Security and trust, built in from the start
We build AI for regulated industries: healthcare, banking, and telco among them. That means how we handle your data and govern our AI is not an afterthought; it is part of the build. Here is exactly where we stand.
Six things we get right, every build.
Encryption everywhere
Your data is encrypted in transit with TLS and at rest with AES-256. Secrets and credentials are encrypted with per-record keys, never stored in plain text.
Least-privilege access
Every system, agent, and integration gets the narrowest access it needs to do its job, scoped per client and per user, and nothing more.
Human in the loop by design
Our agents prepare and propose, but any change to your systems is gated behind human approval. Nothing mutates your data without a person signing off.
Your data stays yours
You own your data, full stop. We never sell it, and we never use it to train public AI models. You can export or delete it on request.
Privacy Act 2020 compliant
We operate under the New Zealand Privacy Act 2020 and sign data-processing agreements with every client so the terms of how we handle your data are in writing.
Enterprise-grade foundations
We build on trusted infrastructure, including Anthropic's Claude and reputable cloud providers, so our security inherits theirs rather than reinventing it.
The standards we are building toward.
We will always be straight with you about where we are. Today we comply with the NZ Privacy Act and run on enterprise-grade infrastructure. These are the formal certifications on our roadmap, in the order we are pursuing them.
Privacy Act 2020
What it is. The legal baseline for handling personal information in New Zealand.
Why it matters. Table stakes for any NZ business. We comply today and back it with signed data-processing agreements.
ISO/IEC 27001
What it is. The international gold standard for managing information security, certified by an accredited body.
Why it matters. Required by many enterprises and banks across Australia, NZ, and Asia. Our first major certification target.
SOC 2 Type II
What it is. An independent attestation that our security controls operate consistently over time, issued by a licensed CPA firm.
Why it matters. The single most-requested security artefact in enterprise procurement, especially in North America.
ISO/IEC 42001
What it is. The world's first certifiable standard for responsible AI governance, published in late 2023.
Why it matters. Our differentiator. Very few AI companies hold it, and it proves we govern AI responsibly, not just securely.
We are standing up a governance and compliance platform to run these programmes with continuous control monitoring rather than once-a-year box ticking. We will mark each as certified here the moment it is independently confirmed, and not before.
AI you can actually trust.
Security keeps your data safe. Governance keeps your AI accountable. As an AI development company, we hold ourselves to both, well ahead of the ISO 42001 standard we are pursuing.
Human oversight
A person stays accountable for what our AI does. Agents never take irreversible action on your business on their own.
Transparency
We are clear about which models we use, what data they see, and what they are and are not allowed to do.
Risk classification
Every AI system we build is inventoried and risk-rated, so higher-stakes use cases get more controls and more review.
Bias and quality checks
We test outputs for accuracy and fairness, and we keep a human review loop on anything customer- or compliance-facing.
How we handle your data, in plain terms.
Ownership
Your data is yours. We process it to deliver the work you hired us for, nothing else.
No model training
We never use your data to train public AI models. Your context stays your context.
Vetted subprocessors
We use a small, named set of reputable providers, each under their own data protection terms.
Retention and deletion
We keep data only as long as needed for the engagement, and delete or return it on request.
Confidentiality
We work under NDAs and keep strict separation between clients. One client's data never bleeds into another's.
Access on a need-to-know basis
Only the people working on your account can see your data, and access is logged.
Running a security review?
We make procurement easy. Ask us anything about our controls, data handling, or certification roadmap, and we will give you straight answers.