Trust & Security

You trust us with your financial information. We take that seriously. This page explains how we protect your data, where it's stored, and who can access it.

Your Data Stays in Australia

All your financial data is stored and processed exclusively in Australia. Our entire infrastructure runs in the Sydney region:

  • Application servers – hosted in Sydney (Fly.io SYD region)
  • Database – PostgreSQL hosted in Sydney (AWS ap-southeast-2)
  • Web application – served from Sydney (Vercel SYD region)

Your financial data never leaves Australian jurisdiction. This isn't just a policy – it's enforced by our infrastructure architecture.

Encryption at Rest

All sensitive financial data is encrypted before it reaches the database using AES-256-GCM, the same encryption standard used by banks and government agencies.

We use an envelope encryption pattern: each record is encrypted with its own unique key, and those keys are themselves encrypted by a master key stored separately from the database. This means that even if the database were fully compromised, your financial data would remain unreadable.

Encrypted data includes your income, superannuation balances, net worth, investment holdings, FIRE projections, and any other financial figures you enter.

Encryption in Transit

All connections to GetFired.au are encrypted with TLS (HTTPS). This protects your data as it travels between your browser and our servers. Unencrypted HTTP connections are automatically redirected to HTTPS.

What We Store (and What We Don't)

We store only what's needed to provide the service. We deliberately avoid storing sensitive data that isn't ours to keep:

  • We store: your calculator inputs and projections (encrypted), scenario names, and account preferences
  • Auth0 stores: your email, name, and login credentials – we never see your password
  • Stripe stores: your payment card details and billing address – we never see your card number

We do not store bank account credentials, card numbers, billing addresses, or any data beyond what's needed for your FIRE calculations.

Authentication & Access

User authentication is handled by Auth0, a SOC 2 Type II certified identity provider. This gives you enterprise-grade login security including:

  • Secure password hashing (we never see or store your password)
  • Social login options (Google, etc.)
  • Brute-force and bot protection

All API requests are authenticated with short-lived tokens. Your data is scoped to your account – our API enforces ownership checks on every request, so you can only access your own scenarios and portfolios.
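One way to enforce the ownership check described above, added here as an illustration rather than GetFired.au's actual implementation: the data-access layer only ever looks up a scenario by id together with the authenticated owner, so no handler can fetch a row and forget the check. The session object, scenario fields, and in-memory store standing in for PostgreSQL are all assumptions of this example; the token has already been validated upstream.

```javascript
// Added example (not GetFired.au's code): owner-scoped data access.
// ASSUMPTION: the auth layer has validated the short-lived token and produced
// session.userId. The Map stands in for PostgreSQL; constructed sample rows.
const scenarios = new Map([
  ['sc-1', { id: 'sc-1', ownerId: 'user-alice', name: 'Retire at 50', target: 1500000 }],
  ['sc-2', { id: 'sc-2', ownerId: 'user-bob', name: 'Coast FIRE', target: 900000 }],
]);

// Every lookup is scoped by owner. In SQL this is the equivalent of always
// writing `WHERE id = $1 AND owner_id = $2`, never `WHERE id = $1` alone.
function findScenarioForOwner(scenarioId, ownerId) {
  const s = scenarios.get(scenarioId);
  return s && s.ownerId === ownerId ? s : null;
}

function listScenariosForOwner(ownerId) {
  return [...scenarios.values()].filter((s) => s.ownerId === ownerId);
}

function getScenarioHandler(session, scenarioId) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const s = findScenarioForOwner(scenarioId, session.userId);
  // "Not found" and "not yours" look identical to the caller, so one account
  // cannot learn which ids exist in other accounts.
  if (!s) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: s };
}

// Writes go through the same scoped lookup, so the check cannot be bypassed
// by hitting a different verb.
function updateScenarioHandler(session, scenarioId, patch) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const s = findScenarioForOwner(scenarioId, session.userId);
  if (!s) return { status: 404, body: { error: 'not found' } };
  const allowed = { name: patch.name ?? s.name, target: patch.target ?? s.target };
  const updated = { ...s, ...allowed }; // ownerId is never taken from the client
  scenarios.set(scenarioId, updated);
  return { status: 200, body: updated };
}

console.log(getScenarioHandler({ userId: 'user-alice' }, 'sc-1').status); // 200
console.log(getScenarioHandler({ userId: 'user-alice' }, 'sc-2').status); // 404
```

Keeping the owner in the query rather than checking it after the fetch also removes the temptation to special-case "admin" paths that skip the filter; an explicit admin role, if one exists, should get its own deliberately scoped function.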

Payment Security

Payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. Your card details are entered directly into Stripe's secure forms and never touch our servers. We receive only a reference ID to manage your subscription.

Logging & Error Tracking

We take care to ensure your personal information doesn't leak into logs or error reports:

  • Email addresses, authentication tokens, and financial values are never logged
  • Error reports are scrubbed of personal data before being sent to our error tracking service
  • Internal error details are never returned to your browser – you see a generic message while we investigate server-side

Compliance

Our security practices are designed to meet or exceed the following standards:

  • Australian Privacy Act (APP 11) – reasonable steps to protect personal information
  • GDPR Article 32 – encryption of personal data
  • SOC 2 CC6.1 – encryption at rest controls

Our identity provider (Auth0) holds SOC 2 Type II certification, and our payment processor (Stripe) holds PCI DSS certification.

We Never Sell Your Data

Your financial data is yours. We do not sell, rent, or share your personal information with advertisers, data brokers, or any third party. The only parties with access to your data are the infrastructure providers needed to run the service, and they are bound by strict confidentiality obligations.

Questions?

If you have questions about our security practices or want to report a vulnerability, contact us at security@getfired.au.

For general privacy questions, see our Privacy Policy.