Compliance

Compliance Overview

Last updated: February 16, 2026

OpenAgent Core is built on regulated Open Banking infrastructure. This page explains how ThinkFoundry.ai Pty Ltd meets its obligations under Australian law, what our sub-processors certify, and what your obligations are as a developer building on our platform.

At a glance:

  • CDR: consumer data is accessed via Basiq.io's accreditation; we hold no CDR accreditation of our own
  • Privacy Act 1988: Australian Privacy Principles and the Notifiable Data Breaches scheme
  • SOC 2 Type II: Supabase and Vercel
  • PCI DSS Level 1: payments via Stripe

1. Our Compliance Posture

ThinkFoundry.ai Pty Ltd operates at the intersection of AI and consumer financial data — one of the most regulated domains in Australia. We design our platform to be compliant by default, embedding regulatory requirements into the architecture rather than treating them as an afterthought.

Our compliance programme covers four layers:

Regulatory

Privacy Act 1988 (Cth) and the Australian Privacy Principles; the Consumer Data Right regime in Part IVD of the Competition and Consumer Act 2010 (Cth) and the CDR Rules made under it

Financial Services

CDR Banking sector rules, Open Banking consent and data standards, ACCC/OAIC oversight

Security Standards

OWASP Top 10, ASD Essential Eight, ISO 27001 (via sub-processors), SOC 2 Type II

Payment Processing

PCI DSS Level 1 (via Stripe), Stripe Radar fraud controls, no raw card data storage

Compliance questions? Contact our compliance team at compliance@thinkfoundry.ai.

2. Consumer Data Right (CDR)

The Consumer Data Right (CDR) is Australia's most significant data portability reform. It was enacted as Part IVD of the Competition and Consumer Act 2010 (Cth) by the Treasury Laws Amendment (Consumer Data Right) Act 2019 and is administered jointly by the ACCC and the OAIC. In the banking sector (Open Banking), CDR gives consumers the right to share their financial data securely with accredited third parties.

2.1 Our Position in the CDR Ecosystem

OpenAgent Core is an infrastructure provider that sits on top of Basiq.io's CDR-accredited data platform. This means:

Basiq.io (Illion Australia Pty Ltd)

Accredited Data Recipient (ADR)

Holds CDR accreditation. Manages consent flows, data holder connections, and CDR rule compliance at the data layer.

ThinkFoundry.ai Pty Ltd

Infrastructure Provider

Provides the MCP server, multi-tenant isolation, API key management, and developer tooling on top of Basiq.io. Bound by Basiq.io's CDR obligations and these compliance commitments.

You (the Developer)

Third-Party Application Builder

Build applications that use Financial Data via our platform. Responsible for your own CDR data handling obligations, consent disclosures, and End User privacy notices.

End Users

CDR Consumers

Individuals who grant consent for their banking data to be shared with your application via the CDR framework.

2.2 CDR Data Handling Principles

When Financial Data flows through our platform, we apply the following CDR-aligned controls:

  • Purpose limitation: Financial Data is used solely to fulfil the authorised API request. It is not retained, aggregated, or used for secondary purposes without explicit consent.
  • Minimisation: Only the data fields necessary for the requested MCP tool operation are retrieved and processed.
  • Consent integrity: All data access is gated by a valid, in-scope consent obtained through Basiq.io's consent management system.
  • Deletion on request: Consumer data deletion requests are passed through to Basiq.io and actioned within the timeframes required by CDR rules.
  • No onward disclosure: We do not disclose CDR data to any party other than the requesting tenant for the purpose of the authorised request.

2.3 Data Standards

Our integration with Basiq.io conforms to the Consumer Data Standards published by the Data Standards Body (DSB), including the Banking sector API specifications for accounts, transactions, and balance data.

3. Privacy Act 1988 & Australian Privacy Principles

ThinkFoundry.ai Pty Ltd is bound by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) that govern the collection, use, disclosure, and storage of personal information about individuals.

