Security & Data Residency
Last updated: 30 June 2026
This page summarises where SWMSBuilder stores your data and the controls that protect it. It is written for principal contractors and procurement teams assessing the platform. For how we handle personal information generally, see our Privacy Policy.
Where your data lives
Your core records — your account, the SWMS you create, worker sign-on records and signatures, and uploaded files (logos, attachments) — are stored in Sydney, Australia (Supabase on AWS, region ap-southeast-2). Your compliance data does not leave Australian-hosted infrastructure in the ordinary course of using the Service.
Two activities can involve processing outside Australia, each only for its own purpose: AI draft generation (only when you choose to use it) and a small amount of product analytics. These are listed below.
Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase (on AWS) | Database, authentication, file storage — your SWMS, sign-ons, signatures, files | Sydney, Australia (ap-southeast-2) |
| Vercel | Application hosting and cookieless web analytics | Global edge; AU region for app compute |
| Stripe | Payments — we never see or store card numbers | Global (PCI-DSS Level 1) |
| AI provider (via Vercel AI Gateway) | Generates a draft only when you use AI generation | United States |
| Resend | Transactional email (e.g. sign-in, sharing a SWMS) | United States |
| Google Analytics / PostHog | Website and product usage measurement | United States |
Each provider processes data on our behalf under its own security and contractual commitments. We send the minimum needed for each function.
How your data is protected
- Isolation by workspace: row-level security in the database enforces that each organisation can only read and write its own records — at the data layer, not just in the app.
- Encryption: all traffic is encrypted in transit (TLS); data at rest is encrypted by our infrastructure providers.
- Authentication: access requires a verified sign-in; sessions are scoped to your workspace and role.
- No card data: payments are handled entirely by Stripe; card numbers never touch our servers.
- Least privilege: production access is restricted to what is needed to operate and support the Service.
- Backups: the database is backed up automatically by our infrastructure provider.
Your compliance records
Worker sign-on records (name, role, signature, timestamp and the SWMS version signed) are retained as an audit trail so you keep a defensible record. You can export your register at any time, and we retain records as needed for legal and compliance purposes before deletion or de-identification.
Responsibility for the document
SWMSBuilder structures documents to WHS frameworks and cites each control to its source, but it is a drafting aid, not legal or safety advice. A competent person must review and customise every SWMS for the specific site and confirm currency before use.
Reporting a concern
To report a security issue, request a copy of your data, or ask a due-diligence question, email hello@swmsbuilder.au and we will respond promptly.