The standing security posture for Australian regulated workflows

Australian data boundary

Customer inference, customer data, and model weights stay on Australian infrastructure. No third-party inference dependency unless explicitly contracted.

Encrypted in transit and at rest

TLS for every public surface. Disk-level encryption on every storage tier that holds customer or workflow data.

Signed audit trail on every consequential output

Every consequential model output is logged with the reviewer, the input source, the model version, and the decision context. The log is engineered so that model swaps and prompt revisions do not break the evidence chain.

Operator-controlled access

Role-based access on every administrative surface. Privileged operations require named operator approval and produce their own audit entries.

Strict transport + content security headers

Transport, framing, content-type, and referrer policies are configured as part of the standing pre-deploy baseline and checked against a fixed control set before each release reaches production.

Designed against APRA CPS 234 + OAIC + AHPRA evidence form

The audit trail is engineered to support prudential-review and practitioner-accountability evidence requests from day one, not retrofitted at audit time. See the APRA CPS 234 implementation checklist and the human-in-the-loop framework for the underlying design.