Skip to main content
advantAIge

Security & Compliance

Built for institutional confidence.

Procurement-ready documentation for universities, corporates and government. If you need information not listed here, request it via the enquiry form.

Hosting and data residency

  • Application deployed on Vercel's global edge network with Australian traffic routing
  • Database and delegate data stored in Australian-hosted Supabase infrastructure (PostgreSQL). Specific region details provided in procurement discussions.
  • No delegate data leaves the platform without explicit export
  • HTTPS enforced with HSTS headers across all routes
  • Content Security Policy headers configured on every response
  • All connections over TLS 1.2+

Authentication and access

  • Magic link sign-in by default — no passwords to manage, no reset flows, no shared credentials
  • SSO via SAML or OIDC available as a scoped engagement during onboarding
  • Role-based access control: participant, manager, company admin, coach, platform admin
  • Session tokens are short-lived and signed with per-environment secrets
  • Service role key is server-side only and never exposed to client-side code
  • Company-level data isolation — all queries are scoped to organisation
  • Admin endpoints use separate HMAC-signed tokens
  • Audit trails and admin dashboards included in every deployment

AI governance and observability

  • All AI inference is server-side only — never called from the client, never exposing API keys in bundles
  • No delegate input data is used to train or fine-tune models
  • Per-company AI usage limits enforced via atomic database RPC — no runaway spend
  • System prompts enforce professional scope, Australian English and hard boundaries — no unconstrained generation
  • AI responses are structured (non-streaming JSON), so outputs cannot drift into freeform text
  • Coaches refuse topics outside their mandate and redirect delegates to qualified professionals where appropriate
  • AI errors and anomalies captured via Sentry with PII scrubbing (no turn-by-turn conversation logging)

Privacy and data handling

  • Compliant with the Australian Privacy Act 1988 and Australian Privacy Principles
  • No personal data sold or shared with third parties for commercial purposes
  • Delegate assessment data is aggregated and anonymised in intelligence briefings
  • Export and deletion workflows available on request
  • Sentry error tracking configured to scrub PII: Authorization headers, email addresses, passwords, tokens and secrets
  • Session replay enabled on errors only — no continuous recording

Procurement readiness

  • Reference architecture and deployment diagram available on request
  • Service terms and data processing addendum available on request
  • SLA terms available for institutional partners
  • Security questionnaire responses and DPIA templates available on request
  • Reference calls available for qualified prospects
  • Integration pathway confirmed for your specific HRIS, LMS or identity provider during discovery

Request compliance documentation

Security overview, data processing addendum, SLA terms and procurement templates are available for qualified institutional prospects. Submit an enquiry and select “Compliance documentation” as the enquiry type.

Request Documentation