Security Overview
Overview
At Parachute, we take the security and privacy of our users’ data seriously. This page summarises the technical and organisational measures we use to protect your data. If you have questions or need a security questionnaire completed, contact us at security@goparachute.ai.
Data sovereignty and control
With Parachute, you keep control of your data. You choose what to upload, can delete organisation and firm data at any time (with full cleanup and an audit record), and your data stays in-region.
Data location: All Parachute application and customer data is hosted and processed in Australia. Our database and storage providers operate in-region. For AI-powered features we use third-party APIs; we can discuss data residency and provider locations for your compliance needs.
Deletion: You can request full deletion of your organisation or firm data at any time.
Encryption
Our systems are designed for encryption at rest using AES-256 and in transit with a minimum of TLS 1.2. Sensitive third-party credentials (for example OAuth tokens) are encrypted at rest before storage. Our database and file storage providers also encrypt data at rest.
Authentication and access control
We use Auth0 as our identity provider. Access to the platform is token-based (JWT); we do not store user passwords.
Enterprise SSO (SAML) is available for customers who require it.
We enforce role-based access control (RBAC) at the application layer. Access follows the principle of least privilege.
Multi-factor authentication (MFA) can be enabled for customers who require it.
We are currently deemed to be ISO 27001 compliant and are undergoing the necessary external audit process to achieve certification.
AI and third-party model providers
We do not train any models on your data. Where we use third-party AI APIs to provide our services, we contractually require those providers not to use your data for model training.
Last updated: February 2026
