Built for live client work.
Matter Desk handles real client matters. That requires real commitments on data residency, privacy, audit trails, and human oversight. Here is how we deliver on each.
Our commitments.
Australian data residency
All customer data is stored and processed on Australian infrastructure. Database, file storage, and application hosting all run on Australian infrastructure. Your client data does not leave Australia for storage.
Human review policy
Every substantive AI output requires lawyer review before client-facing use. This is enforced in the product. When an authority cannot be verified, the exact phrase “Authority not verified” is shown. Nothing is fabricated to appear more capable.
Audit trail
Every AI action, document operation, and workflow change is logged with user, matter, timestamp, and saved output. Conflict checks are audit-logged with the relevant ASCR 2015 conduct rule. Logs are immutable and retained for the life of the account.
No training on your data
Your matter data is never used to train AI models. This is contractually enforced through our infrastructure agreements. Your data is yours.
Privacy Act compliance
Matter Desk complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We will assess any suspected eligible data breach within 30 days and notify the OAIC and affected individuals as soon as practicable in accordance with Part IIIC of the Privacy Act 1988 (Cth). Full details are in our Privacy Policy.
Deadline safety
Calculated deadlines are deterministic, versioned, and require explicit human confirmation before activation. No deadline auto-activates. Every calculation cites its statutory source.
Document and data handling.
Private by default
Matter documents are private. Access requires signed URLs that expire. Documents are never made public.
Encrypted in transit and at rest
All connections use HTTPS. Data is encrypted at rest on Australian infrastructure.
Deletion on request
Request deletion of your data at any time. Confirmed deletion within 30 days of written request.
90-day retention after cancellation
After cancellation, your data is retained for 90 days for export. After that, it is permanently deleted.
Security architecture.
Row-level security
Every database table enforces row-level security. Users can only access data belonging to their firm.
CSRF protection
Authenticated mutating actions are protected by double-submit CSRF tokens.
Rate limiting
API endpoints are rate-limited to prevent abuse. Distributed rate limiting backed by the database.
Security headers
HSTS, X-Frame-Options, Content-Security-Policy, Referrer-Policy, Permissions-Policy all enforced on every response.
Input validation
Every API boundary validates input with schema validation. No raw user input reaches the database unvalidated.
Signed document URLs
Matter documents are served via time-limited signed URLs. No public bucket access.
Data Processing Agreement.
Matter Desk acts as a data processor under the Privacy Act 1988 (Cth) and Australian Privacy Principles. Your firm is the data controller. A signed DPA is available on request within 2 business days. Contact legal@matterdesk.ai.
Subprocessors
Application hosting
Australia
Application compute and edge delivery.
Database and storage
Australia
All database records, file storage, and exports.
Retention
Active subscription + 90 days post-cancellation. Then permanently deleted.
Deletion rights
Written request to legal@matterdesk.ai. Confirmed deletion within 30 days.
Breach notification
We will assess any suspected eligible data breach within 30 days and notify the OAIC and affected individuals as soon as practicable in accordance with Part IIIC of the Privacy Act 1988 (Cth).
Certification roadmap.
We are pursuing SOC 2 Type II certification. Our current security controls are documented and available for review. Contact security@matterdesk.ai for our security questionnaire.
Confident your firm's data is safe?
Book a walkthrough. See the audit trail in action.