3.1 How We Meet Each APP

APP | Principle | Our approach
1 | Open and transparent management of personal information | Privacy Policy published and linked from all pages
2 | Anonymity and pseudonymity | Sandbox tier supports pseudonymous access; an account email is required for production
3 | Collection of solicited personal information | We collect only the minimum data necessary for account and billing
4 | Dealing with unsolicited personal information | Unsolicited data is destroyed or de-identified promptly
5 | Notification of the collection of personal information | The Privacy Policy discloses what is collected and why, at registration
6 | Use or disclosure of personal information | Data is used only for the stated purpose; no on-selling
7 | Direct marketing | Marketing requires opt-in; unsubscribe requests honoured within 5 business days
8 | Cross-border disclosure of personal information | Contractual protections in place with Supabase (US) and Vercel (US)
9 | Adoption, use or disclosure of government related identifiers | No government identifiers collected or used
10 | Quality of personal information | Account holders can update their information via the dashboard at any time
11 | Security of personal information | AES-256-GCM, PBKDF2, RLS, TLS 1.2+; see the Security Policy
12 | Access to personal information | Access requests answered within 30 days via compliance@thinkfoundry.ai
13 | Correction of personal information | Correction requests answered within 30 days

3.2 Notifiable Data Breaches (NDB) Scheme

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. An eligible data breach is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned. In the event of a suspected breach:

  • We will complete our assessment of whether the breach is eligible within 30 days of becoming aware of it, as the Act requires.
  • The Act requires notification as soon as practicable once a breach is assessed as eligible; we commit to notifying the OAIC and affected individuals within 72 hours of that determination.
  • Notification will include our identity and contact details, a description of the breach, the kinds of information involved, and the steps we recommend individuals take.

4. Financial Services Compliance

4.1 Anti-Money Laundering (AML/CTF)

OpenAgent Core is a software infrastructure provider, not a financial institution, payment processor, or remittance dealer. We do not hold, transfer, or process money on behalf of customers or their End Users. Accordingly, we are not a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act).

However, if you use our platform to build an application that constitutes a designated service under the AML/CTF Act (e.g., a remittance service, digital currency exchange, or credit provider), you are responsible for registering with AUSTRAC and implementing your own AML/CTF programme. We are not a substitute for your own compliance obligations.

4.2 Australian Financial Services Licensing (AFSL)

ThinkFoundry.ai Pty Ltd does not hold an Australian Financial Services Licence (AFSL) and does not provide financial product advice, dealing, or market-making services. Our platform is a developer infrastructure tool; it does not constitute a financial service.

If your application provides financial advice, credit, insurance, or investment services to End Users, you must hold the appropriate AFSL or credit licence, or operate under an authorised representative arrangement.

4.3 AUSTRAC Compliance

We do not engage in financial transactions, currency exchange, or remittance services. We maintain internal controls to ensure we do not inadvertently become a reporting entity. If you have concerns about whether your application triggers AUSTRAC reporting obligations, seek independent legal advice.

5. Third-Party Certifications

We rely on industry-certified sub-processors for core infrastructure components. Their certifications extend to the layers of our platform that run on their infrastructure.

Basiq.io (Illion Australia Pty Ltd)

CDR Accredited Data Recipient
Open Banking Accredited
  • ACCC-accredited CDR Data Recipient under Part IVD of the Competition and Consumer Act 2010 (Cth)
  • Compliant with Consumer Data Standards published by the Data Standards Body
  • Subject to ACCC and OAIC oversight and annual compliance assessments

Supabase Inc.

SOC 2 Type II
ISO 27001
GDPR Compliant
  • SOC 2 Type II certified — Security, Availability, and Confidentiality trust service criteria
  • ISO 27001 certified information security management
  • Data residency options available; GDPR Data Processing Agreement in place

Stripe Inc.

PCI DSS Level 1
SOC 1 Type II
SOC 2 Type II
  • PCI DSS Level 1 Service Provider — the highest level of payment card security certification
  • SOC 1 Type II and SOC 2 Type II certified
  • Stripe Radar provides machine-learning fraud detection on all transactions

Vercel Inc.

SOC 2 Type II
GDPR Compliant
  • SOC 2 Type II certified hosting and edge network
  • GDPR-compliant data processing with DPA available
  • Automatic TLS, DDoS mitigation, and global CDN included

6. Shared Responsibility Model

Compliance for a platform like OpenAgent Core is a shared responsibility. The table below clarifies who is responsible for what.

