krrisp Pty Ltd (ABN: 38 609 221 570 | ACN: 609 221 570)
Website: klaris.com.au