Your trust is our priority. Learn how we protect your data with enterprise-grade security.
Last updated: 27 August 2025
FIND AI NOW PTY LTD
ABN 67 686 241 814 | ACN 686 241 814
Jurisdiction: Victoria, Australia
Purpose and scope
This page explains how Find AI Now protects data across our platform lifecycle. It covers security controls, compliance posture, third-party vendors, incident response, and your responsibilities. For privacy details and controller roles, see our Privacy Policy.
Governance and accountability
• Security ownership by leadership with defined roles across engineering, product, and operations
• Written policies for information security, access control, vendor management, incident response, acceptable use
• Policy review at least every 6 months
• Staff and contractors sign confidentiality and IP assignment agreements and complete security training
Hosting and architecture
We use modern cloud infrastructure and managed services. Typical components include Vercel for hosting and edge, Supabase for Postgres and auth, and Redis or Upstash for caching and queues. Current subprocessors and regions are listed on our Data Transfers page.
• Isolated prod, staging, and dev environments
• Least-privilege service and database access
• WAF, rate limiting, and DDoS protections from our hosting stack
Encryption and key management
• TLS 1.3 in transit
• AES-256 or provider-equivalent encryption at rest
• Secrets stored in environment vaults or cloud KMS
• Credential rotation on schedule and on personnel changes
Identity and access controls
• MFA for administrative and production access
• RBAC with quarterly access reviews
• Optional SSO for enterprise teams
• Secure, HTTP-only cookies and short-lived tokens
Application security
• Mandatory code review on all changes and protected main branches
• Dependency, container, SAST, and secret scanning in CI
• Deletion and de-identification on request and at end of need
Backups, business continuity, and disaster recovery
• Encrypted automated backups with periodic restore tests
• Point-in-time recovery for primary databases where supported
• Targets: RPO 24 hours or less; RTO 24 hours or less for core platform components
• SLA details live on our pricing and SLA page
Monitoring and logging
• Centralised application, auth, and audit logs
• 24×7 automated monitoring and alerting for availability and security signals
• Logging of admin actions and configuration changes with regular review
Vulnerability and patch management
• Continuous dependency scanning with defined patch windows
• Monthly vulnerability assessments and immediate triage for critical issues
• Independent penetration testing twice per year with tracked remediation
• Coordinated disclosure program, described under Responsible vulnerability disclosure (section 14)
Incident response and breach notification
Our plan defines roles, runbooks, communication, and post-mortems.
Target timelines
• Detection and triage: under 60 minutes
• Containment and assessment: under 4 hours
• User notice (when required): without undue delay once impact is confirmed
• Regulator notice: within 72 hours where required by law
Where an eligible data breach occurs under Australia's Notifiable Data Breaches (NDB) scheme, we will notify affected individuals and the OAIC as soon as practicable, consistent with legal requirements.
We will inform affected users via in-product notices or email if an incident materially affects their data.
Third-party risk and international transfers
• Vendor reviews, contractual controls, and periodic reassessment
• Standard Contractual Clauses or equivalent safeguards for cross-border transfers
• For EU–UK transfers we use the EU Standard Contractual Clauses and, where required, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
• Our current subprocessors, purposes, and regions are listed on the Data Transfers page (linked in the footer).
Compliance posture
Standard/Regulation | Status
Australian Privacy Act and APPs | Compliant
GDPR | Compliant for EU and UK users
CPRA/CCPA | Supported controls for access, deletion, and opt-out of sharing for advertising
ISO 27001 | In progress, target Q3 2025
SOC 2 Type II | Planned, target Q4 2025
Targets are goals, not attestations, until certification is complete.
Responsible vulnerability disclosure
If you discover a security vulnerability, email privacy@findainow.com. Do not publicly disclose before we confirm a fix. Acting in good faith under this policy will not be treated as unauthorised access or a breach of our Terms.
Include steps to reproduce, impacted URLs or endpoints, and proof of concept if safe to share. We aim to acknowledge within 24 hours.
Acceptable use and AI ethics
We require compliance with our Terms of Service and Acceptable Use standards, including:
• No tools that promote illegal, harmful, or discriminatory content
• Clear disclosure of AI-generated content where relevant
• Respect for intellectual property, privacy, and data rights
We may edit, de-list, or disable listings or integrations that breach these standards.
Customer responsibilities
Security is shared. You agree to:
• Use strong unique passwords and enable MFA where available
• Keep account details current and manage staff offboarding promptly
• Limit access to authorised users
• Avoid sending unnecessary personal or sensitive data in messages or uploads
• Use the Platform Invoice Button and avoid external payment links, per the Commission Terms
Service levels and status
• Uptime and performance targets are on our SLA page
• During major incidents we will provide status updates on our status page or by email
Changes and review cadence
We review this page at least every 6 months and after material changes to our posture. Material updates are posted here and may be emailed to registered users.
Contact
Security and privacy: privacy@findainow.com