
Security. How we keep money safe.

How we secure your account, your balance, and your data. Real engineering, not buzzwords.

Three layers, three different threats.

Money safety is really three problems. Account security (someone steals your phone or password), fund safety (the company holding your money fails), and data security (someone breaches the company's database). We treat each separately.

1. Account security.

  • Phone number + biometric. Login is bound to your phone number. Every transaction over $100 requires Face ID/Touch ID. Larger transactions require a second factor.
  • Device binding. Your account is bound to a specific device. Adding a new device requires re-verification (SMS + selfie liveness check).
  • Slide-to-send. No tap-and-pay for transfers. Every send requires deliberate physical action.
  • 5-second undo. Every send is reversible for 5 seconds, even after biometric confirmation.
  • Real-time fraud monitoring. Anomalous patterns (new device + large transfer + new recipient) get an instant freeze + human review.

2. Fund safety.

  • You hold AUDD, not a deposit on our books. If Sorted disappears tomorrow, your AUDD remains redeemable through Novatti directly.
  • 1:1 reserves at tier-1 banks. Every AUDD in circulation is backed by one Australian dollar held in an Australian ADI deposit account.
  • Monthly auditor-attested reserves. Novatti publishes attestations from a registered auditor.
  • No lending against deposits. Reserves can't be lent out, leveraged, or rehypothecated. They sit and earn deposit rates.

3. Data security.

  • Australian data centres. All data lives in AWS ap-southeast-2 (Sydney). No offshore replication.
  • Encryption everywhere. TLS 1.3 in transit, AES-256 at rest. Database backups encrypted with a customer-managed key.
  • No raw IDs stored. KYC documents are verified by Frankie and discarded; we keep only a hash of the verification.
  • Penetration tested annually. Independent security firm, results shared with our AFSL holder.
  • Bug bounty. Coming soon. In the meantime, email security@sortedaud.app with disclosures.

What you can do.

  • Use Face ID or Touch ID. It is on by default; please don't turn it off.
  • Set a unique 6-digit PIN. Not your birthday. Not 1-2-3-4-5-6.
  • Don't share verification codes. Sorted will never ask for your code over phone or email.
  • Watch for impersonation. We'll only ever email from @sortedaud.app. Anything else is a scam.

Found a vulnerability?

Email security@sortedaud.app. We respond within 24 hours and credit responsible disclosures.