Last updated: April 2026
Data handling and encryption
All data transmitted to and from TLK Source is encrypted using TLS 1.3. Data stored within our systems is encrypted at rest using AES-256 encryption. This applies to all uploaded files, processed results, and derived data.
- All file uploads are encrypted immediately upon receipt
- Database records are encrypted at rest via Cloudflare's infrastructure
- API communications require HTTPS — plaintext HTTP is rejected
- Encryption keys are managed by Cloudflare's key management infrastructure and are not accessible to TLK Source staff
Infrastructure
TLK Source operates on Cloudflare infrastructure with Australian-region storage controls where available.
- Primary data storage: Cloudflare D1 (SQLite) — provisioned in the Oceania region
- File storage: Cloudflare R2 (object storage) with Australian-region storage controls where available
- Compute: Cloudflare Workers (edge compute; each request is served from the point of presence nearest to the request origin)
- No Amazon Web Services, Google Cloud, or Microsoft Azure infrastructure is used
Data retention and deletion
Client data is retained only for the duration of the engagement plus 30 calendar days. After this period, all client data — including uploaded files, processed results, and derived analysis — is automatically and permanently deleted.
- Uploaded files: automatically deleted 30 days after engagement completion
- Processed results and reports: retained for 30 days after delivery for client re-download, then deleted
- Client account data (email, company name): retained until client requests deletion
- Clients can request immediate deletion of all data at any time by emailing hello@tlksource.com.au
- Deletion is confirmed in writing with a deletion certificate upon request
Access controls
Access to client data is restricted using role-based access controls.
- Client data is accessible only to the automated analysis engine and the internal QA review process
- No external contractors, freelancers, or third-party personnel have access to client data
- Administrative access requires multi-factor authentication
- All access events are logged with timestamp, user identity, and action taken
Audit logging
Every access to client data is logged in an immutable audit trail.
- Logs include: who accessed the data, when, what action was taken, and the IP address
- Audit logs are retained for 12 months
- Clients can request an audit log extract for their data by contacting support
Data usage restrictions
Client data is used solely for the purpose of producing the client's Audit Kit.
- Client data is never sold, shared, or provided to any third party
- Client data is never used to train AI models (external or internal)
- Client data is never used as input to our benchmark dataset unless the client provides explicit written consent, in which case only anonymised and aggregated data is used
- Client data is never used for marketing purposes
- Client data is never shared with carrier companies
Third-party sub-processors
TLK Source uses the following third-party services in the delivery of its product:
| Provider | Purpose | Location |
| --- | --- | --- |
| Cloudflare | Infrastructure — compute, storage, networking | Australia |
| Stripe | Payment processing — card data only, no freight data | Australia |
| Resend | Transactional email — email addresses and notifications only | United States |
| Anthropic | AI analysis — zero-retention, no-training terms | United States |
AI and automated processing
TLK Source uses Anthropic's Claude API as part of its analysis engine.
- Data residency: All client data at rest is stored in Australia on Cloudflare infrastructure
- AI processing location: AI inference via the Anthropic API is processed in the United States. Client data is sent to Anthropic's API for analysis and returned in real time
- No data retention by Anthropic: Anthropic does not retain client data after processing. Anthropic does not use client data to train models. This is enforced via Anthropic's zero-retention API configuration
- AI-generated findings are subject to automated quality checks before delivery
- The AI does not make decisions — it identifies patterns and anomalies, which are then structured into the deliverables
Privacy Act alignment
While TLK Source may fall below the $3M annual turnover threshold for mandatory compliance with the Privacy Act 1988 (Cth), we voluntarily align our data handling practices with the Australian Privacy Principles (APPs) as a matter of principle.
- We collect only the data necessary to perform the audit
- We inform clients of what data we collect and why
- We provide clients with access to their data upon request
- We allow clients to request correction or deletion of their data
- We take reasonable steps to protect data from misuse, loss, and unauthorised access
Breach notification
In the event of a data breach that may result in serious harm to clients:
- Affected clients will be notified within 72 hours of TLK Source becoming aware of the breach
- Notification will include: what data was affected, what happened, and what steps TLK Source is taking
- The Office of the Australian Information Commissioner (OAIC) will be notified if the breach meets the threshold under the Notifiable Data Breaches scheme
Client data rights
Clients have the following rights regarding their data:
- Access: request a copy of all data TLK Source holds about them
- Correction: request correction of inaccurate data
- Deletion: request immediate deletion of all data
- Export: request data in a machine-readable format (JSON)
- Audit log: request a log of all access to their data
Requests can be made to hello@tlksource.com.au and will be actioned within 30 days.
Insurance
- Professional indemnity insurance is held and current
- Cyber liability insurance is held and current
- Public liability insurance is held and current
Policy details are available upon request for enterprise clients as part of vendor due diligence processes.
Contact
For security-related enquiries or to report a vulnerability: hello@tlksource.com.au
TLK Source · ABN 16 525 180 164 · Australian-owned and operated
Security at a glance
- Australian-hosted data storage (Cloudflare)
- AES-256 encryption at rest
- TLS 1.3 in transit
- Per-engagement encryption keys
- Zero AI data retention (Anthropic)
- No AI model training on client data
- Data never sold or shared
- Automated deletion at 30 days
- Full immutable audit log
- MFA for all admin access
- Professional indemnity insurance
- Cyber liability insurance