Security and trust
The product is trust as much as data. Here is exactly where the numbers come from, what we keep about you, and how the API behaves when something upstream breaks.
Data provenance
Every figure is public government data, served unchanged in its native
scale. We do not invent, smooth, or re-base values. There are nine named
sources, each used under its own Creative Commons licence, and the
attribution for each response travels with it in the
meta block of the envelope.
| Source | Agency | Licence |
|---|---|---|
| ABS | Australian Bureau of Statistics | CC-BY 4.0 |
| RBA | Reserve Bank of Australia | CC-BY 4.0 |
| ATO | Australian Taxation Office | CC-BY 3.0 AU |
| APRA | Australian Prudential Regulation Authority | CC-BY 3.0 AU |
| AIHW | Australian Institute of Health and Welfare | CC-BY 3.0 AU |
| ASIC | Australian Securities and Investments Commission | CC-BY 3.0 AU |
| AEMO | Australian Energy Market Operator | CC-BY 4.0 |
| WGEA | Workplace Gender Equality Agency | CC-BY 3.0 AU |
| AU-WEATHER | Weather (Open-Meteo, BOM-aggregated) | CC-BY 4.0 |
Attribution is not a footnote you have to chase. Every response carries
source, source_url, attribution,
licence and retrieved_at in its meta,
so the provenance of any number is one field away. The full list of
datasets per agency lives on the sources pages.
Reporting a vulnerability
If you find a security issue, we want to hear about it before anyone else does. Email security@ausdata.io with enough detail to reproduce the problem. We will acknowledge your report, work with you on a fix, and credit you if you would like the credit.
Our machine-readable policy follows
RFC 9116 and lives at
/.well-known/security.txt.
Please give us a reasonable window to remediate before any public
disclosure, and do not run tests that degrade service for other users or
access data that is not yours.
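The policy file mentioned above follows the RFC 9116 format. As an added illustration (not ausdata.io's own file or tooling), here is a small checker for that format with a constructed sample: the mailto address is the one given on this page, while the Canonical URL and the Expires date are assumptions.

```python
"""Added example: a minimal RFC 9116 security.txt checker.
Not ausdata.io's file or code; the sample below is constructed."""

from datetime import datetime, timezone

# Constructed sample, not the file actually served at /.well-known/security.txt.
# The Contact address is from the page; Expires and Canonical are assumed.
SAMPLE_SECURITY_TXT = """\
# Constructed sample for illustration
Contact: mailto:security@ausdata.io
Expires: 2026-12-31T23:59:00Z
Preferred-Languages: en
Canonical: https://ausdata.io/.well-known/security.txt
"""

# RFC 9116: Contact and Expires are required; Expires and Preferred-Languages
# may appear at most once; field names are case-insensitive; '#' starts a comment.
REQUIRED = {"contact", "expires"}
SINGLETON = {"expires", "preferred-languages"}
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text):
    """Return ({field_name: [values]}, [problems]) for one security.txt body."""
    fields = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    for name in sorted(REQUIRED - fields.keys()):
        problems.append(f"missing required field {name}")
    for name in sorted(SINGLETON):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for value in fields.get("contact", []):
        # Contact values are URIs; a bare e-mail address is not valid here.
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact value is not a mailto:/https:/tel: URI: {value}")
    return fields, problems


def expires_in_future(fields, now_iso=None):
    """True if the single Expires value parses as ISO 8601 and is later than now_iso."""
    values = fields.get("expires", [])
    if len(values) != 1:
        return False
    try:
        expires = datetime.fromisoformat(values[0].replace("Z", "+00:00"))
    except ValueError:
        return False
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return expires > now


if __name__ == "__main__":
    parsed, issues = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("fields:", parsed)
    print("problems:", issues or "none")
    print("still valid:", expires_in_future(parsed))
```

The same function run over a file that lists a bare e-mail address and omits Expires reports both problems, which is the check worth running before publishing a policy file.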
Data handling and privacy
The account model is deliberately small, because the less we hold, the less there is to leak.
- The only personal detail we store is the email address you use to mint a key. That is what POST /v1/register takes, and it is all we keep.
- The free tier takes no card. There is no payment detail on file unless you choose to upgrade to a paid plan, where billing is handled by our payment processor.
- Your API key is a bearer token. Anyone holding it can call the API as you, so treat it like a password: keep it out of public repositories and client-side code, and rotate it if it is ever exposed.
- The data you query is public government data. Your requests are not the product, and we do not sell them.
Keys are bearer tokens, so send them only over HTTPS in the
Authorization: Bearer ... header, never in a URL or query
string where they can land in logs. You can manage and rotate keys from
your account.
Reliability by contract
The most damaging thing a data API can do is hand you a stale number while
pretending it is fresh. We refuse to do that. When a source is reachable
and current, you get the current data. When it is not, you get a clear
503, not a quietly outdated vintage dressed up as live.
That is the contract: current data or an honest error, every time. It
keeps the failure mode loud and obvious instead of silent and wrong, which
is the kind of failure that costs you downstream. Liveness of the API
itself is exposed at the /v1/health endpoint.
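Putting the three rules above together on the client side (key only in an HTTPS Authorization header, provenance read from meta, 503 treated as "no current value" rather than a number): the wrapper below is an added example, not ausdata.io's client code. The base URL, the "data" key and the contents of the sample envelope are constructed; only the meta field names and the 503 behaviour come from this page, and retrieved_at is assumed to be ISO 8601.

```python
"""Added example, not ausdata.io's client code: send the key the way the page
describes, insist on the provenance fields in meta, and surface a 503 instead
of pretending it is data."""

import json
from datetime import datetime
from urllib.parse import urlsplit

# Provenance fields the page says every response carries in its meta block.
REQUIRED_META = ("source", "source_url", "attribution", "licence", "retrieved_at")

# Constructed sample envelope. The "data" key and its contents are assumed;
# the meta field names are from the page, the values are illustrative.
SAMPLE_OK_BODY = json.dumps({
    "data": {"series": "example-series", "value": 3.85, "period": "2024-Q1"},
    "meta": {
        "source": "ABS",
        "source_url": "https://www.abs.gov.au/",
        "attribution": "Australian Bureau of Statistics",
        "licence": "CC-BY 4.0",
        "retrieved_at": "2024-05-01T03:00:00Z",
    },
})


class SourceUnavailable(Exception):
    """Raised on 503: the upstream source is unreachable or not current."""


def build_request(base_url, path, api_key):
    """Return (url, headers) with the key only in the Authorization header."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("bearer keys travel only over HTTPS")
    if api_key in path:
        raise ValueError("the key belongs in the Authorization header, not the URL")
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    return base_url.rstrip("/") + path, headers


def redact_for_log(headers):
    """Copy of the headers that is safe to write to a log: the token is masked."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer ***"
    return safe


def read_envelope(status, body):
    """Apply the page's contract: 503 is an honest 'no data'; 200 must carry provenance."""
    if status == 503:
        raise SourceUnavailable("source not reachable or not current; no value to use")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    envelope = json.loads(body)
    meta = envelope.get("meta") or {}
    missing = [f for f in REQUIRED_META if f not in meta]
    if missing:
        raise ValueError(f"response is missing provenance fields: {missing}")
    # retrieved_at is assumed to be ISO 8601; the page names the field, not its format.
    retrieved_at = datetime.fromisoformat(meta["retrieved_at"].replace("Z", "+00:00"))
    return envelope.get("data"), meta, retrieved_at


if __name__ == "__main__":
    # "https://api.example" is a placeholder base URL, not the real host.
    url, headers = build_request("https://api.example", "/v1/health", "demo-key")
    print(url, redact_for_log(headers))
    data, meta, ts = read_envelope(200, SAMPLE_OK_BODY)
    print(data, "|", meta["attribution"], meta["licence"], ts.isoformat())
    try:
        read_envelope(503, "")
    except SourceUnavailable as exc:
        print("503:", exc)
```

Rejecting a plain-http base URL and any path that contains the key is what keeps the token out of URL-bearing logs; raising on 503 instead of returning a cached value is the client-side half of the "current data or an honest error" contract.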
Want to put this to the test? Get a free key,
read the docs, and inspect the meta block
on your very first response.