Trust isn’t a marketing claim. It’s an architecture.
Every layer of opzo.ai — identity, storage, AI inference, audit — is built for the standards Australian buyers expect in enterprise security and procurement reviews.
Australian data sovereignty
Onshore by design, not by exception.
Sovereignty in regulated industries is a binary state. opzo.ai is engineered to keep it that way without configuration choices that could regress it.
- Compute and storage exclusively in Azure Australia East and Australia Southeast
- Vector search (Azure AI Search) and AI inference (Azure OpenAI) onshore
- No third-party services storing customer data outside Australia
- Backups stored in Australian regions only
- Network policy denies international egress for the customer data plane
Security architecture
The controls a security team expects to see.
Identity & SSO
Auth0 OIDC across the suite. MFA. Session management. Per-app roles. Service principals for API access. Per-organisation access control.
Encryption
TLS 1.2+ in transit. AES-256 at rest in Azure SQL and Azure Blob. Customer-managed keys via Azure Key Vault for sensitive workloads.
Tenant isolation
Org-scoped entities with EF Core global filters. Azure SQL row-level security patterns. No shared customer indexes in vector search.
Audit log
Every create, update, delete, AI operation, export and admin action — recorded with user, org, app, IP and user agent. Exportable.
Soft delete & retention
Soft delete with 30-day retention by default. Permanent purge schedule and right-to-be-forgotten flow available on request.
Document handling
Document upload through Portal’s document service. Permission inheritance from Portal. Antivirus scan and content type validation.
AI governance
The opinionated AI guardrails that survive a regulator.
Australia’s appetite for unaccountable AI is shrinking fast. opzo.ai is engineered with controls that match where the regulators are heading.
Deterministic where it matters
Dollar amounts, dates, awards, rates, plan windows — calculated by deterministic engines, never inferred by an LLM.
Cited reasoning
Every AI assertion ships with a citation, fetched and verified by opzo.ai RAG against authoritative regulatory corpora.
PII detection at the AI boundary
Australian PII (TFN, Medicare, ABN, driver’s licence, credit cards) is detected and redacted before content reaches an AI model. Never logged.
Reasoning traces
A persisted, queryable trace of inputs, retrievals, decisions and verdicts — supporting automated decision-making (ADM) transparency expectations.
Senior-auditor (judge) tier
High-stakes outputs reviewed by a separate model deployment trained on golden cases before they reach humans.
Human-in-the-loop approval
Approval chains (single, dual / four-eyes, delegated, confidence-thresholded) with cryptographically signed decisions.
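One way to implement the "PII detection at the AI boundary" control listed above, as an added example that is not opzo.ai's own code: candidate digit runs are checksum-validated (TFN, ABN, Medicare, Luhn for cards) before redaction, and only the identifier type is returned for audit, never the value. The function names and sample text are assumptions; driver's licence numbers are left out because their formats are state-specific and carry no national checksum.

```python
import re

# Runs of 9-19 digits, allowing a single space or hyphen between digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){8,18}(?!\d)")

def _wsum(digits, weights):
    return sum(d * w for d, w in zip(digits, weights))

def is_tfn(d):  # 9-digit TFN: weighted sum divisible by 11
    return len(d) == 9 and _wsum(d, (1, 4, 3, 7, 5, 8, 6, 9, 10)) % 11 == 0

def is_abn(d):  # 11 digits: subtract 1 from the first, weighted sum divisible by 89
    weights = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
    return len(d) == 11 and _wsum([d[0] - 1] + d[1:], weights) % 89 == 0

def is_medicare(d):  # 10 digits (+ optional IRN): 9th digit checks the first 8
    return (len(d) in (10, 11) and 2 <= d[0] <= 6
            and _wsum(d[:8], (1, 3, 7, 9, 1, 3, 7, 9)) % 10 == d[8])

def is_card(d):  # payment card: 13-19 digits passing the Luhn check
    if not 13 <= len(d) <= 19:
        return False
    total = 0
    for i, x in enumerate(reversed(d)):
        if i % 2:
            x = x * 2 - 9 if x > 4 else x * 2
        total += x
    return total % 10 == 0

CHECKS = (("TFN", is_tfn), ("ABN", is_abn), ("MEDICARE", is_medicare), ("CARD", is_card))

def redact(text):
    """Return (redacted_text, kinds). kinds holds labels only, never matched values."""
    kinds = []
    def _sub(match):
        digits = [int(c) for c in match.group() if c.isdigit()]
        for label, check in CHECKS:
            if check(digits):
                kinds.append(label)
                return f"[REDACTED:{label}]"
        return match.group()  # no checksum matched: leave the number in place
    return CANDIDATE.sub(_sub, text), kinds

# Constructed sample input; the identifiers are checksum-valid test values.
SAMPLE = ("Client TFN 123 456 782, ABN 23 456 789 050, Medicare 2123 45670 1, "
          "card 4111-1111-1111-1111, ref 123456789.")

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Checksum validation keeps ordinary reference numbers intact, but it also lets a mistyped identifier through; a stricter boundary can redact every candidate run instead.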
Frameworks & alignment
Built to align with the standards procurement asks about.
We are upfront about which alignments are in place today and which are on the roadmap. No marketing claims you can’t verify.
| Framework | Posture |
|---|---|
| Australian Privacy Principles (APPs) | Aligned |
| Privacy Act 1988 | Aligned |
| Notifiable Data Breaches scheme | Process in place |
| Security of Critical Infrastructure (SOCI) | Designed for |
| APRA CPS 234 (where applicable) | Designed for |
| Essential Eight (controls maturity) | In progress |
| ISO/IEC 27001 controls map | Mapped, certification roadmap |
| IRAP (Australian Government) | Roadmap |
| SOC 2 Type II | Roadmap |
Incident response
Predictable, transparent, and on the clock.
Customers receive a single point of contact, defined SLAs by severity, and post-incident reports. opzo.ai follows the Notifiable Data Breaches scheme and notifies impacted customers as required, in plain English.
| Severity | First update | Cadence |
|---|---|---|
| P1 · Critical | 15 min | Hourly |
| P2 · High | 1 hour | Every 4 hours |
| P3 · Medium | 8 business hours | Daily |
| P4 · Low | 2 business days | As needed |
Need our security pack?
We provide an in-product assurance pack — data residency, sub-processors, retention, incident response and AI use statements — to help your security team move faster.