SydClaw is a managed AI workforce platform for Australian professional services firms, built by AI Lab Australia Pty Ltd. It provides an AI employee that handles email automation, calendar management, document generation, invoice processing, safety compliance, and reporting — 800+ automated actions across 22 modules. It connects to Gmail, Microsoft 365, Xero, SafetyCulture, HubSpot, SharePoint, Smartsheet, and 8,000+ apps via Zapier.

How much does SydClaw cost?

SydClaw Pilot pricing is $360 per user per month plus a one-time $5,000 setup fee. The Pilot plan includes up to 5 modules, full AI guardrails, and a 30-day pilot with rollback. Enterprise pricing is custom and includes unlimited modules, SSO/SAML, dedicated infrastructure, and an SLA. Contact sydclaw.com.au/contact for a quote.

Is SydClaw compliant with Australia's Privacy Act 2026?

Yes. SydClaw includes an immutable audit trail of every AI decision — input data, reasoning, output, model version, and timestamp — automatically meeting the December 10, 2026 Privacy Act transparency requirements. Consumers and employees can request explanations of any automated decision. Reports are generated automatically without manual preparation.

Does SydClaw store data in Australia?

Yes. SydClaw uses Australian data residency by default — hosted on Vercel and Supabase infrastructure located in Sydney, NSW. An on-premise option is also available using Docker Compose and local LLM inference via Ollama, where zero data leaves your building. The on-premise option is architected for IRAP PROTECTED assessment for government contracts.

How long does it take to deploy SydClaw?

SydClaw deploys in approximately 10 days. This includes OAuth connection of your existing tools, configuration of policies and guardrails specific to your business, compliance setup for your applicable frameworks (Privacy Act, AFSL, APRA CPS 234), and testing the AI workflows against your real data before go-live.

What integrations does SydClaw support?

SydClaw has native integrations with Gmail, Microsoft 365, Xero (invoicing and accounting), SafetyCulture (safety compliance), HubSpot (CRM), SharePoint and OneDrive (document storage), Smartsheet (spreadsheets), and Vapi (AI voice calls). It also connects to 8,000+ additional applications via Zapier. OAuth tokens are stored with AES-256 encryption.

How does SydClaw protect personal data and PII?

SydClaw uses a zero-knowledge PII tokenisation system before any data is processed by AI models. It automatically detects 17 categories of personal information — including names, email addresses, ABNs, TFNs, phone numbers, and physical addresses — and replaces them with reversible tokens. AI models never process real personal information. All tokens are reversible by authorised users only. Data is encrypted with AES-256 at rest and TLS 1.3 in transit.

Is SydClaw suitable for AFSL-licensed financial services firms?

Yes. SydClaw automatically screens every AI-generated response for 12 categories of unlicensed financial advice language patterns, blocking or flagging responses that could constitute financial advice without proper licensing. It also maintains a Best Interests Duty audit trail that links every AI recommendation to the licensed professional who reviewed and approved it, supporting ASIC compliance requirements.

Does SydClaw support APRA CPS 234 requirements?

Yes. SydClaw supports APRA CPS 234 for banks, insurers, and superannuation funds. It automatically maintains an AI asset register, logs all security-relevant incidents with timestamps, and generates security testing evidence. These controls are maintained continuously rather than assembled at audit time.

What security certifications does SydClaw have?

SydClaw's architecture is aligned to ISO 27001 (certification in progress) and SOC 2 Type II (audit in progress). It uses AES-256 encryption, TLS 1.3 in transit, role-based access control with Row Level Security at the database layer, multi-factor authentication, immutable audit logging, and human-in-the-loop approval workflows for sensitive actions. Enterprise deployments support SSO/SAML.

What is the difference between SydClaw and ChatGPT or Copilot?

SydClaw is a managed AI workforce platform — not a chat assistant. Unlike ChatGPT or Microsoft Copilot, SydClaw autonomously executes business workflows: it connects directly to your email, calendar, invoicing, and document systems and takes action without prompting. It runs on a schedule (morning briefings at 7 AM), responds to triggers (new email arrives), and processes tasks overnight. It also has Australian-specific compliance built in — Privacy Act 2026, AFSL screening, APRA CPS 234 — and all data stays in Australia.

Who is SydClaw built for?

SydClaw is built for Australian professional services firms — including legal, accounting, financial planning, construction project management, consulting, and managed services businesses — typically with 5 to 100 employees. It is particularly valuable for firms subject to Australian regulatory requirements including Privacy Act 2026, AFSL obligations, or APRA CPS 234.

← Back to blog

30 April 2026 · 7 min read

Why Australian Firms Shouldn't Use ChatGPT for Client Work — and What to Use Instead

ChatGPT is the AI tool every team has a tab open to. For Australian professional services firms with regulatory obligations, using it on client data exposes the firm in ways most partners haven't yet absorbed. Here's the specific exposure, and what compliant looks like.

