Data Handling Policy
Last updated: May 2026
1. Scope
This Policy describes how TLK Source, ABN 16 525 180 164, trading as TLK Source, handles client data during the course of any engagement — across both Freight Intelligence and 3PL Intelligence product lines. It should be read alongside our Privacy Policy and Terms and Conditions.
2. Data categories
During an engagement, TLK Source collects and processes the following categories of data, depending on which product line the engagement falls under.
Freight Intelligence engagements (Freight Monitoring, Freight Tender):
- Freight invoices — PDF, CSV, and Excel formats
- Rate cards and carrier contracts — used for deviation analysis
- Shipment manifests and consignment data — used for volume and benchmark analysis
- Lane and corridor data — used for benchmarking and panel structure analysis
- Carrier service-level information — where provided for the engagement
3PL Intelligence engagements (3PL Health Check, 3PL Cost Monitoring, 3PL Tender):
- 3PL contracts and master services agreements — used for clause review and red-flag analysis
- 3PL pricing schedules and rate cards — used for market-rate benchmarking
- 3PL invoices — PDF, CSV, and Excel formats
- 3PL proposals and RFP responses — used for tender evaluation and recommendation
- Warehouse volume profiles — inbound, outbound, and storage volumes
- Pick and pack activity data — order, line and unit volumes
- Pallet and cubic storage data — including long-stay and dwell metrics
- Labour assumptions — rates, hours, productivity benchmarks where provided
- Lease and rent assumptions — where the engagement requires real-estate inputs
- WMS and systems fees — recurring software and integration charges
- SLA schedules — contracted service-level commitments and credits
- Exit and transition documentation — where the engagement covers contract exit or provider switch
Common to all engagements:
- Engagement metadata — timestamps, file counts, processing status, audit trail events
3. Infrastructure
| Component | Provider | Location |
|---|---|---|
| Primary file storage | Cloudflare R2 | Australian-region storage controls where available |
| Database | Cloudflare D1 | Oceania region |
| Compute (Workers) | Cloudflare | Edge — request-routed to nearest point of presence |
| DNS and security | Cloudflare | Global (Anycast) |
| AI inference | Anthropic API | United States |
| Payment processing | Stripe | Australia |
| Email delivery | Resend | United States |
4. Encryption
- In transit: All data transmitted between Client and TLK Source is encrypted using TLS 1.3 as a minimum.
- At rest: All stored data is encrypted using AES-256.
- Per-engagement: Each engagement's files are encrypted with a unique key, stored separately in Cloudflare Secrets Manager. Compromise of one engagement's key does not expose any other engagement's data.
5. Access controls
- No public access to any client data;
- Access restricted to authenticated Worker endpoints;
- Administrator access requires Cloudflare Access authentication, multi-factor authentication, and IP allowlisting;
- All access events logged to an immutable audit log;
- Principle of least privilege applied to all service accounts.
6. Data processing
- Document parsing and data extraction performed on Cloudflare Workers (request-routed to nearest point of presence);
- AI-assisted narrative generation uses the Anthropic API (processing on US infrastructure);
- Anthropic API configured with zero data retention and no model training on client data;
- Benchmark comparison uses TLK Source's proprietary dataset stored in Cloudflare D1 with Australian-region storage controls where available.
7. Sub-processors
| Service | Purpose | Data processed | Location |
|---|---|---|---|
| Cloudflare Pty Ltd | Infrastructure (compute, storage, DNS, security) | All engagement data, metadata, audit logs | Australia |
| Stripe Payments Australia Pty Ltd | Payment processing | Payment card details, billing name, email, ABN | Australia |
| Resend | Transactional email | Email addresses, message content | United States |
| Anthropic PBC | AI inference | Extracted invoice data, rate card data (zero-retention) | United States |
8. Data retention
- Client commercial data: engagement duration + 30 days
- Engagement records: 7 years (tax/record-keeping compliance)
- Audit logs: 12 months
- Deletion certificates: indefinitely (as evidence of deletion)
9. Deletion procedures
Automated deletion:
- A scheduled Cloudflare Worker runs daily to identify engagements past their retention window;
- Matching data is permanently deleted from R2 storage;
- Per-engagement encryption keys are destroyed;
- A deletion certificate (PDF) is generated and stored;
- The deletion event is written to the audit log;
- Engagement status is updated to "deleted."
On-request deletion:
- Clients may request deletion of their data at any time by emailing hello@tlksource.com.au;
- Requests are processed within 24 hours during business days;
- A deletion certificate is provided confirming completion.
Verification:
- Deletion completeness is verified by automated checks against R2 storage and D1 database;
- Verification results are recorded in the audit log.
10. Data breach procedures
In the event of a suspected or confirmed data breach:
- The incident response team is notified immediately;
- Affected data is isolated and access revoked;
- Affected clients are notified within 72 hours if the breach is confirmed to affect their data;
- Regulatory authorities are notified as required under the Notifiable Data Breaches scheme (Privacy Act 1988);
- Remediation actions are taken to contain the breach and prevent recurrence;
- A post-incident report is provided to affected clients.
11. Monitoring and audit
- Comprehensive audit logging of all data access events;
- Weekly automated review of access logs for anomalies;
- Annual security review;
- Penetration testing conducted at least annually;
- Continuous uptime and error-rate monitoring.
12. Insurance
TLK Source maintains the following insurance coverage:
- Professional Indemnity insurance;
- Cyber Liability insurance;
- Public Liability insurance.
13. Client responsibilities
Clients are responsible for:
- Ensuring they have the right to submit the data provided to TLK Source;
- Redacting any data that is not required for the relevant TLK Source engagement (e.g., employee personal data unrelated to the freight or 3PL analysis being performed);
- Maintaining the security of their own systems from which data is exported;
- Securely storing the Deliverables once received.
14. Contact
For detailed security questions or procurement documentation, email hello@tlksource.com.au.
TLK Source
ABN: 16 525 180 164
Australian-owned and operated