Data Processing & Security Overview
Introduction
Keeping broker and consumer data safe and secure is a huge responsibility and a top priority for Sherlok. We work hard to protect our customers (Brokers) and their customers (consumers) from current threats. We store all our own sensitive information using the same practices we apply to the sensitive information of our customers. We don't want our information to be compromised, and this motivates us to keep everything as secure as we can. Our security and privacy goals are aligned with those of brokers and consumers. We engage independent security reviewers and auditors, and use continuous compliance monitoring tools, to further validate our commitment to the security and privacy of the data we store.
Sherlok Data Sources
Accurate customer churn prediction and repricing automation require a diverse set of data points about loans, customers, and properties. We use a variety of first-party and third-party data sources to gather the information our platform needs. Typically, every customer and loan record relies on multiple data sources to build a complete and up-to-date picture.
Key information we collect includes:
• Consumer data such as their names, contact details and their relationship to specific loans (applicants, co-applicants, guarantors)
• Loan data such as loan type, balances, product details, settlement dates, rates, and loan features.
• Property data such as location, estimated property price, and whether a specific property is used as security against a loan.
• Current lender product data - available lender products, their features and qualification criteria.
• Broker details such as their accreditation, contact details, lender panel details.
Customers agree to Sherlok's T&Cs and privacy policy as part of the open banking consent process or manual data collection. When a broker signs up to Sherlok they accept Sherlok's Platform Agreement, which ties together the client's privacy agreement with the broker, allowing the broker to share the client's data for purposes related to the original credit facility. This ensures that privacy is legally linked and protected between client, broker and Sherlok.
Open Banking and Direct Input by Consumers
We collect information such as loan details, account balances and transaction data directly from consumers through a secure open banking ecosystem. Sherlok operates as a Trusted Adviser in the Consumer Data Right (CDR) system. We partner with Adatree, an accredited data recipient. Consumers provide explicit consent to share their data with Sherlok and have control over what is shared with Sherlok, for what purposes and for how long. We provide a consent management dashboard to consumers where they can review their current and historic consents and revoke any active consents if they choose to.
To supplement open banking data sharing we provide an option for consumers to enter their loan details manually, as a fallback to the CDR system.
Sherlok is an active member of the CDR / open banking community. We engage directly with the Australian government (Treasury), ACCC and various industry groups to make sharing data through open banking more accessible, reliable, and transparent. We believe that this is the best way to access sensitive up-to-date consumer data while maintaining privacy, security, and consumer control over who gets access to their data, for what purposes and for how long.
Aggregator CRMs and Third-party CRMs
We have a number of active agreements with aggregators that allow us to access their CRM platforms on behalf of their brokers. Our preferred way of integrating is via a dedicated secure API that allows brokers to import some of the details of their customers and their loans into Sherlok on an as-needed basis. Some brokers use third-party CRM platforms on top of the tools provided by their aggregator. Where it makes sense, we integrate with these platforms or allow for a manual import of data from these third-party tools. Typically, CRM data is a "point in time" snapshot of a customer's details, and we supplement it with up-to-date details through open banking, by collecting data directly from consumers, and by requesting brokers to update key data points manually.
Credit Reporting and Transaction Classification Services
We integrate with credit reporting providers and services that classify fine-grained transaction data. We use these tools to categorise the income and expense data required to assess a consumer's serviceability for their existing and new loans. We do not share these details with third parties without explicit permission from consumers.
Property Valuation and Insights Services
We integrate with several providers to calculate property value estimates and gain access to additional property/location insights and research data. We use this information to accurately assess serviceability and the availability of certain products to consumers, and as input into our predictive churn modelling.
Manual Entry by Broker and Sherlok Staff
The Broker can enter customer, loan, and property details manually, directly into Sherlok. This could be a part of the onboarding process to supplement required details that are missing from open banking, CRM, or manual data import. As part of repricing automation, the broker has additional options to enter lender specific details manually, such as accreditation data. Brokers can request our staff to act on their behalf to collect missing data points required for reprice automation process. We have a dedicated team that specialises in manual data collection and adheres to strict data processing rules.
