
Security & Trust

DATAP.AI is built for regulated AU industries. Security is the product, not a footnote. This page summarises how we protect your data and our path to formal certification.

How we earn trust

🇦🇺 Australian residency by default
Managed infrastructure runs in AWS Sydney. Aligned with APRA CPS 234 and OAIC APP 8 without additional configuration.

🏠 Deploy in your VPC
Governance engine, MCP server, and audit store ship as a Docker bundle you run inside your own network. Prompts and responses stay on your side.

🔐 Encryption in transit
Modern TLS on every external endpoint. HSTS preload, strict transport headers, and no plaintext listeners on public interfaces.

🪪 Authenticated by default
Every request carries a bearer token. Missing or invalid credentials fail closed. Per-tenant keys are on the near-term roadmap.

🛡 Fail-closed governance
Unknown regulated domain, missing policy catalogue, or unparseable model output all return a cited refusal, never a silent allow.

📝 Write-once audit
Every gate and validator decision is recorded with a named regulatory citation, point-in-time reconstructible via SCD2 and archived immutably.

🧹 No PII or PHI in logs
Operational logs record metadata only: method, URI, status, latency. Prompt and response bodies are never written to application logs.

🔄 Policy stays current
Our regulator-refresh pipeline reviews APRA, ASIC, OAIC, ISO, OWASP and partner catalogues weekly and proposes reviewed diffs, never auto-merged.
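To make the fail-closed governance rule above concrete, here is an added illustration (not DATAP.AI's own code): a gate that refuses with a citation whenever the domain is unknown, the catalogue is missing, or the model output cannot be parsed, and allows only when every check passes. The catalogue shape, the citation strings and the `govern` function are assumptions for this example.

```python
import json
from dataclasses import dataclass

# Constructed sample catalogue: regulated domain -> governing citation and
# the actions a model may take there. The real catalogue format is not
# described on the page; this shape is an assumption.
POLICY_CATALOGUE = {
    "banking": {"citation": "APRA CPS 234", "allowed_actions": {"summarise", "classify"}},
    "health": {"citation": "AHPRA Code of Conduct", "allowed_actions": {"summarise"}},
}

# Citation used when no domain policy can be consulted at all (placeholder).
FALLBACK_CITATION = "fail-closed default (placeholder citation)"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    citation: str   # every decision, allow or refuse, names its authority
    reason: str


def refuse(citation: str, reason: str) -> Decision:
    return Decision(False, citation, reason)


def govern(domain: str, raw_model_output, catalogue=POLICY_CATALOGUE) -> Decision:
    """Fail-closed gate: any missing or malformed input yields a cited refusal."""
    if not catalogue:
        return refuse(FALLBACK_CITATION, "policy catalogue unavailable")
    policy = catalogue.get(domain)
    if policy is None:
        return refuse(FALLBACK_CITATION, f"unknown regulated domain {domain!r}")
    try:
        parsed = json.loads(raw_model_output)
        action = parsed["action"]
    except (json.JSONDecodeError, TypeError, KeyError) as exc:
        # Output that is not JSON, not an object, or lacks the field is refused,
        # not silently treated as "no action".
        return refuse(policy["citation"], f"unparseable model output ({type(exc).__name__})")
    if not isinstance(action, str) or action not in policy["allowed_actions"]:
        return refuse(policy["citation"], f"action {action!r} not permitted in {domain!r}")
    return Decision(True, policy["citation"], "allowed")
```

Every branch that would otherwise be a silent allow (empty catalogue, unknown domain, malformed output) is an explicit, cited refusal, which is also what makes the decision auditable.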

Regulatory alignment

The platform is designed for, and by default cites decisions against, the following regulators and industry standards:

  • APRA CPS 234 / CPS 230 / AI 2025
  • ASIC REP 798 / s912A
  • OAIC Privacy APPs
  • AU 6 Essential AI Practices
  • NSW AI Assurance Framework
  • OWASP Top 10 for Agentic Applications
  • NIST AI RMF
  • ISO/IEC 42001
  • ISO/IEC 27001
  • EU AI Act
  • UK 5 Principles
  • AHPRA Code of Conduct
  • TGA Software as a Medical Device
  • WHO AI for Health
  • HIPAA Privacy + Security Rules

Certification roadmap

We are on the path to ISO/IEC 42001 (AI management system) and ISO/IEC 27001 (information security), with an in-house Chief Compliance Officer already certified as an ISO/IEC 42001 Lead Implementer. Independent penetration testing and SOC 2 Type II follow. Our certification status, audit letters and SBOM are available to prospective customers under a mutual NDA.

For procurement and security reviewers

We maintain a detailed security whitepaper, pre-filled SIG-Lite and CAIQ questionnaires, DPIA templates and our VPC deployment runbook. Available to serious procurement reviewers under a mutual NDA; contact sales@datap.ai.

Responsible disclosure

Security researchers: we welcome your reports at security@datap.ai. We respond within 24 business hours. In-scope targets are *.datap.ai and our published container images. We acknowledge responsible-disclosure contributions on request.

Last updated: April 2026.