Security · Compliance · Trust


AES-256 encryption. Zero-knowledge PII tokenisation. Cryptographically tamper-evident audit trail. Australian data residency by default. Architecture aligned to ISO 27001, SOC 2 Type II, the NDIS Practice Standards, the AFSL Best Interests Duty, APRA CPS 234, and the Privacy Act 1988 as amended in 2024.

Architecture

Three layers of defence, five composable rails.

Inspired by NVIDIA's published thinking on agentic AI security and adapted for Australian regulatory frameworks. Each layer is a narrow, auditable choke-point. None depends on the AI model behaving correctly.

Sandboxed Runtime

Every AI agent action executes inside a policy-controlled boundary. The model cannot reach a system the operator has not authorised, and cannot perform an action the policy has not allowlisted. Defence in depth, not a single fence.

Privacy Router

All client data passes through the privacy router before any external API call. Seventeen categories of personal information are detected and replaced with reversible tokens. The model receives structure, never identity.

Intent Verification

Every agent action is validated against operator-defined policy before execution. High-risk actions surface to a human approver with full context: inputs, rationale, downstream impact. The AI proposes, the human decides.

The Guard Pipeline

Five rails before, during, and after every AI action.

01 Input rails

Validate and sanitise every user request. Detect prompt injection, homoglyphs, salted-tag manipulation, zero-width Unicode, and eighteen documented attack patterns before the request reaches the model.

02 Dialog rails

Control conversation flow and enforce business-context boundaries. The agent stays within the matter, the participant, the file, the deal. It does not freelance into an unrelated client's data, even when asked.

03 Execution rails

Monitor and validate every tool invocation. Domain allowlists on outbound HTTP, method restrictions, body-size limits, private-IP blocking, and TOTP re-verification for destructive actions.

04 Retrieval rails

Control which data is accessed during operations. Row-level security at the PostgreSQL layer scopes every query to the caller's organisation, so isolation holds even if application code omits a filter. A stolen API key cannot read another organisation's rows.

05 Output rails

Screen every AI response before delivery. Catch unlicensed financial-advice patterns, regulator-defined PII leakage, credential disclosures, and twelve other categorical risks before the message reaches the client.

AES-256-GCM · TLS 1.3 · PII Tokenisation · Hash-Chained Audit · Privacy Act (2024 amendments) · ISO 27001 Aligned · SOC 2 Aligned · MFA + RBAC + RLS · AU Data Residency · Zero-Knowledge AI · Human-in-the-Loop · OWASP Agentic 10/10

How it works

The architecture, in plain language.

01 / Data residency

Australian by default. On-premise on request.

All client data is stored and processed in Australian regions. The default deployment runs on Vercel infrastructure in the Sydney region and Supabase Postgres in the Sydney region — the database, storage buckets, and Realtime channels all hosted within Australian jurisdiction.

Each client deployment is dedicated cloud infrastructure: its own Supabase project, its own Vercel project, its own AES-256 encryption keys. There is no shared multi-tenant database. A stolen API key from one tenant cannot read another tenant's data because the boundary is enforced at infrastructure level, not by application logic.

For clients with stricter sovereignty requirements — government, IRAP-assessed deployments, certain APRA-regulated entities — an on-premise deployment path is available via Docker Compose with local LLM inference through Ollama. In that configuration, no client data leaves the building.

02 / Encryption

AES-256-GCM at rest. TLS 1.3 in transit. Per-client keys.

Bulk data is encrypted at rest with AES-256-GCM. Per-organisation encryption keys are derived via scrypt KDF from a master key held in Vercel's environment-variable store and rotated on a documented schedule.

Sensitive PII columns — participant identifiers, NDIS numbers, contact details, free-text clinical notes, BSP narratives — carry an additional column-level encryption layer using a separate key. A compromise of the bulk database key alone does not expose personal information.

Transit is TLS 1.3 with HSTS preload, modern cipher suites, and certificate pinning on mobile clients. The Content Security Policy is strict. X-Frame-Options is DENY. The Permissions-Policy explicitly disables camera, microphone, geolocation, payment, and the dozens of other browser APIs the platform does not need.

