Security & compliance

Built for clients who are
audited for a living.

Our clients include government agencies, institutional investors, and organisations working on sensitive strategic questions. We build and operate accordingly — and most engagements never put your data in our hands at all.

Jurisdiction

Australian data residency

Hosting

We host no client data

Encryption

TLS 1.2+ · AES-256

Oversight

Human-in-the-loop

The platform-hosting terms below apply to existing platform clients. Methodology engagements run in client-controlled environments — cloud or sovereign — and Dragonfly hosts no client data.

Data sovereignty

We are an Australian company, committed to keeping client data within Australian jurisdiction. Our infrastructure and data processing are designed to meet the expectations of Australian government and institutional clients on data residency and sovereignty.

Encryption

In transit

TLS 1.2 or higher. All data between your browser and our services is encrypted in transit.

At rest

AES-256 or equivalent cloud-provider encryption for data stored on our platform.

Authentication & access control
  • Platform access requires authenticated accounts with secure credentials.
  • Access to client data is restricted to authorised personnel on a need-to-know basis.
  • Administrative access to infrastructure is protected by multi-factor authentication.
  • Access permissions are reviewed regularly and revoked promptly when no longer required.
Infrastructure security

Our platform runs on enterprise-grade cloud infrastructure with network isolation, automated security patching, and continuous monitoring. We use managed services from providers with established certifications — SOC 2, ISO 27001 — to minimise operational risk.

Application security
  • Secure development practices with code review for all changes.
  • Dependency monitoring and regular patching of third-party libraries.
  • Input validation and output encoding to prevent injection and cross-site scripting.
  • Regular security testing of the platform.
AI model security

Our platform uses large language models as part of its analytical pipeline. We apply the following safeguards:

  • Client data submitted for analysis is never used to train or fine-tune AI models.
  • We use enterprise-tier API agreements with model providers that include data-protection commitments.
  • Analytical outputs include traceable reasoning, so users can verify and audit the basis for any conclusion.
  • Human oversight is a core design principle — the platform supports decisions, it does not make them.
Compliance
  • Australian Privacy Act 1988 and the Australian Privacy Principles.
  • Relevant Australian Government information-security frameworks.

We are actively working toward formal security certifications appropriate for our government and institutional client base. If you have specific compliance requirements, we are happy to discuss how we can meet them.

Incident response

We maintain an incident-response process for identifying, containing, and resolving security incidents. In the event of a data breach affecting your information, we will notify affected parties and the relevant authorities in accordance with the Notifiable Data Breaches scheme under the Privacy Act.