EasiraAI

Trust & security

How we handle your data.

AU mid-market procurement asks the same questions in every RFP. This is our standing answer.

Operating principles

Six principles. No exceptions.

These aren’t marketing positions. They’re the binding constraints we design every engagement around.

Your data stays in your tenancy.

We deploy into your existing cloud environment (Azure, AWS, GCP). We don’t move your data into ours. Inference, retrieval and storage all happen within your boundary.

AU-resident inference where required.

Where engagements require AU-only data residency, we configure inference regions accordingly — Azure Australia East, AWS Sydney, GCP australia-southeast1. No prompts or context leave the country.

Audit trails by default.

Every production system we deploy includes a model-decision audit log: inputs, outputs, confidence, model version, decision metadata. Schemas are designed to survive a Privacy Act 2026 disclosure request.

Human-in-the-loop on high-stakes actions.

Decisions that touch money, customer communication or regulated processes require human review by default. We don’t deploy fully-autonomous agents in those paths.

No third-party data sharing.

We don’t use client data for our own training, our own product development, or anything other than the engagement it was provided for. SOWs codify this explicitly.

Defensible to your board, your regulator, and the AFR.

We design every system around a single test: would the firm’s GC, internal auditor and external regulator be comfortable with this in front of them? If the answer’s no, we redesign.

Data lifecycle

What we touch, at each phase.

Least privilege at every stage. Read-only by default. Operational access transfers to your named internal counterpart on handover.

Phase 1

Discovery

Stakeholder interviews and a light-touch systems review. No production data accessed.

Phase 2

Audit / scoping

Read-only access to representative samples. Aggregated metrics only; no individual records leave your environment.

Phase 3

Pilot build

Deployment inside your cloud tenancy. We hold least-privilege scoped access for the duration of the engagement.

Phase 4

Handover

Named internal counterpart takes over operational access. Our credentials are revoked on the date written into the SOW.

Compliance posture

Where we stand. And where we’re heading.

We don’t claim certifications we don’t hold. Roadmap dates are real commitments.

ABN-registered Australian business: Current

Professional Indemnity & Public Liability insurance: Current — A$10M cover

Privacy Act 1988 (Cth) compliance — APP framework: Current

Privacy Act 2026 — automated-decision transparency: Aligned (effective 10 Dec 2026)

AU Voluntary AI Safety Standard — six practices: Aligned

Guidance for AI Adoption (GfAA) — six-practice framework: Aligned

ISO/IEC 27001 (Information Security): Roadmap — H2 2026 target

SOC 2 Type II: Roadmap — evaluating need based on client mix

IRAP assessment (for government-adjacent work): On request

Procurement, GCs, internal audit

Need our security pack?

We share the long-form trust pack — data flow diagrams, sub-processor list, insurance certificates, contract template — on request, under NDA.