03 / PII tokenisation

Zero knowledge to the model. Real data only inside your session.

Before client data reaches an external AI model, the privacy router replaces seventeen categories of personal information with reversible tokens — full names, given names, surnames, email addresses, phone numbers, postal addresses, dates of birth, ABNs, ACNs, TFNs, Medicare numbers, NDIS participant numbers, bank accounts, BSBs, driver licences, passports, IP addresses.

The reverse-mapping table lives only inside the client's own Supabase project, encrypted with the client's per-organisation key. The AI model receives TKN_a8f2c1 instead of the raw value. The output is detokenised back to plaintext only when it is delivered to the authorised user inside the client's browser session.

The architectural consequence: even if a model provider were compromised, the data it holds carries no direct identifiers and cannot be reversed without the mapping table that never leaves the client's project. "Zero knowledge" here means exactly that: providers process tokens, not personal data. It is not a cryptographic zero-knowledge proof, and it covers the seventeen identifier categories rather than indirect identifiers that may remain in free text.

04 / Hash-chained audit trail

Cryptographically tamper-evident. Defensible at audit.

Every AI action — every prompt, every tool call, every approval, every data access, every guard evaluation — is logged to an immutable audit trail. Each entry contains the inputs the system relied on (with PII handled separately), the prompt template, the model and version, the timestamp, the human who reviewed and approved the result, and the action taken.

The audit log uses a SHA-256 hash chain: every entry's hash covers the previous entry's hash, so any edit, deletion, or reordering after the fact is detectable by recomputing the chain from the first row, provided the current chain head is checkpointed somewhere the database writer cannot reach. RESTRICTIVE row-level security policies on the audit_log table deny UPDATE and DELETE to the application roles. PostgreSQL RLS does not bind roles that hold BYPASSRLS (Supabase's service_role among them) or the table owner, so for those the append-only guarantee has to rest on UPDATE and DELETE privileges being revoked on the table itself, with the chain making any edit made under elevated privilege detectable.

The only way to write a new row is through an append-only RPC that acquires a transaction-scoped advisory lock to serialise concurrent writers and prevent chain forks. This is the record that underpins the automated-decision-making transparency provisions of the amended Privacy Act 1988, which commence on 10 December 2026: when a regulator or affected individual asks how a decision was made on a specific date, the export takes seconds and the chain is cryptographically defensible.

05 / Access control

MFA. RBAC. Row-level security. SSO/SAML for enterprise.

Authentication is via Supabase Auth with multi-factor authentication required for all users. TOTP-based MFA — Google Authenticator, Authy, 1Password compatible — is enforced at session start. Sessions are locked at AAL1 until MFA is completed. Backup codes are generated on enrolment and rotated on use.

Authorisation uses role-based access control with four levels — Admin, Manager, User, Viewer — combined with PostgreSQL row-level security policies that enforce organisation isolation at the database layer. Every query is scoped to the authenticated user's organisation. Department-scoped data access is configurable per role; tool-level permissions are configurable per action.

For high-risk actions — sending payments, deleting records, approving large purchase orders, lodging Commission notifications — TOTP re-verification is required even within an active session. This prevents a stolen session token from approving destructive operations. For enterprise deployments, SSO/SAML is supported with SCIM provisioning for user lifecycle management. We have integrations published for Okta, Azure AD / Entra ID, and Google Workspace.

06 / Incident response

Detect in minutes. Notify within 72 hours. Remediate to closure.

Incidents are detected through a combination of anomaly monitoring on the audit log, error-rate alarms on Sentry, latency alarms on Vercel, and the platform's own internal heartbeat checks. Detection-to-acknowledgement target is under 15 minutes during business hours.

Containment is documented in the Incident Response SOP and includes immediate session revocation for compromised accounts, key rotation for compromised encryption material, and forensic-snapshot procedures for the Supabase project. Under the Notifiable Data Breaches scheme, a suspected breach must be assessed within 30 days and an eligible breach notified to the OAIC and affected individuals as soon as practicable; APRA CPS 234 separately requires regulated entities to notify APRA within 72 hours of becoming aware of a material information security incident. SydClaw's runbook is calibrated to the 72-hour timeline, with internal alerting set well below it.

