Introduction
Keeping broker and consumer data safe and secure is a huge responsibility and a top priority for Sherlok. We work hard to protect our customers (brokers) and their customers (consumers) from current threats. We store all of our own sensitive information using the same practices we apply to our customers' sensitive information. We don't want our information to be compromised, and this motivates us to keep everything as secure as we can. Our security and privacy goals are aligned with those of brokers and consumers. We engage independent security reviewers and auditors, and use continuous compliance monitoring tools, to further validate our commitment to the security and privacy of the data we store.
Sherlok Data Sources
Accurate customer churn prediction and repricing automation require a diverse set of data points about loans, customers, and properties. We use a variety of first-party and third-party data sources to gather the information our platform needs. Typically, every customer and loan record relies on multiple data sources to build a complete and up-to-date picture.
Key information we collect includes:
• Consumer data such as names, contact details and their relationship to specific loans (applicants, co-applicants, guarantors).
• Loan data such as loan type, balances, product details, settlement dates, rates, and loan features.
• Property data such as location, estimated property price, and whether a specific property is used as security against a loan.
• Current lender product data: available lender products, their features and qualification criteria.
• Broker details such as accreditation, contact details and lender panel details.
The customer agrees to Sherlok's T&Cs and privacy policy as part of the open banking consent process or manual data collection. When a broker signs up to Sherlok they accept Sherlok's Platform Agreement, which ties together the client's privacy agreement with the broker, allowing the broker to share the client's data for purposes that are related to the original credit facility. This ensures that privacy is legally linked and protected between client, broker and Sherlok.
Open Banking and Direct Input by Consumers
We collect information such as loan details, account balances and transaction data directly from consumers through a secure open banking ecosystem. Sherlok operates as a Trusted Adviser in the Consumer Data Right (CDR) system. We partner with Adatree, an accredited data recipient. Consumers provide explicit consent to share their data with Sherlok and have control over what is being shared with Sherlok, for what purposes and for how long. We provide a consent management dashboard to consumers where they can review their current and historic consents and revoke any active consents if they choose to.
To supplement open banking data sharing we provide an option for
consumers to enter their loan details manually, as a fallback to the
CDR system.
Sherlok is an active member of the CDR / open banking community.
We engage directly with the Australian government (Treasury),
ACCC and various industry groups to make sharing data through
open banking more accessible, reliable, and transparent. We believe
that this is the best way to access sensitive up-to-date consumer
data while maintaining privacy, security, and consumer control over
who gets access to their data, for what purposes and for how long.
Aggregator CRMs and Third-party CRMs
We have a number of active agreements with aggregators that allow us access to their CRM platforms on behalf of their brokers. Our preferred way of integrating is via a dedicated secure API that allows brokers to import some of the details of their customers and their loans into Sherlok on an as-needed basis. Some brokers use third-party CRM platforms on top of the tools provided by their aggregator. Where it makes sense, we integrate with these platforms or allow for a manual import of data from these third-party tools. Typically, CRM data is a "point in time" snapshot of a customer's details, and we supplement it with up-to-date details through open banking, by collecting data directly from consumers, and by requesting that brokers update key data points manually.
Credit Reporting and Transaction Classification Services
We integrate with credit reporting providers and services that classify fine-grained transaction data. We use these tools to categorise the income and expense data required to assess a consumer's serviceability for their existing and new loans. We do not share these details with third parties without explicit permission from consumers.
Property Valuation and Insights Services
We integrate with several providers to calculate property value estimates and to gain access to additional property and location insights and research data. We use this information to accurately assess serviceability and the availability of certain products to consumers, and as inputs into our predictive churn modelling.
Manual Entry by Broker and Sherlok Staff
The broker can enter customer, loan, and property details manually, directly into Sherlok. This could be part of the onboarding process, to supplement required details that are missing from open banking, CRM, or manual data import. As part of repricing automation, the broker has additional options to enter lender-specific details manually, such as accreditation data. Brokers can request that our staff act on their behalf to collect missing data points required for the reprice automation process. We have a dedicated team that specialises in manual data collection and adheres to strict data processing rules.
