AutoCalc

Trust & Security

Last updated: April 2026

1. What we promise

AutoCalc does not store payslip files. When you upload one, the bytes are sent to AWS Bedrock for AI parsing and then discarded. We never write the file to disk, S3, or any database.

This applies to every upload, every user, no exceptions. If our team needs sample documents to test or improve the parser, we use our own test fixtures — not files uploaded by brokers.

What we do keep is the structured data the AI extracts (e.g. employer, gross pay, allowances), and only inside the saved cases you create. You can delete those cases at any time. See the retention table in section 6.

2. How AI parsing works

We use Amazon Bedrock (region: Sydney, ap-southeast-2) to extract structured data from payslip documents. AWS publishes its data-handling commitments for Bedrock here:

aws.amazon.com/bedrock/security-compliance

The commitments we rely on:

  • Inputs you submit to Bedrock are not used to train foundation models.
  • Inputs are not stored by AWS after the request completes.
  • Inputs are processed within the AWS region you select.

AutoCalc routes every payslip parse through that Sydney region. The extracted data we receive back is the only thing that touches our systems.

3. What is SOC 2?

SOC 2 (System and Organization Controls 2) is an independent audit standard, set by the AICPA, that examines how a software company handles customer data across five trust criteria: security, availability, processing integrity, confidentiality, and privacy.

A SOC 2 audit is conducted by an external accounting firm. They review how our controls actually operate — from how we provision accounts and rotate keys to how we respond to incidents — and publish a report companies can request before they trust us with their data.

Type I reports the design of those controls at a point in time. Type II reports how they have operated across a window (typically 6–12 months).

4. Our SOC 2 status

AutoCalc is currently working towards SOC 2 Type I. The audit is in progress and the report is expected in the near future. We are publishing this page now, rather than waiting for the report, so you can see exactly what controls we operate today.

We do not claim to be “SOC 2 certified” or “SOC 2 compliant”. The AICPA does not certify; companies receive a report after a successful audit. We will update this page with the firm name and report date once those are confirmed, and link the report itself when issued.

5. Controls we operate today

  • Encryption in transit — all traffic to and from AutoCalc is over HTTPS/TLS 1.2+.
  • Encryption at rest — all data stored in AWS S3 and DynamoDB is encrypted server-side (AES-256).
  • Australian data residency — all infrastructure lives in AWS Sydney (ap-southeast-2). No data leaves Australia.
  • AI no-training commitment — AWS Bedrock does not use your inputs to train models (see section 2).
  • Authentication — sign-in is delegated to AWS Cognito with Google OAuth. Passwords are never stored by AutoCalc.
  • Session lifetime — session tokens expire after 4 hours. Deactivated accounts lose access on the next request.
  • Least-privilege access — production data is accessible only to a small number of named team members through scoped AWS IAM roles. Admin and staff role grants happen only via the AWS Console — there is no way for the application itself to elevate a user's privileges.
  • Audit logs — CloudWatch retains operational logs for 90 days. Logs contain metadata (file hashes, request IDs, outcomes) but do not contain extracted payslip content.

6. Data retention

| What | How long we keep it |
| --- | --- |
| Raw payslip files | Never retained. No exceptions. |
| Parsed extraction (structured JSON) | Cached for 90 days so re-uploading the same file skips a Bedrock call. Permanent inside saved cases until you delete the case. |
| Saved cases | Until you delete them. |
| Drafts | 30 days, then automatically removed. |
| Payment records | Stored by Stripe. Australian tax retention applies (typically 7 years). |
| CloudWatch logs | 90 days. Metadata only — no extracted payslip content. |

7. Sub-processors

AutoCalc relies on the following third-party services. Each is bound by its provider's data-handling terms.

| Provider | Purpose | Region |
| --- | --- | --- |
| Amazon Web Services | Hosting, AI parsing (Bedrock), storage (S3, DynamoDB), auth (Cognito), compute (ECS). | Sydney (ap-southeast-2) |
| Stripe | Subscription billing. | Global (Stripe-managed) |
| Google | OAuth sign-in only (no analytics, no advertising). | Global (Google-managed) |

8. Access controls

Only a small number of named AutoCalc team members have production access. Admin and staff role grants are made by adding an account to the corresponding Cognito group via the AWS Console — there is no path inside the AutoCalc application that lets a user grant themselves elevated access.

Brokers can only see the cases they themselves have created. Admins can list customer accounts for support and tier management but do not have a path that exposes raw payslip files (because none are stored).

9. Incident response

If we detect or are notified of a security incident, we will investigate, contain, and (where required by the Privacy Act 1988 or applicable law) notify affected users.

Report a security concern to: security@autocalc.com.au. We aim to acknowledge within one business day.

10. Data Processing Agreement

Brokers and broker firms can request a Data Processing Agreement covering AutoCalc's role as a processor under the Australian Privacy Principles. Email security@autocalc.com.au and we will send the current template.