Security & subprocessor register
Pilot disclosure page. Authoritative engineering register: docs/SUBPROCESSORS.md in the Govern repository (v1.2).
Tenant isolation
Each customer organisation has a separate workspace. PIAs, registry entries, assessments, review sessions, and audit events belong to your organisation only — not a shared thread with other customers.
The workspace API checks organisation membership on every request. Tenant data in our database uses row-level security so authenticated users cannot read another organisation’s records.
The regulatory corpus (OAIC excerpts and similar reference material) is platform-wide. It is not your PIA content and is not mixed into other tenants’ workspaces.
Data at rest vs processing
Customer workspace content (PIAs, assessments, review sessions, registry) is stored in Supabase (configure production for Australia Sydney where aligned with platform posture).
Workspace API compute runs on Fly.io in the Sydney region. Static pages and public funnel handlers are delivered via Vercel.
Cross-border processing: PIA drafting, review, governance chat, and the public health-check report send text to Anthropic (United States and other regions per vendor). When regulatory or evidence retrieval is enabled, excerpt text is sent to an embedding provider configured on the workspace API — OpenAI in the current pilot. We do not claim all processing stays in Australia.
Model routing
The workspace API routes completion and embedding calls through a model router (LiteLLM). Providers and model names are set via deployment configuration on Fly.io — they may change between environments without a product code release.
Current pilot: completions → Anthropic (Claude); retrieval embeddings → OpenAI. Alternate providers are supported when configured. Google Gemini is not used in Govern.
AI models — no training on your content
We do not use customer governance documents, questionnaires, or chat content to train Abilitix models.
AI completions use Anthropic commercial APIs (Claude) — including Generate PIA, PIA review, governance chat, and the public readiness funnel. Retrieval embeddings use a separate commercial API provider (currently OpenAI). We do not fine-tune or train models on your workspace content in this product. Retention and subprocessing are governed by our agreements and each vendor’s published API policies — confirm against your DPA before piloting.
See Privacy Policy and Terms of Service.
Subprocessor summary
| Provider | Role |
|---|---|
| Supabase | Database, auth, tenant storage |
| Fly.io (Sydney) | Workspace API |
| Vercel | Static site, Edge funnel APIs |
| Anthropic | Completions & public funnel (cross-border) |
| OpenAI | Retrieval embeddings (cross-border) — current pilot; configurable via workspace API |
Completion and embedding subprocessors are routed via LiteLLM on the workspace API and may differ by deployment. Stripe (billing) is planned — not active in this pilot slice. Listen/Ask subprocessors are separate products (Listen may use Gemini; Govern does not).