Security & Privacy

Your data is commercially sensitive.
We treat it that way.

Australian-hosted infrastructure. AES-256 encryption. Automated deletion. Zero AI retention. Here's exactly how we protect your freight and 3PL data across both product lines.

🇦🇺

Australian-region hosted

Hosted on Cloudflare infrastructure with Australian-region storage controls where available

🔒

AES-256 encrypted

At rest and in transit. Per-engagement encryption keys

🗑

Auto-deleted

One-off: 30 days post-delivery. Subscriptions: 30 days post-term. Delete sooner from the portal anytime.

🤖

Zero AI retention

Anthropic API under zero-retention, no-training terms

📊

Full audit log

Every data access event logged with timestamp and identity

Last updated: April 2026

Data handling and encryption

All data transmitted to and from TLK Source is encrypted using TLS 1.3. Data stored within our systems is encrypted at rest using AES-256. This applies to all uploaded files, processed results, and derived data.

  • All file uploads are encrypted immediately upon receipt
  • Database records are encrypted at rest via Cloudflare's infrastructure
  • API communications require HTTPS — plaintext HTTP is rejected
  • Encryption keys are managed by Cloudflare's key management infrastructure and are not accessible to TLK Source staff

Infrastructure

TLK Source operates on Cloudflare infrastructure with Australian-region storage controls where available.

  • Primary data storage: Cloudflare D1 (SQLite) — provisioned in the Oceania region
  • File storage: Cloudflare R2 (object storage) with Australian-region storage controls where available
  • Compute: Cloudflare Workers (request-edge compute serves from the nearest point of presence to the request origin)
  • No Amazon Web Services, Google Cloud, or Microsoft Azure infrastructure is used

Data retention and deletion

Retention is tied to the type of engagement, not a fixed clock.

  • One-off engagements (Freight Tender, 3PL Health Check, 3PL Tender, Advisory work): uploaded files and processed reports are retained for the duration of the engagement plus 30 calendar days after final delivery, then automatically deleted.
  • Annual monitoring subscriptions (Freight Monitoring, 3PL Cost Monitoring): uploaded files and reports are retained for the active subscription term plus 30 calendar days from term end, then automatically deleted. Each renewal extends the window — clients should expect to be able to run trend and year-on-year analysis throughout the term.
  • Client account data (email, company name): retained until the client requests deletion.
  • Anonymised market reference data (carrier rates by lane, fuel-levy mechanics, DIFOT, surcharge structure): retained indefinitely only where the client has given explicit consent at engagement start. No shipper identifiers are stored in this dataset. Without consent, no derived benchmark data is retained.
  • Clients can delete their data at any time from the customer portal, or by emailing hello@tlksource.com.au.
  • The portal warns at least 30 days before any automatic deletion, with email and an in-portal banner.
  • Deletion is confirmed in writing with a deletion certificate upon request.

Access controls

Access to client data is restricted using role-based access controls.

  • Client data is accessible only to the automated analysis engine and the internal QA review process
  • No external contractors, freelancers, or third-party personnel have access to client data
  • Administrative access requires multi-factor authentication
  • All access events are logged with timestamp, user identity, and action taken

Audit logging

Every access to client data is logged in an immutable audit trail.

  • Logs include: who accessed the data, when, what action was taken, and the IP address
  • Audit logs are retained for 12 months
  • Clients can request an audit log extract for their data by contacting support

Data usage restrictions

Client data is used solely for the purpose of producing the report or deliverable the client has paid for — whether Freight Monitoring, a Freight Tender, a 3PL Health Check, 3PL Cost Monitoring, or a 3PL Tender.

  • Client data is never sold, shared, or provided to any third party
  • Client data is never used to train AI models (external or internal)
  • Client data is never used as inputs to our benchmark dataset unless the client provides explicit written consent, in which case only anonymised and aggregated data is used
  • Client data is never used for marketing purposes
  • Client data is never shared with carriers, 3PLs, or any other logistics provider

Third-party sub-processors

TLK Source uses the following third-party services in the delivery of its product:

Provider | Purpose | Location
Cloudflare | Infrastructure — compute, storage, networking | Australia
Stripe | Payment processing — card data only, no freight data | Australia
Resend | Transactional email — email addresses and notifications only | United States
Anthropic | AI analysis — zero-retention, no-training terms | United States

AI and automated processing

TLK Source uses Anthropic's Claude API as part of its analysis engine.

  • Data residency: Client data at rest is stored on Cloudflare infrastructure with Australian-region storage controls where available
  • AI processing location: AI inference via the Anthropic API is processed in the United States. Client data is sent to Anthropic's API for analysis and returned in real time
  • No data retention by Anthropic: Anthropic does not retain client data after processing. Anthropic does not use client data to train models. This is enforced via Anthropic's zero-retention API configuration
  • AI-generated findings are subject to automated quality checks before delivery
  • The AI does not make decisions — it identifies patterns and anomalies, which are then structured into the deliverables

Privacy Act alignment

While TLK Source may fall below the $3M annual turnover threshold for mandatory compliance with the Privacy Act 1988 (Cth), we voluntarily align our data handling practices with the Australian Privacy Principles (APPs) as a matter of principle.

  • We collect only the data necessary to perform the audit
  • We inform clients of what data we collect and why
  • We provide clients with access to their data upon request
  • We allow clients to request correction or deletion of their data
  • We take reasonable steps to protect data from misuse, loss, and unauthorised access

Breach notification

In the event of a data breach that may result in serious harm to clients:

  • Affected clients will be notified within 72 hours of TLK Source becoming aware of the breach
  • Notification will include: what data was affected, what happened, and what steps TLK Source is taking
  • The Office of the Australian Information Commissioner (OAIC) will be notified if the breach meets the threshold under the Notifiable Data Breaches scheme

Client data rights

Clients have the following rights regarding their data:

  • Access: request a copy of all data TLK Source holds about them
  • Correction: request correction of inaccurate data
  • Deletion: request immediate deletion of all data
  • Export: request data in a machine-readable format (JSON)
  • Audit log: request a log of all access to their data

Requests can be made to hello@tlksource.com.au and will be actioned within 30 days.

Insurance

  • Professional indemnity insurance is held and current
  • Cyber liability insurance is held and current
  • Public liability insurance is held and current

Policy details are available upon request for enterprise clients as part of vendor due diligence processes.

Contact

For security-related enquiries or to report a vulnerability: hello@tlksource.com.au

TLK Source · Australian-owned and operated

Security at a glance

Australian-hosted data storage (Cloudflare)
AES-256 encryption at rest
TLS 1.3 in transit
Per-engagement encryption keys
Zero AI data retention (Anthropic)
No AI model training on client data
Data never sold or shared
Automated deletion at 30 days
Full immutable audit log
MFA for all admin access
Professional indemnity insurance
Cyber liability insurance