Trust Centre · Security & compliance

Compliance, the honest version.

We’re a small Aotearoa team, so here’s the straight version: how we handle your data, and where we land on the questions procurement always asks. The law that governs your data comes first. An honest read on SOC 2 sits below.

01 · Built for Aotearoa first

The compliance that already governs your data.

For a New Zealand buyer, this is the part that matters most. None of it is aspirational — it is how assembl is built and run today.

Privacy Act 2020, including IPP 3A

We are built to New Zealand's Privacy Act 2020. Where personal information arrives indirectly, our workflows let a named human record the source, purpose, and notice — the new IPP 3A obligation in force from 1 May 2026. This is the law your data actually lives under.

Data residency — Sydney region

Customer records are stored in the Sydney (ap-southeast-2) region — the closest major cloud region to Aotearoa — with row-level security, encryption in transit and at rest, restricted service credentials, and audit logging on every access. Model calls are handled separately and covered in our AI use disclosure.

Te Tiriti commitments in the design

Te Tiriti and tikanga values shape how the agents are built — the four pou guide data handling, review, and accountability in the prompt design itself. This is a statement about how we build, not a claim of endorsement by anyone.

Draft-only by design

No external action is sent automatically. Every material output stays a draft until a named human reviews and approves it. Autonomy is not the promise; a reviewed first pass is.

An evidence pack on every output

Each workflow ends in an evidence pack — a downloadable bundle of the sources, assumptions, reviewer decisions, and timestamps behind that specific result. You can hand it to an auditor or a client. It proves the actual decision, not just the company behind it.

Tenant isolation & audit logging

Each customer's data sits in tenant-scoped systems with row-level security and a complete audit trail. The controls that a security review asks about are in production today, not waiting on a certificate.

More detail: Privacy Statement · AI use disclosure · Te Tiriti statement.

02 · SOC 2 — on the roadmap

Honest about where SOC 2 sits.

SOC 2 is on our roadmap, not underway — and we will not pretend otherwise. We are a focused NZ startup; our current posture maps to the AICPA Trust Services Criteria across security, availability, confidentiality, and privacy. We will book the formal audit once a customer deal genuinely calls for it. For New Zealand buyers, the Privacy Act 2020 carries more weight in the meantime.

Worth knowing how SOC 2 actually works: a Type 1 report says that, on one day, the controls were designed appropriately. It does not say they worked over time — a Type 2 says that. So a single Type 1 tick is a narrower claim than it sounds. The per-output evidence pack above gives your auditor something a company-level report cannot: a verifiable record of the actual decision.

03 · For procurement teams

Ask for the security pack.

If you need specifics before signing, we share a security pack under NDA: a control summary, our architecture posture, the sub-processor list, and a data flow diagram. It is specific, signed, and honest about what is in place today.

Request the security pack

Shared under NDA. We reply from security@assembl.co.nz.