Area | ThinkFoundry.ai Pty Ltd | You (Developer)
Platform infrastructure security | Yes | No
Multi-tenant data isolation (RLS) | Yes | No
Encryption of platform API keys | Yes | No
Encryption of your Basiq key (at rest) | Yes | No
Platform privacy policy and NDB notifications | Yes | No
Basiq.io CDR accreditation | Via Basiq.io | No
Your application's privacy policy | No | Yes
End-user consent for financial data access | No | Yes
Secure storage of CDR data in your systems | No | Yes
API key security (not exposing keys client-side) | No | Yes
AFSL / credit licence (if applicable) | No | Yes
AUSTRAC registration (if applicable) | No | Yes
Compliance with your own industry regulations | No | Yes

We provide the infrastructure. You are responsible for your application's compliance posture. We strongly recommend consulting a qualified Australian privacy lawyer or compliance specialist before launching a production application that handles consumer financial data.

7. Developer Compliance Obligations

By building on OpenAgent Core, you agree (under our Terms of Service) to comply with the following. These are not optional — they are requirements that flow from the CDR rules and Australian privacy law.

7.1 Privacy and Consent

  • Maintain a publicly accessible, up-to-date privacy policy that discloses to your End Users how their financial data is collected, used, stored, and deleted.
  • Obtain valid, informed consent from End Users before requesting access to their financial data. Consent must be specific, granular, and easily revocable.
  • Only request access to the data fields your application actually needs (data minimisation).
  • Honour End User requests to delete their data promptly.

7.2 CDR Data Use Restrictions

  • Use CDR consumer data only for the purpose disclosed to the End User at the time of consent.
  • Do not on-sell, disclose, or otherwise transfer CDR data to third parties without the End User's explicit consent.
  • Do not use CDR data to make credit decisions, build marketing profiles, or for any purpose unrelated to the stated function of your application.
  • Delete CDR data when consent expires or is revoked, and upon End User request.

7.3 Security Obligations

  • Store API keys and credentials in environment secrets — never in client-side code, browser storage, or public repositories.
  • Encrypt any Financial Data you persist in your own systems using at minimum AES-256.
  • Implement appropriate access controls to ensure only authorised personnel and systems can access Financial Data.
  • Notify us immediately at security@thinkfoundry.ai if you discover or suspect a breach involving data accessed via our platform.

7.4 Prohibited Use Cases

The following use cases are expressly prohibited on our platform:

  • Building applications that facilitate financial crime, fraud, or money laundering.
  • Using Financial Data to discriminate against End Users in lending, insurance, or employment decisions without appropriate legal authority.
  • Aggregating CDR data across consumers to build anonymised datasets for sale to third parties.
  • Accessing financial data without a valid, current End User consent.
  • Impersonating a CDR-accredited data recipient without holding the required ACCC accreditation.

8. Regulatory Authorities

The following Australian regulatory bodies have oversight over areas relevant to our platform and our customers' applications:

Office of the Australian Information Commissioner (OAIC)

Privacy Act 1988 enforcement, NDB scheme, CDR privacy rules

Australian Competition and Consumer Commission (ACCC)

CDR accreditation, CDR rules enforcement, Open Banking register

Australian Securities and Investments Commission (ASIC)

Australian Financial Services Licensing (AFSL), credit licensing, fintech regulatory sandbox

Australian Transaction Reports and Analysis Centre (AUSTRAC)

Anti-money laundering and counter-terrorism financing (AML/CTF) compliance for reporting entities

Australian Prudential Regulation Authority (APRA)

Prudential supervision of banks, insurers, and superannuation funds (applies to Data Holders, not to us)

9. Contact and Compliance Requests

For compliance enquiries, data access requests, or to report a potential breach of our compliance obligations:

Company: ThinkFoundry.ai Pty Ltd

Product: OpenAgent Core

Compliance enquiries: compliance@thinkfoundry.ai

Security incidents: security@thinkfoundry.ai

Privacy requests: privacy@thinkfoundry.ai

OAIC (regulator): www.oaic.gov.au

This page is reviewed at least annually and updated following any significant regulatory change. The previous version is retained in our compliance archive on request.