Security & data handling

Your R&D claim is sensitive. We treat it that way.

Karen handles the same data an AusIndustry registration would carry: payroll splits, project hypotheses, vendor invoices, ABNs, technical narratives. Here's exactly how it's stored, who can read it, and what we never do with it.

Hosted in Australia

All claim data lives in ap-southeast-2 (Sydney). Never replicated offshore.

Encrypted at rest & in transit

AES-256 at rest, TLS 1.2+ on every request.

RLS per company

Row-level security on every table. You see your company's claims; nobody else does.

Never trains upstream AI

Your inputs are not used to train OpenAI, Google or any third-party model.

Where your data lives

KarenGrants runs on Supabase (Postgres) hosted in AWS ap-southeast-2 (Sydney). Documents you upload (timesheets, invoices, contracts) are stored in private Supabase Storage buckets in the same region. We do not replicate data to regions outside Australia.

Who can read what

  • Every claim, activity, expenditure line and document is gated by Postgres row-level security. The policy resolves to: "the row's company has me as a member, or I'm KarenGrants staff."
  • Staff access is logged. Only the staff member assigned to your claim, plus an admin for emergency support, has read access.
  • Your competent professional, accountant or anyone else only sees your claim if you explicitly add them as a company member.
  • There is no "view all claims" admin button. Cross-tenant queries require a migration and are auditable.
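As an added illustration (not KarenGrants' own schema or policy text), here is how the member-or-staff rule above can be expressed as a Postgres row-level security policy on Supabase; the table and column names (`claims`, `company_members`, `claim_assignments`) and the `app_metadata.role` JWT claim are assumptions for the example, while `auth.uid()`, `auth.jwt()` and the `authenticated` role are Supabase's own.

```sql
-- Added example only; table names below are assumed, not the product's schema.
create table company_members (
  company_id uuid not null,
  user_id    uuid not null,
  primary key (company_id, user_id)
);

create table claims (
  id         uuid primary key default gen_random_uuid(),
  company_id uuid not null,
  title      text not null
);

-- Which staff member is assigned to which claim (assumed table).
create table claim_assignments (
  claim_id uuid not null references claims (id),
  staff_id uuid not null,
  primary key (claim_id, staff_id)
);

-- Enable RLS and force it so even the table owner is subject to the policy.
alter table claims enable row level security;
alter table claims force row level security;

-- A row is visible when the caller is a member of the row's company,
-- is the staff member assigned to that claim, or carries an admin role
-- in the JWT's app_metadata (the emergency-support path). Anything else
-- returns zero rows rather than an error, so tenants cannot probe for
-- the existence of other companies' claims.
create policy claims_select on claims
for select
to authenticated
using (
  exists (
    select 1 from company_members m
    where m.company_id = claims.company_id
      and m.user_id = auth.uid()
  )
  or exists (
    select 1 from claim_assignments a
    where a.claim_id = claims.id
      and a.staff_id = auth.uid()
  )
  or coalesce(auth.jwt() -> 'app_metadata' ->> 'role', '') = 'admin'
);
```

The service-role key bypasses RLS entirely, which is why a policy like this only protects data if that key stays on trusted backend code, as the Authentication section below states.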

Authentication

  • Email/password with 12-character minimum and leaked-password rejection.
  • Google sign-in for password-free access.
  • Sessions are short-lived JWTs; refreshed silently and invalidated immediately on sign-out.
  • Service-role keys (which bypass RLS) are only used by verified backend code, never shipped to the browser, and never exposed to AI prompts.

AI: grounded, not guessed

  • Karen's AI features (narrative drafts, enquiry risk score, prior-art scan) call models through a server-side gateway. Your data never reaches a browser-side AI API.
  • We use models from Google and OpenAI under enterprise zero-retention terms: inputs and outputs are not retained by the model provider and never used for model training.
  • Every AI output is structured (JSON-validated) against AusIndustry's HEEC fields, so model drift can't change what gets saved.
  • Outputs are clearly attributed as AI-drafted and version-stamped. Nothing is lodged without your explicit review.

Lodgement integrity

  • The engagement letter you sign is hashed (SHA-256) and stored with the version, timestamp, IP and user agent of the signer. The exact letter text is reproducible forever.
  • Estimates are locked with a snapshot of assumptions, confidence band and gaps at the moment of signing - we can defend the number you saw.
  • Status events (draft → in_progress → lodged → received → paid) are immutable rows on an audit table.

Your data is yours

  • Export your full claim (activities, expenditure, narratives, documents) at any time.
  • Email hello@karengrants.com.au to delete your account; we purge claim data within 7 days and overwrite backups within 30.
  • We retain engagement letters and lodged claim records for 7 years after lodgement to meet ATO record-keeping obligations on your behalf, unless you direct otherwise.

Incident response

We monitor authentication, edge-function failures and database errors continuously. If a security incident affects your data, we will notify you within 72 hours with what was affected and what we've done. Suspected vulnerabilities can be reported to security@karengrants.com.au.

Want the full data handling agreement?

Procurement teams - we'll send our DPA, sub-processor list and security questionnaire answers. One email.
