Australian data residency
All customer data — recordings, transcripts, documents, fact-find records — is stored and processed in AWS Sydney (ap-southeast-2). Compute runs in the same region. Your data does not leave Australia in the course of normal operations.
Encryption
TLS 1.2+ for all traffic in and out of the platform. AES-256 at rest for object storage and the database. OAuth tokens for third-party integrations are wrapped in envelope encryption with per-row data keys, themselves encrypted by AWS KMS.
AI inference
Document generation runs on AWS Bedrock using Claude (Anthropic) via the Australian cross-region inference profile. Bedrock provides explicit guarantees that customer prompts and outputs are not used to train models. We do not retain prompts or completions beyond what’s needed to render and audit the resulting document.
Recording retention
Audio is the most sensitive thing on the platform — and the most disposable. By default we delete recordings 30 days after upload. The retention window is configurable per practice. The Statement of Advice, transcript, and document history remain in place; the audio does not. The SOA is the permanent record of advice, not the recording.
Tenant isolation
Every record in our database is tagged with a practice ID. Every query is scoped to the authenticated user’s practice. Licensee admins receive an explicit cross-practice scope; standard users do not. Postgres row-level security is on the roadmap as a future defence-in-depth layer.
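As an added illustration (this is not the platform's own code), the sketch below shows application-level practice scoping of the kind described above, with an explicit cross-practice grant for licensee admins and an audit entry for cross-practice reads. The `documents` table, the `User` fields, the function names and the use of in-memory SQLite in place of Postgres are all assumptions made for the example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class User:  # hypothetical shape of an authenticated session
    user_id: str
    practice_id: str
    # Explicit grant held only by licensee admins; empty for standard users.
    cross_practice_scope: frozenset = frozenset()


class ScopeError(PermissionError):
    """Raised when a user asks for a practice outside their scope."""


def fetch_documents(conn, user, practice_id=None, audit=None):
    """Return documents for exactly one practice; there is no unscoped path."""
    target = practice_id or user.practice_id
    if target != user.practice_id and target not in user.cross_practice_scope:
        raise ScopeError(f"{user.user_id} has no scope for practice {target}")
    if target != user.practice_id and audit is not None:
        # Cross-practice reads are recorded before any data is returned.
        audit.append({"event": "cross_practice_access",
                      "user": user.user_id, "practice": target})
    # The practice filter is a bound parameter, never caller-supplied SQL.
    return conn.execute(
        "SELECT id, title FROM documents WHERE practice_id = ? ORDER BY id",
        (target,),
    ).fetchall()


def demo_db():
    """Constructed sample data: two practices sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
                 "practice_id TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO documents (practice_id, title) VALUES (?, ?)",
        [("prac-a", "SOA Smith"), ("prac-a", "SOA Jones"), ("prac-b", "SOA Lee")],
    )
    return conn


if __name__ == "__main__":
    db, trail = demo_db(), []
    admin = User("admin-1", "prac-a", frozenset({"prac-b"}))
    print(fetch_documents(db, admin, "prac-b", trail), trail)
```

Because the scope check lives in application code, any query that bypasses a helper like this is unprotected, which is the gap a database-level row-level security policy would close.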
Audit trail
Authentication events, document status changes, integration credential lifecycle, plan changes, and cross-practice access are all logged to a structured audit trail. Our retention target is seven years, in line with Australian advice-record retention guidance.
Compliance grounding
Generated documents are grounded in a curated library of Australian regulatory references — ASIC RG175, FASEA, ATO thresholds, SSA pension parameters. When a threshold changes, the regulatory snapshot is updated and downstream documents reflect the new figure.
Compliance checking
Every generated document passes through an advisory rule engine before you approve it. Eight rules — FSG reference, scope statement, best-interests narrative, fee disclosure, risk profile capture, alternatives considered, and more — surface as advisory badges. Issues are visible to you; we don’t block your work, but we do flag what’s missing.
Backups & disaster recovery
Database snapshots are taken daily. Object storage is S3 with cross-availability-zone redundancy as standard. Recovery objectives are appropriate for a SaaS at our stage; we publish a more detailed posture as part of customer due-diligence questionnaires.
Roadmap
We are working towards SOC 2 Type 2 attestation. Independent penetration testing is scheduled on a recurring cadence. We will publish updates as these milestones land.
Privacy posture
We do not sell your data. We do not share it with third parties for marketing. We do not use your meetings, transcripts, or documents to train AI models. The data export feature lets you take everything with you whenever you want — one click, 24-hour rate limit, no negotiation.
Have a due-diligence questionnaire? Email security@advixa.com.au with your DDQ and we’ll respond within five business days.