Feedback from the Repricing Process
As part of processing each repricing request we update loan details with the new rate, outstanding balance and repricing notes received directly from lenders. We notify consumers about any updates to their loan details resulting from proactive repricing by Sherlok.
What Additional Broker Data We Collect and Why
Identity and Access
For registered users (Brokers), we ask for identifying information such as your name, email address, and sometimes company name, so that we can personalise your experience and send you essential transactional communications and product updates. With your consent, we might also send you our product updates, newsletter, and other updates. We give you the option to upload your photo and logo to further customise your account and how your customers will see the communications sent to them via Sherlok.
Billing Information
If you sign up for a paid version of Sherlok, you will be asked to provide your payment information and billing address. We do not store credit card details; this information is submitted directly to our payment processor.
API Keys and Lender Portal Credentials
Brokers can store their CRM API keys and lender portal credentials in Sherlok to automate certain repricing steps. The way we store broker credentials is comparable to that used by common password managers such as 1Password, Dashlane or LastPass. Sherlok's system does not permit any access to a lender portal, or any reprice submission, other than through the broker's own account. Within our system, the credentials can only be used by that individual broker to initiate our repricing services and by no other person, keeping them secure and confidential. Our platform agreement does not permit login credentials to be shared. We can provide a copy of our Broker Credentials Management Guidelines on request.
Website Interactions
We collect information about your browsing activity for analytics and statistical purposes, such as conversion rate testing and experimenting with new product designs. This includes, for example, your browser and operating system versions, which Sherlok web pages you visited and how long they took to load, and which website referred you to us.
Voluntary Correspondence
When you email Sherlok with a question, request or ask for help, we keep that correspondence, including your email address, so that we have a history of past interactions to reference if you reach out in the future.
Access Control and Organisational Security
Our employees and contractors have confidentiality clauses in their contracts. They are required to sign them before getting access to any sensitive data. We perform employee background checks as part of the job application process. Everybody at Sherlok is trained and made aware of security concerns and best practices for their roles. Remote access to our systems is controlled via network security and two-factor authentication, and limited to workers who need access for their day-to-day work. We log all access to all accounts.
We have had security reviews and penetration tests of our platform performed by third-party security specialists.
We have dedicated staff in charge of access/identity management, network connectivity, firewalls, and audit management. Our systems run on a dedicated network secured with firewalls and carefully monitored.
Sherlok has been independently assessed and certified for ISO 27001:2022. We have continuous automated auditing in place to monitor our ongoing compliance status. Sherlok itself has not completed a SOC audit. We can provide copies of the SOC reports for the data centres and cloud providers we use after completion of an NDA.
Data Security and Protection
We use Amazon AWS data centres in Sydney as our primary hosting provider. All sensitive data is written to multiple storage copies instantly, backed up daily and stored in multiple locations. Infrastructure that runs our data storage is updated regularly with the latest security patches.
We offer encryption in transit and at rest for all data stored in, and transmitted in and out of, the Sherlok platform. Over public networks we send data using strong SSL/TLS encryption. Databases are encrypted using the industry-standard AES-256 algorithm. All uploaded unstructured storage objects are encrypted using 256-bit Advanced Encryption Standard in Galois/Counter Mode (AES-GCM). Authentication credentials are hashed using the one-way bcrypt algorithm with built-in salting.
We practise regular recovery drills in which we test multiple diverse disaster and failure scenarios. We test our backups, and they are stored separately from our production systems for a pre-defined retention period.
Sherlok's Sub-processors
• Amazon Web Services. Cloud services provider.
• Microsoft. Office & productivity software.
• Google Cloud Platform. Cloud services provider.
• Sentry. Error reporting software.
• Stripe Payments. Payment processing gateway.
• Zoho. Customer success software.
• VA Platinum. Virtual assistants & administration.