Where we are. Ragsha is an early-stage Australian company. We do not yet hold SOC 2 or ISO 27001 certification. Rather than imply otherwise, we describe exactly what is in place below and keep a public roadmap of what we are building next. If your compliance team needs detail, we are glad to walk them through it.
Data residency
We handle some of the most sensitive information in financial services. It stays in Australia.
Hosted in Australia
All customer and borrower data is stored and processed in Australia, on Microsoft Azure — never sent offshore for storage or processing.
Australian AI processing
Document analysis and AI inference run on Australian-hosted infrastructure — not sent offshore for processing.
Encryption
Encrypted at rest
All stored data — documents, extracted data, and assessment outputs — is encrypted at rest using AES-256.
Encrypted in transit
All connections are protected with TLS 1.2 or higher, including traffic between the application, the database, and your browser.
Access & isolation
Multi-tenant isolation
Every request is scoped to your account using a cryptographically verified token. One customer cannot reach another customer’s data.
Least-privilege access
Access to production infrastructure is restricted to authorised personnel, and privileged actions within the app require an administrator role.
Modern authentication
Passwords are hashed with Argon2id, sessions use short-lived signed tokens, and repeated failed logins are rate-limited.
Your data & AI
We don’t train on your data
Customer data, borrower information, and assessment outputs are never used to train or improve AI models. Third-party model providers operate under enterprise terms that prohibit training on your data.
You own your data
You retain ownership of everything you upload. We process it solely to provide the service, and delete it on request in line with our retention terms.
Monitoring & resilience
Dependency monitoring
We run continuous automated monitoring for known vulnerabilities in our software dependencies, and prioritise security updates.
Backups & recovery
The production database has automated backups with point-in-time restore, so data can be recovered to a specific moment if needed.
Privacy & compliance
Privacy Act 1988 & the APPs
We handle personal information in accordance with the Australian Privacy Principles. See our Privacy Policy for how we collect, use, and protect information.
Notifiable Data Breaches
We maintain a documented breach-assessment and notification process under the NDB scheme in the Privacy Act 1988 (Cth).
ISO 27001 infrastructure
Ragsha runs on Microsoft Azure, whose data centres are independently certified to ISO/IEC 27001. Ragsha’s own certification is on our roadmap below.
On our roadmap
Not yet in place. We list these so you know where we are headed, not to imply they exist today.
Report a vulnerability
If you believe you have found a security issue, we want to hear from you. Email us and we will acknowledge your report and investigate. We appreciate responsible disclosure and will not pursue researchers who act in good faith.
security@ragsha.comSecurity practices last reviewed 6 July 2026. This page describes current controls and is not a warranty or a contract.