Security
Security & privacy
Last updated 22 June 2026
Sparks Flow holds sensitive information about people receiving support and the workers who care for them. Protecting it is part of how the product is built, not something bolted on afterwards. This page explains, in plain language, where your data lives, how it is protected, and what we have and have not done.
Where your data lives
Sparks Flow runs on managed, professionally operated infrastructure, not a server we patch by hand. The application is hosted on Vercel. Your records sit in a managed PostgreSQL database on Supabase, in their Sydney region, which means participant and worker information is stored in Australia.
Connections to the platform are encrypted in transit, and your data is encrypted at rest by these providers. Because the infrastructure is managed, the routine work of patching and hardening the underlying servers is handled by specialists rather than left to chance. Some functions, such as sending SMS and processing payments, rely on specialist providers that operate from overseas. Our Privacy Policy lists them and explains how that is handled.
How access is controlled
No single setting keeps your data safe on its own. Access is protected in layers, so that if one were to fail, others still stand:
- Each account is separated at the database level. Row level security means your account can only ever read or change its own records, enforced by the database itself rather than by application code alone.
- Sensitive actions are authorised on the server, inside our edge functions, rather than trusted to the browser.
- Components and database roles are given only the access they need, and no more.
- API keys and credentials live in the hosting platform’s protected environment, never in the code or the browser.
- Administrative access is restricted and kept separate from the everyday app.
Payments
Subscription payments are handled by Stripe, a PCI DSS Level 1 payment provider. Your full card details are entered with Stripe and never pass through or get stored on our systems. We hold enough to manage your subscription, not your card number.
Worker access
Support workers do not have logins. They receive shift requests and submit their end of shift notes through secure, tokenised links sent by SMS. You can refresh a worker’s links at any time, which immediately retires the old ones. If a phone is lost or a worker moves on, their access can be cut without affecting anyone else’s.
Your data is yours
You can export your information at any time from your account settings, as standard spreadsheet files. If you close your account, your data stays available to you for 30 days in case you change your mind, and is then deleted or de-identified. We do not sell your data, and we do not use participant records to train AI.
How AI fits in
Some features use AI to draft job ads, summarise applications, and read details from an uploaded NDIS plan. These are suggestions you review and confirm. The content sent for processing is used to return a result to you, not to train AI models. Our AI Use Statement covers this in full.
Built and reviewed properly
Flow was engineered from the ground up by a professional development team, and built alongside its sister product, Sparks Scribe, with real investment behind both. This is a serious, funded product, not a weekend build.
We have carried out a structured security review of the platform, covering authentication, data access, the handling of personal and health information, and our software dependencies. Security is not a one off, so we revisit it as the product grows.
What we have not done yet
We would rather be straight with you than imply more than is true. Sparks Flow is an Australian product still early in its life. We have not yet pursued formal certifications such as SOC 2 or ISO 27001. Those are usually driven by the requirements of large enterprise buyers, and they certify a process rather than guarantee safety. We build to the controls those frameworks assess, and we will seek certification when our customers’ needs call for it.
No system can be promised as completely secure. What we can tell you is that ours stays under active review, and that we will be honest with you about where we stand.
Found a problem?
If you believe you have found a security issue, please email hello@sparksflow.app. We look into genuine reports promptly and will work with you to confirm and fix anything real. We ask only that you give us a reasonable chance to respond before sharing it publicly.
Questions
For anything else about how we protect your information, contact us at hello@sparksflow.app. Our Privacy Policy sets out the formal detail of how we collect, use and store personal information.
