Security Overview
Venue Axis is a compliance platform built for Australian registered clubs handling sensitive patron and regulatory data. Security is a foundational requirement, not an afterthought. This page summarises the technical and organisational measures Venue Axis uses to protect your data.
Data hosted in Australia
All Venue Axis data is hosted in Australia via Supabase's ap-southeast-2 (Sydney) region. Your compliance records, patron data, and staff information never leave Australian jurisdiction.
- Database: PostgreSQL hosted in AWS Sydney (ap-southeast-2)
- Authentication: Supabase Auth, hosted in the same Sydney region
- File storage: Supabase Storage, same region
- Application hosting: Vercel Edge Network, with data operations routed to Sydney
Australian data residency supports compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP 8) regarding cross-border disclosure of personal information.
Encryption at rest and in transit
In transit
All data transmitted between your browser and Venue Axis's servers is encrypted using TLS 1.2 or higher. This includes all API calls, authentication flows, and real-time subscriptions. HTTPS is enforced on all endpoints — plaintext HTTP connections are automatically redirected.
At rest
All data stored in Venue Axis's database is encrypted at rest using AES-256 encryption, managed by the underlying cloud infrastructure. This covers all tables including incidents, welfare checks, CDD records, patron information, self-exclusion data, and staff profiles. Database backups are also encrypted.
Multi-tenant isolation
Venue Axis is a multi-tenant platform — multiple clubs share the same infrastructure but their data is strictly isolated. Every database table in Venue Axis uses Row-Level Security (RLS) policies enforced at the database level.
- Every table has a club_id column
- RLS policies use a security-definer function to verify the authenticated user belongs to the requesting club
- Tenant isolation is enforced by PostgreSQL itself — not by application code alone
- A user from Club A cannot read, write, or query data belonging to Club B, even with a valid session
This architecture means that even if an application-level bug were to occur, the database itself enforces the access boundary. RLS is the gold standard for multi-tenant data isolation in PostgreSQL environments.
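The pattern described above, written out as an added illustration (not Venue Axis's own schema): a tenant table carrying club_id, a SECURITY DEFINER membership check, and the RLS policy that calls it. The table and function names (club_members, incidents, is_club_member) are assumed for the example; auth.uid() is Supabase's helper returning the caller's user id.

```sql
-- Added illustration of club-scoped RLS; names below are assumed, not Venue Axis's.

CREATE TABLE club_members (        -- assumed name: maps authenticated users to clubs
  user_id UUID NOT NULL,
  club_id UUID NOT NULL,
  PRIMARY KEY (user_id, club_id)
);

CREATE TABLE incidents (
  id      UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  club_id UUID NOT NULL,           -- every tenant table carries club_id
  details TEXT NOT NULL
);

-- SECURITY DEFINER: runs with the function owner's privileges, so club_members
-- can stay closed to ordinary users. search_path is pinned so a caller cannot
-- shadow the referenced objects; STABLE lets the planner cache the call.
CREATE OR REPLACE FUNCTION is_club_member(target_club UUID)
RETURNS BOOLEAN
LANGUAGE sql
SECURITY DEFINER
STABLE
SET search_path = public
AS $$
  SELECT EXISTS (
    SELECT 1 FROM club_members
    WHERE user_id = auth.uid() AND club_id = target_club
  );
$$;

REVOKE ALL ON club_members FROM PUBLIC;          -- membership only via the function
ALTER TABLE incidents ENABLE ROW LEVEL SECURITY;
ALTER TABLE incidents FORCE ROW LEVEL SECURITY;  -- applies to the table owner too

-- USING filters reads/updates/deletes to the caller's clubs; WITH CHECK stops a
-- member of Club A from inserting or re-tagging a row with Club B's club_id.
CREATE POLICY incidents_tenant_isolation ON incidents
  FOR ALL
  USING (is_club_member(club_id))
  WITH CHECK (is_club_member(club_id));

-- Sanity check after deployment: the table should show rowsecurity = true
-- and at least one policy attached.
SELECT relname, relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'incidents';
SELECT policyname, cmd FROM pg_policies WHERE tablename = 'incidents';
```

Policies do not apply to superusers or roles with BYPASSRLS, so any server-side component that connects with a privileged key sits outside this boundary and must apply club scoping in its own code.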
Role-based access control
Venue Axis implements role-based access control across three portals, each designed for a specific user type:
- Floor portal — for RGO staff on the gaming floor. Mobile-optimised PWA. Access limited to shift-scoped compliance workflows (incidents, welfare checks, KYC/CDD, self-exclusion checks).
- GM portal — for Gaming Managers. Desktop dashboard with full visibility across all compliance data, staff management, document generation, and export.
- CEO portal — for board members and compliance officers. Read-only view with analytics, trend data, approvals, and board pack generation.
Users are assigned a role during onboarding (RGO, Floor, GM, CEO); the role determines which portal they can access and what data they can see. Authentication is handled by Supabase Auth with secure session management.
API security
- Authenticated endpoints: All API routes (except registration and public pages) require a valid Supabase session, verified at the middleware level
- Club scoping: API route handlers verify the caller belongs to the target club before processing requests
- Input validation: Request payloads are validated before processing
- Error sanitisation: Error responses do not expose internal details, stack traces, or database structure
AI data handling
When AI features are enabled, Venue Axis uses Amazon Bedrock in the AWS Sydney region (ap-southeast-2) for all AI processing. Patron data processed by AI stays within Australian jurisdiction.
- AI is used for internal analytics only — trend analysis, pattern detection, monthly review observations
- AI never generates content that is submitted to AUSTRAC, L&GNSW, or any external regulator
- Direct patron identifiers are minimised in AI calls — anonymised descriptions are used where possible
- All AI calls are logged for audit purposes
- Amazon Bedrock is IRAP-assessed at the PROTECTED level — the same standard Australian government agencies use
Our commitment
Venue Axis is built by an Australian developer for Australian venues. We understand that compliance data is sensitive, that regulatory obligations are serious, and that trust is earned through transparency. If you have questions about Venue Axis's security practices, please contact us.
For detailed privacy information, see our Privacy Policy. For data deletion requests, see our Data Deletion page.