Built for the bite, not the brochure.
The AU regulators are tightening — at the same time we're moving real money between brands and creators. PROOF is opinionated about how that flow is built and audited. Here's what runs under every contract.
Hash-chained, immutable, and verifiable by you.
Every contract state transition writes a row to contract_audit_events with a SHA-256 hash of the prior row. An immutable Postgres trigger blocks UPDATE and DELETE. Download the chain JSON, run the verifier — chain_valid: true or we owe you the dispute.
- Every contract hash-chained by design
- Audit table is append-only — UPDATE/DELETE blocked at the database.
- Court-evidence-grade by design
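As an added illustration of how a hash-chained audit table is checked (this is example code, not PROOF's verifier, and the column names `seq`, `contract_id`, `event_type`, `payload` and `prev_hash` are assumptions, since the page names only the table `contract_audit_events`), the block below builds a small chain the way a writer would, then verifies an exported chain JSON, detects an edited row, and shows why a published head hash is needed to catch a truncated export:

```python
import hashlib
import json
from typing import Any, Optional

# Column names below are assumptions for illustration; the page only names the
# table contract_audit_events and says each row carries a SHA-256 of the prior row.
GENESIS_PREV_HASH = "0" * 64


def canonical_bytes(row: dict) -> bytes:
    """Serialise a row deterministically so every verifier hashes identical bytes."""
    return json.dumps(row, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def row_hash(row: dict) -> str:
    """SHA-256 over the canonical form of a whole row, prev_hash included."""
    return hashlib.sha256(canonical_bytes(row)).hexdigest()


def append_event(chain: list, contract_id: str, event_type: str, payload: dict) -> dict:
    """Writer side: every new row stores the hash of the row before it."""
    prev_hash = row_hash(chain[-1]) if chain else GENESIS_PREV_HASH
    row = {
        "seq": len(chain) + 1,
        "contract_id": contract_id,
        "event_type": event_type,
        "payload": payload,
        "prev_hash": prev_hash,
    }
    chain.append(row)
    return row


def verify_chain(chain_json: str, expected_head_hash: Optional[str] = None) -> dict:
    """Verifier side: recompute each row's hash and compare with the next row's prev_hash.

    expected_head_hash is an externally stored hash of the last row; without it a
    chain that was cut short (trailing rows dropped) still verifies as valid.
    """
    rows = json.loads(chain_json)
    result: dict[str, Any] = {
        "chain_valid": True, "rows_checked": 0, "first_bad_seq": None,
        "head_hash": None, "reason": None,
    }
    prev_hash = GENESIS_PREV_HASH
    for index, row in enumerate(rows):
        seq = row.get("seq")
        if seq != index + 1:
            result.update(chain_valid=False, first_bad_seq=seq, reason="sequence_gap")
            return result
        if row.get("prev_hash") != prev_hash:
            # The prior row was altered (or this row's link was), so the chain breaks here.
            result.update(chain_valid=False, first_bad_seq=seq, reason="prev_hash_mismatch")
            return result
        prev_hash = row_hash(row)
        result["rows_checked"] += 1
    result["head_hash"] = prev_hash if rows else None
    if expected_head_hash is not None and prev_hash != expected_head_hash:
        result.update(chain_valid=False, reason="head_hash_mismatch")
    return result


def demo() -> dict:
    """Constructed sample contract lifecycle; values are made up for the demo."""
    chain: list = []
    append_event(chain, "ctr_0001", "created", {"brand": "ExampleBrand", "fee_aud": 1500})
    append_event(chain, "ctr_0001", "signed_by_brand", {"signer": "brand@example.com"})
    append_event(chain, "ctr_0001", "signed_by_creator", {"signer": "creator@example.com"})
    chain_json = json.dumps(chain)
    intact = verify_chain(chain_json)

    # Edit the fee in row 1 after the fact: row 2's stored prev_hash no longer matches.
    tampered = json.loads(chain_json)
    tampered[0]["payload"]["fee_aud"] = 150
    after_tamper = verify_chain(json.dumps(tampered))

    # Drop the last row: undetectable by the chain alone, caught by the anchored head hash.
    truncated = json.loads(chain_json)[:-1]
    truncated_unanchored = verify_chain(json.dumps(truncated))
    truncated_anchored = verify_chain(json.dumps(truncated), expected_head_hash=intact["head_hash"])

    return {
        "intact": intact,
        "after_tamper": after_tamper,
        "truncated_unanchored": truncated_unanchored,
        "truncated_anchored": truncated_anchored,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome["chain_valid"], outcome["reason"])
```

The design point a reviewer should check: an append-only trigger plus prev_hash links catches edits and deletions in the middle of the table, but not the removal of the newest rows, because nothing after them references them. Recording the current head hash somewhere the database owner cannot quietly rewrite (the Certificate of Completion, an emailed receipt, a timestamped third-party log) is what turns `chain_valid: true` into evidence that the export is complete.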
ETA-1999, ESIGN, eIDAS-SES — all three.
Clickwrap signing designed to satisfy the AU Electronic Transactions Act 1999, the US ESIGN Act, and the EU eIDAS Simple Electronic Signature level. A Certificate of Completion is attached to every signed PDF, and the ABN of PROOF Pty Ltd appears on every page.
- Mutual brand + creator signatures
- PDF + certificate by email
- Independent verifier endpoint
AUSTRAC, ACCC, OAIC, ATO — all covered.
US-first incumbents miss every AU-specific risk: AUSTRAC transit-money rules on escrow, ACCC accessory-liability on undisclosed #ad, OAIC privacy-tort under the new $50M cap, ATO bi-annual SERR. PROOF was built for these from day one.
- Pre-funded escrow with 7-day creator hold
- Caption scanner rejects undisclosed #ad
- SERR XML reporter; Stripe automatic_tax
Every AU regulator we're built for.
Each row is a real exposure US-first incumbents (Aspire, GRIN, Influee, Statusphere) don't cover — with the exact PROOF behaviour that shields the brand from it.
| AU exposure | PROOF behaviour |
| --- | --- |
| Transit-money rules on pre-funded escrow | 7-day creator-payout hold; AML/CTF review underway |
| Accessory liability on undisclosed #ad under ACCC / AANA rules | Auto-prepend #ad clause; caption scanner auto-rejects undisclosed posts |
| Privacy Act + new A$50M statutory privacy tort (live 10 Jun 2025) | Phyllo OAuth deferred until brand shortlist; 90-day deletion job for unmatched creators |
| SERR bi-annual reporting; AU GST, EU/UK VAT, US sales tax on subscription | Stripe automatic_tax wired; SERR XML reporter on schedule |
| Industry-code disclosure obligations on sponsored content | Brand-side compliance dashboard surfaces AANA Code references on every brief |
| Employee-like worker chapter: risk of misclassification of creators | Signed contract = independent-contractor evidence; binding terms shipped at acceptance |
AU controller. AU jurisdiction. Honest about the rest.
- Data controller: PROOF Pty Ltd, ABN 39 696 947 118, registered in NSW. Australian Privacy Act 1988 (APP) applies to every record.
- Hosting: Railway, with Stripe Connect handling all payment-card flows (PCI scope on Stripe's side, not ours). Phyllo + Influencers.club process creator metric data under our DPA.
- Encryption: TLS 1.3 in transit. AES-256 at rest on the database. Brand secrets (OAuth tokens, webhook keys) AES-GCM encrypted with rotating keys.
- Sub-processors: Stripe, Phyllo, Influencers.club, Anthropic, OpenAI, Resend, Railway. Full list with regions on request.
The things we're building toward — not pretending to have.
Most competitors handwave their security posture. We'd rather list what isn't shipped than overpromise.
- SOC 2 Type II: not in scope until 12 months of trail data. Roadmap H2 2026.
- ISO 27001: deferred. Considered alongside SOC 2.
- AU-region hosting: Railway currently runs Europe-region; AU-region migration is an Enterprise-tier commitment once the first paying customer signs.
- BAA / HIPAA: not applicable — we don't process health data.
- SAML SSO: deferred to Enterprise tier; pilot brands use email + password + TOTP MFA today.