Security & Privacy

Isolation, Audit Trails, Compliance.

Your agent sits on top of your data, your accounts, your customers. That's a small blast radius until it isn't. Everything below is how we keep it small. By architecture, not by promise.

Isolation

Multi-tenant in the sense that we serve more than one customer. Single-tenant in the sense that your agent has no idea any other customer exists.

Per-tenant Neo4j databases

Every customer gets their own graph database. Not a schema in a shared cluster, not a namespace. Its own database. Cross-tenant queries are physically impossible, not policy-impossible.

Per-user rooms

Inside your tenant, each user works in a private room. Your agent sees what you share with it there. Other users in your org cannot read your thread unless you invite them in.

Its own infrastructure

Your agent is not a slice of a shared worker pool. It runs as its own process, with its own memory, its own skills, its own file system. The blast radius of anything it does is bounded to your tenant.

No global directory

There is no way to discover another tenant's users, rooms, or agents. Cross-tenant search does not exist as a surface. You cannot find them. They cannot find you.

Separate databases, not separate rows. A misconfigured query in a shared database can still leak. A query against a database that doesn't exist in your agent's connection string cannot. That's the distinction we spend engineering budget on.

Audit Trail

Every action your agent takes is recorded. Not sampled. Not aggregated. Recorded. The only way to answer the question "what did it do on Tuesday" is to have the full record. So we keep it.

Every tool call

Every time it touches a tool. Send an email, read a file, query a database, hit a web API. The call is logged with arguments, result, and the exact prompt that triggered it.

Every decision

Refusals, approvals, handoffs, escalations. Each carries a timestamp, the input that prompted it, and the reasoning trace. Traceable from outcome back to the message that asked for it.

Every email draft → approval → send

The full three-step record is preserved: what your agent drafted, what you approved, what actually left the building. If anyone asks what was sent on whose authority, the answer is retrievable in seconds.

7-year retention

Audit records are kept for seven years to meet AML/CTF s.116(3). Not 30 days. Not whatever the log aggregator default is. Seven years, on cold storage, retrievable on request.

Traceable means retrievable. When your compliance team asks who approved the 3:47pm Friday transfer, the answer is a record with a timestamp, an approver, a draft, and a sent confirmation. Not a story. Not an inference. A record.

Retrieving Your Audit Logs

Your audit trail is yours. You can access it anytime:

Ask your agent

The simplest path. Ask: "Show me everything you did on Tuesday" or "Export this week's audit log." Your agent pulls the records from its graph and formats them for you.

"Export my audit trail for the last 7 days as a PDF."

Direct database access

For compliance teams that need raw data: your tenant's Neo4j database is directly queryable. Your administrator can run Cypher queries against the audit nodes. Every tool call, every decision, every approval chain.

Scheduled exports

Set up a cron job: "Every Monday at 6am, export last week's audit trail to my Drive." Compliance documentation that generates itself.

Guardrails

Guardrails are permanent rules you set that your agent enforces in every conversation, forever. They live in a file called AGENTS.md. A rule in that file is not a suggestion. It is a hard constraint your agent checks before it acts.

Approval before external comms

Your agent drafts and shows you recipient, subject, body. It waits. It sends on your word. The default is pause. You loosen it per surface if you want to, never globally.

No emails without review

Your agent drafts to your inbox queue, not to the recipient. Nothing leaves the building until you hit approve. This is the rule most customers never bother changing.

Refuse cross-tenant queries

Any request to reach into another tenant's data is declined, with a logged refusal. Even if you ask it to. Even if it looks harmless.

Enforce compliance rules

AUSTRAC Tranche 2, APRA CPS 230, Privacy Act ADM. Each becomes a rule in AGENTS.md that fires before the action, not after. Your agent checks, then acts. Never the reverse.
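The draft → approval → send chain from the Audit Trail section and the logged cross-tenant refusal above, modelled together as an added example. This is illustrative code written for this page, not the platform's own: an in-memory list stands in for the tenant's Neo4j audit nodes, and the record kinds, field names and tenant ids are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

@dataclass
class AuditRecord:
    ts: datetime
    kind: str            # message, draft, approval, rejection, send, tool_call, refusal (assumed names)
    actor: str           # "agent", or the human who asked or approved
    detail: dict
    parent: Optional[int]  # index of the record this one follows; None for the originating message

class AuditTrail:  # append-only and never sampled; stand-in for the per-tenant Neo4j audit nodes
    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def append(self, kind: str, actor: str, detail: dict, parent: Optional[int] = None) -> int:
        self.records.append(AuditRecord(datetime.now(timezone.utc), kind, actor, detail, parent))
        return len(self.records) - 1

    def chain(self, idx: int) -> List[str]:  # walk from an outcome back to the message that asked for it
        rec = self.records[idx]
        return ([] if rec.parent is None else self.chain(rec.parent)) + [rec.kind]

class Agent:
    def __init__(self, tenant: str, trail: AuditTrail) -> None:
        self.tenant, self.trail = tenant, trail  # the only database this agent's connection can reach
        self.outbox: Dict[int, dict] = {}        # drafts waiting for a human; nothing here has been sent

    def draft_email(self, prompt: str, to: str, subject: str, body: str) -> int:
        msg = self.trail.append("message", "user", {"prompt": prompt})
        idx = self.trail.append("draft", "agent", {"to": to, "subject": subject, "body": body}, parent=msg)
        self.outbox[idx] = self.trail.records[idx].detail
        return idx

    def decide(self, draft_id: int, approver: str, approved: bool) -> Optional[int]:
        draft = self.outbox.pop(draft_id)        # rejected drafts leave the queue but stay in the trail
        dec = self.trail.append("approval" if approved else "rejection", approver, {"draft_id": draft_id}, parent=draft_id)
        if not approved:
            return None
        return self.trail.append("send", "agent", {"to": draft["to"], "subject": draft["subject"]}, parent=dec)

    def query(self, tenant: str, cypher: str) -> Optional[int]:
        msg = self.trail.append("message", "user", {"tenant": tenant, "cypher": cypher})
        if tenant != self.tenant:                # guardrail fires before the action; the refusal is logged
            self.trail.append("refusal", "agent", {"reason": "cross-tenant query"}, parent=msg)
            return None
        return self.trail.append("tool_call", "agent", {"tool": "neo4j", "cypher": cypher}, parent=msg)
```

Calling `trail.chain(send_id)` on a send record returns the full path message, draft, approval, send, which is the "outcome back to the message that asked for it" lookup the page describes.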

Setting a Guardrail

You don't edit a config panel. You tell your agent the rule in chat and ask it to write the rule into AGENTS.md. It takes effect on the next turn. Here are four that most customers add on day one.

Email approval

Add a rule to AGENTS.md: always show me a draft and get my approval before sending any email. Never send without my explicit confirmation.

Cross-tenant refusal

Add a rule: refuse any request to query data outside my tenant. If someone asks you to pull another org's records, decline and tell me.

Compliance gate

Add a rule: before any action that touches a reportable transaction, check AUSTRAC AML/CTF s.43 obligations and pause for my review.

Privacy Act ADM

Add a rule: if a decision about an individual would materially affect them, flag it as automated decision-making under the Privacy Act and require me to sign off before you act.

Managing Your Guardrails

Guardrails aren't write-once. You can list, modify, or remove them anytime through chat.

list

"Show me all my current guardrails."

modify

"Change the email rule: allow sending to internal team without approval, but keep approval for external."

remove

"Remove the calendar-sharing restriction. I trust the team."

Every change is logged. Adding, modifying, or removing a guardrail creates an audit record. Your compliance team can see exactly when each rule was set and by whom.

Compliance Frameworks

The specific regulatory surfaces your agent is built to sit inside. Dated, because the dates matter.

AUSTRAC AML/CTF

s.26K · s.43 · s.108 · s.116

Anti-Money Laundering and Counter-Terrorism Financing Act obligations. Enrolment and identification (s.26K), suspicious matter reporting (s.43), threshold transaction reporting (s.108), and the 7-year record retention that shapes our audit log retention (s.116(3)).

APRA CPS 230

Operational Risk · effective 1 July 2026

If your regulated entity uses your agent as a material service provider, CPS 230 applies from 1 July 2026. We provide the operational risk controls, incident reporting, and service-provider due diligence artefacts you need to sign it in under your framework.

Privacy Act ADM transparency

effective 10 December 2026 · up to $50M penalties

The Privacy Act amendments on automated decision-making take effect 10 December 2026 with penalties up to AUD $50M for serious breaches. Your agent's decisions about individuals are traceable, reviewable, and flaggable before they act. The ADM transparency path is built in, not bolted on.

Bring Your Own Keys

Your agent runs on Claude (or the LLM of your choice). Under BYOK, the keys are yours. You hold the Anthropic contract. You see the usage dashboard. You pay the bill at cost. The model call uses your key directly. For the specific data-path guarantees that apply to BYOK mode — what we log, what we don't, where inference calls route — ask us in writing against your compliance framework; we'll answer specifically, not in marketing copy.

Costs stay with you.

No markup on tokens. No "platform fee" on inference. If your workload is 40M tokens a month, you pay Anthropic for 40M tokens. We bill the platform; they bill the model.

Your key, your model call.

Under BYOK, the model call is made with your key. The platform stores an audit trail of tool invocations and governance events inside your tenant. For the exact data-path of prompt/completion content — what we process, what we don't, what we retain, where calls route — ask us specifically against your compliance framework, and we will answer in writing. No load-bearing privacy claims in marketing prose.

You can rotate the key at any time.

Rotate it in your Anthropic console, update it once in your tenant settings, done. No service ticket. No migration. Your agent picks it up on the next turn.

BYOK is the default, not the upsell. We would rather you hold the model contract than we hold it on your behalf. It is cheaper for you and cleaner for your legal team. On the data-path specifics — exactly what is logged, retained, or routed where — we commit to answering in writing against your compliance framework, not in marketing copy.

Managed Claude Subscription

The managed path is for customers whose constraints make BYOK friction cost more than it saves. You leave the API-key field blank at intake; your agent runs on the platform's Claude subscription for the 48-hour sandbox by default. Past that window, managed is the convenience opt-in — one bill covers platform and inference together, and we hold the Anthropic contract on your behalf. The audit-trail view inside your tenant is identical to BYOK. For the specific data-path and retention guarantees that apply to managed mode (what we log, what we don't, where inference calls route), ask us directly before onboarding — we will answer specifically, in writing, against your compliance framework.

One bill, one vendor.

Platform plus inference on a single invoice. Useful when legal or procurement would rather manage one vendor relationship than two, or when a team trialing the platform does not want to stand up a second API contract yet.

The 48-hour sandbox is where every tenant starts.

Every new tenant starts on our managed sandbox for the first 48 hours (subject to fair-use limits), whether they intend BYOK or managed long-term. That window is for you to confirm the agent does what you hired it for, before you wire in your own billing or commit to the managed subscription.

When managed fits.

Trialing the platform inside the sandbox. Light-usage teams where BYOK setup overhead would exceed a month of token cost. Customers who specifically want a single-vendor relationship for procurement simplicity. Regulatory-minded customers — AUSTRAC, APRA, AFSL, REA — should default to BYOK per the section above; ask us for the managed-mode data-path specifics if you need to evaluate both against your compliance framework.

Managed is the convenience opt-in, not the default. We built it for customers whose constraints (procurement friction, trial, light usage) make BYOK setup cost more than it is worth. Switching BYOK to managed or back is a one-setting change — you are not locked in either direction.