Roman Silantev — Founder, AI Lab Australia

The browser tab that ate your compliance posture

Walk through any Australian professional services firm's office today and you will find ChatGPT open in someone's browser. A junior accountant drafting a client email. A paralegal summarising a contract. A mortgage broker preparing a Statement of Credit Assistance. A property manager triaging tenant complaints. The tool is good; the work it produces is fast; the partners are mostly unaware of how much of it is happening.

Nothing about that scene is operationally wrong. What is wrong is the regulatory exposure the firm is accumulating, quietly, with every browser tab. Each interaction sends client data to an overseas model provider in plaintext, leaves no record the firm controls, and generates outputs the firm cannot explain to a regulator if asked. The exposure compounds: every junior using the tool every day is creating audit-trail liability that will surface the moment the regulator asks for an explanation of an automated decision, the firm fails to produce one, and the OAIC, ASIC, the TPB, the Commission, or the relevant aggregator decides the firm is non-compliant.

What ChatGPT does well

Before getting to the criticisms, the credit. ChatGPT is the most capable conversational AI assistant available at consumer pricing. The underlying models are state of the art. The user experience is excellent. For an individual user working on their own data — drafting a personal email, summarising a research paper, brainstorming an internal memo — ChatGPT delivers value that earlier generations of productivity tools could not. Anthropic's Claude offers similar capability with a slightly different stylistic profile, and Microsoft Copilot does the same inside the Microsoft 365 surface. The technology is good; the professionals using it are usually getting better outcomes faster than they would otherwise.

The issue is not the AI's capability. The issue is the regulatory frame the firm operates in, and the gap between what the consumer-grade product captures and what the regulator expects.

Where the exposure actually sits

Three categories. First: data residency and personal information. Most Australian firms operate under the Privacy Act 1988 (as amended) and have data-handling commitments to clients that specify Australian or jurisdictionally controlled storage. ChatGPT's default data-handling sends prompts to OpenAI's processing infrastructure, which is not Australian. ChatGPT Enterprise has stronger commitments, but most firms running ChatGPT through individual paid subscriptions have not contractually agreed to enterprise terms. The data flow is technically out of compliance with most firms' published privacy notices.

Second: audit trail. The Privacy Act 2026 ADM transparency provisions activating 10 December 2026 require an explanation of any automated decision that significantly affects an individual. ChatGPT Enterprise's audit logs capture interaction metadata, but the link between a specific interaction and a specific client matter — and the chain of inputs, prompt template, model version, and reviewer that the regulator wants to see — is something the firm has to maintain itself. Most firms don't.

Third: vertical compliance. AFSL Best Interests Duty, NDIS Practice Standards, Aged Care Quality Standards, TASA 2009 — all impose obligations that go beyond the generic privacy frame. A consumer AI tool, however good, does not maintain the vertical-specific evidence those obligations demand.

What compliant looks like

Compliant doesn't mean abandoning AI. It means routing AI through infrastructure the firm controls, with the audit trail the firm needs, and the data-handling the firm's clients are entitled to expect.

The core controls: client data is tokenised before any external model call, so the model provider never receives raw personal information; the inputs, the model version, the prompt template, and the reviewer are captured against the matter; the output passes through a screening layer that catches unlicensed-advice patterns, regulator-defined PII leakage, and other category-specific risks before delivery; the audit log is immutable and exportable in a format the relevant regulator accepts.

This is what SydClaw provides as a managed service. It is not unique to SydClaw — any platform that combines tokenisation, dedicated audit infrastructure, vertical compliance modules, and Australian residency can satisfy the same controls. The point is that consumer ChatGPT does not, and patching it with manual workflows is operationally unsustainable.

What to do if your firm is using ChatGPT today

First, audit. Produce a written register of every AI tool actually in use, every workflow that touches client data, and every staff member using each tool. The register will be longer than expected. Second, classify the workflows by regulatory exposure: drafting an internal memo is low-risk, drafting a Statement of Credit Assistance is high-risk. Third, for the high-risk workflows, either move them to a tool that produces the audit trail natively, or document them manually. The manual path is legitimate but operationally painful at any meaningful scale.

Don't try to ban ChatGPT outright. The firms that try this find that the tool is back in use within a week through personal devices and unsanctioned accounts; the only thing the ban achieves is removing the firm's visibility into what's happening. Better to provide a compliant alternative for client work, leave ChatGPT in place for non-client uses, and govern by where the data goes rather than which tool is open.

Disclosure: I'm the founder of the company that builds SydClaw, the AI workforce platform purpose-built for Australian professional services firms. We sell against ChatGPT directly. The audit-the-current-AI-usage exercise above is something we run with prospects in our discovery sessions, and we share the resulting register regardless of whether the firm ends up using SydClaw. If you'd like one of those sessions with no obligation, reach me at info@ailabaustralia.com.

About the author

Roman Silantev — Founder, AI Lab Australia. Roman is the founder of AI Lab Australia Pty Ltd, the company that builds and operates SydClaw. He has spent the last decade building enterprise software for Australian professional services firms, and writes regularly on AI compliance and Privacy Act obligations.

Talk to us about Privacy Act 2026 readiness