Feedback from the Repricing Process
As part of processing each repricing request we update loan details with the new rate, outstanding balance and repricing notes received directly from lenders. We notify consumers about any updates to their loan details resulting from proactive repricing by Sherlok.
What Additional Broker Data We Collect and Why
Identity and Access
For registered users (brokers), we ask for identifying information such as your name, email address, and sometimes company name. That's so we can personalise your experience and send you essential transactional communications and product updates. With your consent, we might also send you our newsletter and other updates. We give you the option to upload your photo and logo to further customise your account and how your customers see the communications sent to them via Sherlok.
Billing Information
If you sign up for a paid version of Sherlok,
you will be asked to provide your payment information and billing
address. We do not store credit card details; this information is
submitted directly to our payment processor.
API Keys and Lender Portal Credentials
Brokers can store their CRM API keys and lender portal credentials in Sherlok to automate certain repricing steps. The way we store broker credentials is comparable to the methods used by common password managers such as 1Password, Dashlane or LastPass. Sherlok's system does not permit any access to a lender portal, or any reprice submissions to be made, other than through the broker's own account. Within our system, the credentials can only be used by that individual broker to initiate our repricing services and by no other persons, keeping their credentials secure and confidential. Our platform agreement requires that login credentials are not shared. We can provide a copy of our Broker Credentials Management Guidelines on request.
Website Interactions
We collect information about your browsing
activity for analytics and statistical purposes, such as conversion rate
testing and experimenting with new product designs. This includes,
for example, your browser and operating system versions, which
Sherlok web pages you visited and how long they took to load, and
which website referred you to us.
Voluntary Correspondence
When you email Sherlok with a
question, request or ask for help, we keep that correspondence,
including your email address, so that we have a history of past
interactions to reference if you reach out in the future.
Access Control and Organisational Security
Our employees and contractors have confidentiality clauses in their
contracts. They are required to sign them before getting access to
any sensitive data. We perform employee background checks as
part of the job application process. Everybody at Sherlok is trained
and made aware of security concerns and best practices for their
roles. Remote access to our systems is controlled via network
security and two-factor authentication, and limited to workers who
need access for their day-to-day work. We log all access to all
accounts.
Our platform has gone through security reviews and penetration testing performed by third-party security specialists.
We have dedicated staff in charge of access/identity management,
network connectivity, firewalls, and audit management. Our systems
run on a dedicated network secured with firewalls and carefully
monitored.
Sherlok has been independently assessed and certified for ISO 27001:2022. We have continuous automated auditing in place to monitor our ongoing compliance status. Sherlok itself has not completed a SOC audit. We can provide a copy of the SOC reports for the data centres and cloud providers we use once an NDA is in place.
Data Security and Protection
We use Amazon AWS data centres in Sydney as our primary hosting
provider. All sensitive data is written to multiple storage copies
instantly, backed up daily and stored in multiple locations.
Infrastructure that runs our data storage is updated regularly with
the latest security patches.
We offer encryption in transit and at rest for all data that is stored in, and transmitted in and out of, the Sherlok platform. Over public networks we send data using strong SSL/TLS encryption. Databases are encrypted using the industry-standard AES-256 algorithm. All uploaded unstructured storage objects are encrypted using 256-bit AES in Galois/Counter Mode (AES-GCM). Authentication credentials are hashed using the one-way bcrypt algorithm, which includes built-in salting.
We practise regular recovery drills in which we test multiple diverse disaster and failure scenarios. We test our backups, and they are stored separately from our production systems for a pre-defined retention period.
Sherlok's Sub-processors
• Amazon Web Services. Cloud services provider.
• Microsoft. Office & productivity software.
• Google Cloud Platform. Cloud services provider.
• Sentry. Error reporting software.
• Stripe Payments. Payment processing gateway.
• Zoho. Customer success software.
• VA Platinum. Virtual assistants & administration.