Security at Rand

How we protect your most sensitive business data

Infrastructure

Rand runs on SOC 2 Type II certified infrastructure. Integration credentials receive an additional layer of AES-256-GCM authenticated encryption before storage.

Our infrastructure is hosted on Vercel and Supabase, which provide automatic HTTPS, TLS encryption in transit, edge network distribution, and DDoS protection. Error monitoring is configured to redact sensitive data before capture.

Access control

Your data is isolated at the database level. Every query is automatically scoped to your organisation — no organisation can access another’s data, even in the event of an application bug.

  • Role-based access controls with distinct permissions for members, finance users, administrators, and expert reviewers.
  • Expert reviewers can only access organisations they are explicitly assigned to.
  • Connected tool integrations use fine-grained permissions where available. GitHub connects via a GitHub App with read-only pull request access — no OAuth tokens or repository content access. Other integrations use read-only OAuth scopes with CSRF protection.

What we access from your tools

When you connect an integration, we access the minimum data needed to identify R&D activity:

GitHub

Connected via a GitHub App with read-only pull request permissions. We access PR titles, descriptions, commit messages, and metadata. We cannot read source code, file diffs, or repository contents — the App does not request content permissions.

Jira

Issue summaries, descriptions, and changelog entries. We do not access attachments or comments.

Linear

Issue titles, descriptions, and status changes. Read-only access.

Slack

Messages in channels you explicitly connect. We do not access files, attachments, or DMs.

Notion

Page titles and text content from pages you grant access to. We do not access your entire workspace.

You can disconnect any integration at any time from Settings.

AI & data processing

  • Your data is never used to train AI models. Data sent to our AI provider is processed under commercial API terms — it is not stored beyond the request lifecycle and is not accessible to other customers.
  • All AI output is validated against strict schemas before being stored. Malformed responses are rejected.
  • AI drafts are never auto-confirmed. Every AI-generated suggestion requires human approval before becoming part of your claim.
  • Confidence scores and risk assessments are always visible so you can make informed decisions.

Audit trail

Every significant action in Rand is recorded in an immutable activity log. Once an event is recorded, it cannot be modified or removed.

  • All changes to your claim — drafts, approvals, allocations, status transitions — are logged with actor and timestamp.
  • Expert reviewer actions are fully logged.
  • Audit logs are exportable for your records and retained in accordance with ATO record-keeping requirements.

Human review

Every R&D Tax Incentive claim prepared through Rand is reviewed by a registered tax professional. AI assists with drafting, but humans make the final decisions.

  • Expert reviewers are assigned to specific organisations — they cannot see data from other clients.
  • Reviewer identity and credentials are visible in-app so you know who is reviewing your claim.
  • AI-generated suggestions go through reviewer approval before reaching your organisation.

Data lifecycle

  • Disconnect and purge — you can disconnect any integration at any time from Settings.
  • Account deletion — self-service account deletion is available from Settings. Deleting your account removes your personal data. Where audit records must be retained for legal compliance, references to your identity are anonymised.
  • Financial records — retained for a minimum of 7 years in accordance with ATO record-keeping requirements.

Questions?

If you have questions about how we handle your data, contact us:

Rand Pty Ltd

Email: support@randadvisory.com.au

Melbourne, Victoria, Australia