AI Data Security
Quickli Pty Ltd
Your clients' data stays yours. Here's how we make sure of it.
Quickli's AI features are built on a simple principle: we process your data to get the job done, then we don't keep it. No training on your data. No retention by AI providers. No exceptions. This page explains exactly how each feature works so you can evaluate us with confidence.
Who is this page for?
Aggregators
Understand the risk profile of AI tools across your broker network.
Lenders
Confirm your policies and borrower data never enter AI training pipelines.
IT & Security Consultants
Get the technical detail you need for due diligence and risk assessments.
Security-Conscious Brokers
Know exactly what happens to your clients' data when you use AI features.
Security Response
3 business days
Security
Trust Inquiries
5 business days
Security due diligence
Four deliberate design decisions, not afterthoughts.
Your data never trains AI models
Lender policies are proprietary. Borrower details are sensitive. Neither should ever end up improving a third-party model.
Training and retention are disabled across all production AI providers. Providers process requests statelessly and do not store documents.
Encrypted at every step
Data moves between your browser, our servers, and AI providers. Every hop is protected.
TLS for data in transit; encryption at rest provided by our cloud and database providers. Data sent to AI providers is also encrypted in transit and at rest.
We send the minimum, never the maximum
If a feature only needs a document type, we don't send the full document content along with it.
Only the information needed to complete the requested task is sent to AI providers. Each feature is designed to send the minimum data required.
Zero data retention across all AI providers
Once the AI provider returns a result, your data is gone. No copies, no logs, no lingering storage on their side.
All production AI providers are configured for zero data retention (ZDR). Providers process requests statelessly and do not store documents.
Feature-by-Feature Security Breakdown
Each AI feature has its own data handling profile. The plain-language summary is for everyone. The technical detail underneath is for your IT and security teams.
Jiffi AI
A custom AI credit assistant that answers questions across lender policies and products. Brokers ask natural language questions about lending criteria and receive accurate, lender-sourced answers in seconds.
What this means in practice
Jiffi AI works with Quickli-curated lender policy data, not your clients' personal information. It does not accept document uploads. Quickli does not automatically send borrower names, loan amounts, or financial details to AI providers — however, if a broker includes personal information in their query text, that text is sent as part of the request. The AI provider processes each query statelessly and retains nothing.
Technical detail
Data Accessed
Lender policy documents (Quickli-curated, not customer data). The broker's natural language query text.
Data Flow
Broker types a question in the Quickli UI. The query is sent to the Quickli backend. The backend constructs a prompt using pre-indexed lender policy data. The prompt and query are sent to an enterprise AI provider API. The response is returned to the broker.
What's Stored
Chat history is stored within the broker's Quickli account. Curated lender policy index maintained by Quickli.
What's NOT Stored
Jiffi AI does not accept document uploads. No borrower documents or files are sent to AI providers. AI providers do not retain any request data (zero data retention). A limited internal team (credit analysts and senior engineers) may review interactions for quality assurance to ensure responses meet professional standards in a credit environment.
Encryption
TLS for data in transit. Encryption at rest through cloud and database providers.
Third-Party Services
Enterprise AI provider APIs (zero data retention configured, no training on Quickli data). Specific providers are not disclosed.
Document Renamer
AI-powered document detection and renaming. Processes documents in minutes, automatically identifying document types like pay slips, bank statements, and tax returns, then renaming them to match your workflow conventions.
What this means in practice
Documents are stored temporarily in the Sydney region and automatically deleted within 24 hours. The AI provider classifies the document type but does not keep any copy. Extracted text is not stored in our database. The only people with access to these files are a shortlist of engineering staff explicitly approved by our security committee.
Technical detail
Data Accessed
Uploaded document files. Document metadata (filename, file type, size).
Data Flow
Broker uploads documents to Quickli. Documents are stored temporarily in secure object storage in the Sydney region. Document content is sent to an AI provider API for classification and type detection. The detected document type is returned. Quickli renames the file accordingly. Files automatically expire within 24 hours.
What's Stored
Documents are stored temporarily in secure object storage in the Sydney region. Files automatically expire within 24 hours. Extracted text is not retained in the database.
What's NOT Stored
AI providers do not store documents after processing (zero data retention). Document Renamer files are not backed up. No permanent copy of documents is held by any AI provider. Access during the retention window is restricted to a shortlist of engineering staff explicitly approved by our security committee.
Encryption
TLS for data in transit (including to AI providers). Encryption at rest through cloud storage providers.
Third-Party Services
Enterprise AI provider APIs (zero data retention configured). Specific providers are not disclosed.
Doc Extractor
AI-powered document extraction that reads uploaded documents and pre-fills scenario data fields. Reduces manual data entry by automatically extracting key financial information from documents.
What this means in practice
Doc Extractor will follow the same zero-data-retention approach as our other AI features. The AI provider will process documents for extraction only and retain nothing. Brokers will always review and confirm extracted data before it's used. Full security specifications will be published before launch.
Technical detail
Data Accessed
Uploaded financial documents (pay slips, bank statements, tax returns). Existing scenario fields to determine what data to extract.
Data Flow
Broker uploads documents. Quickli sends document content to an AI provider API for extraction. Extracted data fields are returned and mapped to scenario inputs. Broker reviews and confirms pre-filled data before proceeding.
What's Stored
Extracted data fields within the broker's Quickli workspace. Security details for document storage will be confirmed closer to launch.
What's NOT Stored
AI providers will not retain document content after processing (zero data retention). Full security specifications will be published prior to launch.
Encryption
TLS for data in transit. Encryption at rest through cloud and database providers.
Third-Party Services
Enterprise AI provider APIs (zero data retention configured). Specific providers are not disclosed.
Six commitments that apply across every AI feature.