Post-incident review produces a written root-cause analysis within 14 days. Remediation actions are logged against the operations register and tracked to closure. Every incident is added to the APRA CPS 234-style asset incident register that ships with the platform, regardless of whether the client falls under APRA jurisdiction.

Compliance

Eight frameworks. One platform.

Where a certification status is named, the language reflects current state and updates as audits progress. Architecture alignment is documented; certification is the wrapper, not the substance.

ISO 27001 Aligned

Architecture aligned to ISO 27001 controls (Annex A). Information security management system documented across access control, cryptography, incident management, vendor management, and operational security. Certification in progress.

SOC 2 Type II Aligned

Architecture aligned to the Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity. Continuous control monitoring across change management, logical access, and incident response. Audit in progress.

Privacy Act 1988 (2024 amendments)

Designed for the automated-decision-making transparency provisions introduced by the Privacy and Other Legislation Amendment Act 2024, which commence on 10 December 2026. Every automated decision is recorded with inputs, prompt template, model version, reviewer, and a cryptographic chain that supports the disclosure and explainability requirements under the new APP 1.7–1.9.

NDIS Practice Standards

Built-in evidence mapping against Practice Standards indicators (Outcomes 1–5 plus High Intensity Daily Personal Activities Skill Descriptors). Continuous audit-prep module, restrictive practices register, SIRS reporting workflow, worker compliance tracking.

AFSL Best Interests Duty

Output rails screen every AI response for twelve categories of unlicensed financial-advice language patterns. The Best Interests Duty audit trail under s 961B of the Corporations Act 2001 (ASIC RG 175) links every recommendation to the licensed professional who reviewed and approved it.

APRA CPS 234

AI asset register maintained automatically. Security-relevant incidents logged with timestamps and root-cause analysis. Security testing evidence assembled continuously rather than at audit time.

Aged Care Quality Standards

Strengthened Aged Care Quality Standards (in force since 1 November 2025, with the Aged Care Act 2024). Evidence mapped against Standards 1–7 outcomes and actions. AN-ACC care-minute tracking, electronic medication administration with double-check enforcement, SIRS priority-1 / priority-2 reporting.

TASA 2009 (Tax Agent Services Act)

AI prompts and responses are stored alongside the matter as working papers. The chain of evidence is one query away when the Tax Practitioners Board asks how a position was reached. Registered tax agent obligations honoured by design.

Supply chain

A small, named set of upstream providers.

SydClaw depends on Anthropic for Claude (primary LLM), OpenAI for fallback model access, Supabase for Postgres and Storage, Vercel for compute and edge, Inngest for durable workflows, Sentry for error monitoring, and Resend for transactional email. Every provider has a published Data Processing Agreement, a public security posture, and a documented residency commitment for Australian data.

The supply chain itself is monitored continuously. Dependabot tracks dependency updates with grouped weekly PRs. TruffleHog scans every push for committed secrets. CodeQL static analysis runs on every PR. Pre-merge CI enforces type-check, lint with zero warnings tolerated, chaos-test execution, and migration linting. Software bill of materials is generated on every release.

Adversarial testing

Annual pen tests. Quarterly red team.

External penetration tests are scheduled annually with an Australian-based provider. Scope: web application, API surface, authentication flows, multi-tenant isolation boundary. Findings are remediated against severity-based timelines — Critical 7 days, High 30 days, Medium 90 days, Low backlog.

Internal red-team exercises are run quarterly, focused on the agentic surface: prompt injection, tool misuse, privilege escalation through chained actions, output exfiltration attempts. The platform was scored against the OWASP Top 10 for Agentic Applications 2026 and the architecture addresses all ten risk categories. Findings feed back into the guard pipeline as additional rails; the pipeline is not static.

Ready for a security review?

We share our DPA, security policies, network diagrams, and incident response runbook with prospects under NDA. Book a call and we'll send the full security review pack ahead of the conversation.