Sovereign by default. Evidence-ready by design.

Every output runs the same five steps: Kahu → Iho → Tā → Mahara → Mana. Kahu takes the request and masks the personal details first. Iho picks the right agent and model. Tā drafts the work with every source cited inline. Mahara is where someone in your team reads it and decides. Mana seals the receipt with their name on it. The personal details are masked before any model call — the model never sees a real name.

Your data lives in Sydney today. Not in the US. It is the closest major cloud region to Aotearoa, and an NZ-resident option is on the way — we are confirming the region with our infra team now. Models may sit offshore, but they only ever see masked content. Your raw data stays put.

Here is every company that can touch your data — where they sit, what they do, and the contract that binds them. We check this list every week. Every change shows up in the log below.

What is true today, not what we hope for. If a certification is not done, we say so. We would rather tell you we are on the way than pretend we have arrived.

• Privacy Act 2020 (NZ)

  Live

  This is the law your data actually lives under. We run to the Privacy Act 2020, including the new IPP 3A rules from 1 May 2026. Our Privacy Statement spells out what we collect and how to complain.

• NZISM alignment

  In progress

  We line our controls up against the NZ Information Security Manual. It is our own honest read, not a government tick.

• SOC 2 Type 1

  Planned

  Not done yet, and we won't pretend otherwise. We are scoping a SOC 2 Type 1 readiness check. The moment we engage an auditor, their name and the date land right here.

  Auditor and date: coming.

• ISO 27001

  Planned

  Not certified. It is next after SOC 2. We won't claim it until an auditor has signed off — full stop.

  Lined up after SOC 2.

Every output ends in an evidence pack — a downloadable bundle of PDFs. Sources, decisions, who signed off, and when. Show it to a regulator, an auditor, or a client, and they don’t have to take your word for anything.

Under the hood we call it a Mana Receipt. It’s Ed25519-signed, so any tampering shows. Paste one into our public verifier and check it yourself.

• At rest

  Stored data is encrypted with AES-256. A stolen disk reads as noise.

• In transit

  Every connection runs on TLS 1.3. Nothing travels in the clear.

• Key management

  Our infra providers hold the keys, kept apart from the data they unlock. The app code never sees them.

72 hours, not “eventually.” The Privacy Act 2020 asks for notice “as soon as practicable.” We hold ourselves tighter: you and the Privacy Commissioner hear from us within 72 hours of us knowing.

You decide how long we keep things. By default, evidence packs stay as long as your contract needs — usually to match your own tax or audit rules. Ask us to delete your data and we do, unless a law makes us hold it.

• • By default: kept as long as your contract and record-keeping rules need.
• • Your call: dial the window up or down per workspace.
• • Deletion: ask, we remove it, then confirm it’s gone.

• Row-level security

  Every record is fenced to its tenant. One customer simply can't read another's.

• Role-based access

  Inside your workspace, people see what their role allows — and nothing past it.

• Founder allowlist

  The riskiest outputs wait behind a named person. Nothing sensitive ships without them.

The agents draft. People decide. Te Tiriti commitments and tikanga values shape how we build them and how they handle your data.

• Draft-only. No agent sends, posts, or files anything on its own.
• A named person reads every draft and accepts, edits, or bins it.
• Nothing leaves your workspace until someone signs it off.
• Your data never trains a public model. Ever.

• 17 Jun 2026First publication of this Trust Centre and the sub-processor list.