Purpose Limitation
We only use data for the task you asked for. Nothing else.
Data is only processed for the specific function the broker has invoked. Only the information needed to complete the requested task is sent to AI providers.
Data Minimisation
If a feature doesn't need it, we don't send it.
Each feature sends only the minimum data required to complete the task. We do not send unnecessary context or unrelated data to AI providers.
No Model Training
Your data never improves someone else's AI.
Training and retention are disabled across all production AI providers. No customer data is used to train, improve, or fine-tune any third-party AI models.
Retention Controls
AI providers keep nothing. Temporary files auto-delete.
AI providers process requests statelessly and do not store documents. For features like Document Renamer, files automatically expire within 24 hours.
Access Controls
Only the people who need access have it, and we review regularly.
Role-based access controls and least-privilege principles are applied, with access restricted to authorised personnel. For Jiffi AI, only a limited team (credit analysts, senior engineers) may review interactions for quality assurance.
Zero Data Retention
AI providers process your request and then discard it. Nothing is kept on their end.
All production AI providers are configured for zero data retention (ZDR). Providers process requests statelessly and do not store documents. Application logs do not contain sensitive customer data.
Infrastructure and hosting details for IT teams and security assessments.
Hosting
Cloud-hosted on Vercel and MongoDB Atlas (with supporting third-party services). AI features use multiple enterprise API providers configured for zero data retention.
Data Residency
Australia (primary): core hosting, database services, and temporary document storage (Document Renamer) are hosted in the Sydney region. Some processing may occur outside Australia for certain third-party services, including AI API endpoints.
Encryption
TLS for data in transit; encryption at rest provided by our cloud and database providers. Data sent to AI providers is encrypted in transit and at rest.
Retention
Operational logs and support records have defined retention periods. AI providers are configured for zero data retention. Document Renamer files automatically expire within 24 hours. Application logs do not contain sensitive customer data.
Backups
Automated backups are maintained for critical data stores; restore procedures are documented. Document Renamer files are not backed up.
Penetration Testing
Independent penetration testing is conducted. Executive summary available on request.
We don't just say we're secure. We prove it with independent certifications and audits.
ISO/IEC 27001:2022
Scope: ISMS (Information Security Management System)
Year: 2026
An independent auditor has verified that Quickli operates a formal information security management system covering how we develop, deploy, and run AI features.
SOC 2 Type I
Scope: Security
Year: 2024
An independent assessment confirmed our security controls are properly designed, including those governing AI data processing and third-party API integrations.
SOC 2 Type II
Scope: Security
Year: 2026
This extended audit is currently validating the ongoing operational effectiveness of our security controls over time. Report will be available on request upon completion.
Independent Penetration Testing
Scope: Application & Infrastructure
Year: 2025
An independent third-party firm conducts penetration testing against Quickli's application and infrastructure. Executive summary available on request.
AI Provider Governance
Quickli uses multiple enterprise AI providers via API. All production AI usage is configured for zero data retention (ZDR). Training and retention are disabled across all providers. Specific model allocations are not disclosed as they form part of Quickli's intellectual property. Vendor and subprocessor risk is actively managed as part of our ISMS.
The questions we hear most from aggregators, lenders, and security teams during evaluations.
Do you use AI in Quickli?
Yes. Some Quickli features use AI via multiple enterprise API providers. All production AI usage is configured for zero data retention (ZDR). Providers process requests statelessly and do not store documents. Only the information needed to complete the requested task is sent to AI providers.
Is customer data used to train AI models or stored for AI logging?
No. Training and retention are disabled across all production AI providers. Customer inputs are not used to train models, and all providers are configured for zero data retention. Application logs do not contain sensitive customer data.
Which AI models or providers does Quickli use?
We use multiple enterprise AI providers via API. Specific model allocations are not disclosed as they form part of our intellectual property. All providers are configured with zero data retention and training disabled in production.
How does the Jiffi AI chat feature handle data?
Jiffi AI does not accept document uploads. Chat history is stored within your Quickli account. A limited internal team (credit analysts and senior engineers) may review interactions for quality assurance to ensure responses meet professional standards in a credit environment.
How does the Document Renamer handle uploaded files?
Documents are stored temporarily in secure object storage in the Sydney region. Files automatically expire within 24 hours, are not backed up, and extracted text is not stored in the database. Access during the retention window is restricted to a shortlist of engineering staff explicitly approved by our security committee.
Are AI API endpoints hosted in Australia?
Some AI API endpoints are hosted offshore. Customer data sent to AI providers is encrypted in transit and at rest, and all providers are configured for zero data retention.
Do you have recognized security certifications?
Yes. We are ISO/IEC 27001:2022 certified, completed SOC 2 Type I in November 2024, and SOC 2 Type II is underway.
Do you encrypt data?
Yes. We use TLS for data in transit and encryption at rest through our cloud and database providers. Data sent to AI providers is also encrypted in transit and at rest.
How do you control access to production systems and data?
We apply role-based access controls and least-privilege principles, with access restricted to authorized personnel.
How do you handle security incidents?
We follow an incident response process for triage, containment, remediation, and customer communication as appropriate.
How do we request security documentation?
Email our trust contact and we will share available documents under appropriate terms (for example NDA) where required.
Who can request security documentation?
Security documentation is available on request for larger customers (typically organisations spending around AUD 15,000 per year with Quickli). If you're evaluating Quickli and expect to be in that range, please request access and include your expected annual spend and timeline. Otherwise, contact us and we'll share an appropriate security overview.
Do you support customer security questionnaires?
Yes. Send your questionnaire to our trust contact and we will respond within the stated SLA.
If you're running a security assessment, completing a vendor review, or just want to talk through how a specific feature handles data, reach out. We respond within 3 business days and can support security questionnaires, DPA signing, and documentation requests.