Security

Security you can actually verify

Ragsha processes borrower financials, identity documents, and bank data on behalf of brokers and lenders. This page sets out the controls we operate today — and, just as importantly, what is still on our roadmap. We would rather be precise than impressive.

Where we are. Ragsha is an early-stage Australian company. We do not yet hold SOC 2 or ISO 27001 certification. Rather than imply otherwise, we describe exactly what is in place below and keep a public roadmap of what we are building next. If your compliance team needs detail, we are glad to walk them through it.

01

Data residency

We handle some of the most sensitive information in financial services. It stays in Australia.

Hosted in Australia

All customer and borrower data is stored and processed in Australia, on Microsoft Azure — never sent offshore for storage or processing.

Australian AI processing

Document analysis and AI inference run on Australian-hosted infrastructure — not sent offshore for processing.

02

Encryption

Encrypted at rest

All stored data — documents, extracted data, and assessment outputs — is encrypted at rest using AES-256.

Encrypted in transit

All connections are protected with TLS 1.2 or higher, including traffic between the application, the database, and your browser.

03

Access & isolation

Multi-tenant isolation

Every request is scoped to your account using a cryptographically verified token. One customer cannot reach another customer’s data.

Least-privilege access

Access to production infrastructure is restricted to authorised personnel, and privileged actions within the app require an administrator role.

Modern authentication

Passwords are hashed with Argon2id, sessions use short-lived signed tokens, and repeated failed logins are rate-limited.

04

Your data & AI

We don’t train on your data

Customer data, borrower information, and assessment outputs are never used to train or improve AI models. Third-party model providers operate under enterprise terms that prohibit training on your data.

You own your data

You retain ownership of everything you upload. We process it solely to provide the service, and delete it on request in line with our retention terms.

05

Monitoring & resilience

Dependency monitoring

We run continuous automated monitoring for known vulnerabilities in our software dependencies, and prioritise security updates.

Backups & recovery

The production database has automated backups with point-in-time restore, so data can be recovered to a specific moment if needed.

06

Privacy & compliance

Privacy Act 1988 & the APPs

We handle personal information in accordance with the Australian Privacy Principles. See our Privacy Policy for how we collect, use, and protect information.

Notifiable Data Breaches

We maintain a documented breach-assessment and notification process under the NDB scheme in the Privacy Act 1988 (Cth).

ISO 27001 infrastructure

Ragsha runs on Microsoft Azure, whose data centres are independently certified to ISO/IEC 27001. Ragsha’s own certification is on our roadmap below.

07

On our roadmap

Not yet in place. We list these so you know where we are headed, not to imply they exist today.

PlannedMulti-factor authentication for administrator accounts
PlannedIndependent penetration testing
PlannedGeo-redundant backups and disaster-recovery drills
PlannedFormalising controls toward ISO 27001 / SOC 2 certification

Report a vulnerability

If you believe you have found a security issue, we want to hear from you. Email us and we will acknowledge your report and investigate. We appreciate responsible disclosure and will not pursue researchers who act in good faith.

security@ragsha.com

Security practices last reviewed 6 July 2026. This page describes current controls and is not a warranty or a contract.