Security - CrossVault

Security

Your payroll data, kept private and secure.

From encryption to access controls, CrossVault is built to keep your employees’ data confidential, protected, and yours — processed only to give you the compliance answers you came for.


Built on enterprise-grade infrastructure

Standards we build on

CrossVault doesn’t reinvent the data centre. We run on Google Cloud and inherit the certifications, physical security, and resilience of one of the world’s most scrutinised platforms.

Google Cloud

CrossVault runs entirely on Google Cloud Platform, whose data centres hold independent certifications including ISO 27001, ISO 27017, ISO 27018 and SOC 2.

Encryption

AES-256 at rest and TLS for data in transit, applied by default across the platform.

Australian business

Built and operated by CrossVault Pty Ltd for Australian NDIS and disability-support providers, under Australian privacy law.

Aligned, not just asserted

Our practices are designed around recognised privacy and security principles. Customers with formal compliance needs can request our DPA and provisions during onboarding.

ISO and SOC 2 certifications above are held by Google Cloud, our infrastructure provider. CrossVault is not itself certified to these standards; we align our own practices with them and can share details on request.


How we handle your data

Privacy isn’t a setting — it’s the default

Encryption everywhere

Your data is encrypted in transit with TLS and at rest with AES-256 on Google Cloud infrastructure. Credentials and secrets are stored separately from customer data.

No AI training on your data

We do not use customer-uploaded payroll data to train or fine-tune any public AI model — not without explicit, written consent. Your timesheets are processed only to produce your results.

Least-privilege access

Access to customer data is role-based and limited to the minimum needed to operate the service. Sharing inside the app is explicit and controlled by you.

You own your data

You retain ownership of everything you upload. You can delete data you control, and we never sell customer data to anyone.

Human review by design

CrossVault is a decision-support tool, not an autopilot. AI outputs are surfaced for a qualified person to review before you act on them.

Transparent subprocessors

A small, named set of providers powers the service. We publish who they are below and keep the list current for customers under contract.


Full ownership and control

You stay in control of your data

Data retention

We keep your data only as long as needed to provide the service. Retention windows and backup handling are set out in the Data Processing Agreement.

Deletion on request

You can delete data you upload, and request deletion of your account data when you stop using CrossVault.

Authentication

Sign in with Google (OAuth) or email and password. Account access is scoped to your organisation.

Data residency

Hosting and processing locations can be discussed for customers with specific residency requirements — contact our team.


Frequently asked

Security questions, answered

How is my data encrypted?

Data is encrypted in transit using TLS and at rest using AES-256, applied by default on Google Cloud. Secrets and credentials are managed separately from customer data.

Do you use my data to train AI models?

No. We do not use customer-uploaded payroll data to train or fine-tune any public AI model without your explicit, written consent. Your data is processed solely to produce your results.

Who can access my data?

Access is role-based and limited to the minimum needed to run and support the service. Within the app, you control who in your organisation can see a given timesheet or report.

Which subprocessors does CrossVault use?

The core providers are Google Cloud (hosting and database), Google Gemini (AI processing), and Stripe (payments). We can provide the current, full subprocessor list to customers on request.

What happens to my data if I cancel?

You can delete data you control at any time. After you stop using CrossVault you can request deletion of your account data; retention and backup specifics are described in our DPA.

Can I get a DPA or security documentation?

Yes. Customers and prospective customers can request our Data Processing Agreement and security details during onboarding — just contact our team.

Serious about keeping your data safe?

Ask us anything about how CrossVault stores, processes, and protects your information — or request our Data Processing Agreement.

A note on accuracy

This page describes CrossVault’s current security practices and may evolve as the product does. For contractual commitments, data residency, or our full subprocessor list, see our Terms of Service or contact our team.