Data Management and Security
Last updated: 19 July 2026
1. Purpose and roles
This summary describes how Drum Software Inc. (“Drum”) manages and protects information that customers and their authorised users enter, upload, import, connect or generate through Drum (“Customer Data”). It should be read with our Privacy Policy, Terms of Service and Subprocessors list.
The Customer controls the Customer Data in its Drum account and determines who may access and use it. Drum processes Customer Data to operate, provide, secure, monitor, maintain, support and improve the Services, carry out the Customer’s instructions, and comply with applicable law.
2. Hosting and data location
Drum’s core production application, PostgreSQL databases, Redis caches and file storage are hosted by DigitalOcean in Sydney, Australia. Cloudflare provides network proxying, load balancing, security and performance services in front of the application.
Some features use specialist providers that may process selected information outside Australia. Examples include payment processing, email delivery, support, monitoring, analytics, assisted onboarding and optional AI-assisted features. The current providers and their roles are listed on our Subprocessors page.
3. Access and confidentiality
- Customers control their Users and assign application permissions appropriate to their roles.
- Drum limits internal access to personnel and contractors who need it to operate, secure or support the Services and who are subject to confidentiality obligations.
- As a rule, Drum personnel do not review Customer Data. Access may occur where reasonably necessary to fulfil a support request, maintain or secure the Services, investigate misuse, or comply with law.
- Where available, authorised support access uses account-access tools designed to record the person accessing the account, the Customer involved and the reason for access.
4. Technical and operational safeguards
Drum uses safeguards designed to protect Customer Data from misuse, interference, loss and unauthorised access, modification or disclosure. These include encrypted network connections, account and role-based access controls, protection of connected-service credentials, parameter filtering designed to prevent sensitive values appearing in ordinary application logs, and operational error and performance monitoring.
No online service can guarantee absolute security. Drum reviews suspected security events and will notify affected Customers, individuals or regulators where required by applicable law or contractual obligations.
5. Imports, integrations and AI-assisted features
For assisted onboarding or imports, Drum may upload Customer-provided source data to Google Sheets or use other Google services to review, validate, map, transform and import it into Drum. Drum uses that material for the requested onboarding or import and handles it as Customer Data.
Customers may direct Drum to exchange data with connected Google, Microsoft, Xero, MYOB or QuickBooks services, or with API clients and webhook destinations they control. Customers are responsible for selecting and authorising these recipients.
When a User invokes an optional AI-assisted feature, selected emails, receipts, invoices, spreadsheets, documents or extracted content may be sent to OpenAI to perform the requested extraction or structuring. Users should review generated results before relying on them.
6. Retention, exports and deletion
Drum retains Customer Data while an account remains active and as otherwise reasonably necessary to provide the Services, satisfy legal or accounting obligations, resolve disputes and protect the Services. Operational records used for imports, email processing, webhook delivery and diagnostics may have different retention periods appropriate to their purpose.
Customers should export information they need before requesting account deletion. Cancellation of a subscription does not by itself necessarily delete the account. When an account is deleted, active Customer Data is deleted as part of that process. Where applicable, limited copies may remain temporarily in backup or disaster-recovery systems until they are overwritten or expire through their normal lifecycle, and Drum may retain information required for legal, security or accounting purposes.
7. Customer responsibilities
Customers are responsible for ensuring they have authority to provide Customer Data to Drum, managing User access, keeping credentials secure, configuring integrations and webhook destinations appropriately, reviewing AI-generated results, and maintaining any exports or independent copies they require for their own legal, contractual or business-continuity obligations.
8. Questions and contractual documentation
Customers with security, confidentiality or data-processing questions, or who require a data processing agreement, can contact support@getdrum.com.