ComplyIQ360

Privacy & Security

Privacy & Data Security Statement

Effective Date: 23-May-2025

Last Updated: 20-July-2025

At ComplyIQ360, we are committed to protecting your data privacy and maintaining robust data security standards. This statement outlines how we collect, process, store, and protect your data when you use our services, including the handling of files submitted for compliance checking and analysis. Our current production workflow uses AWS Bedrock-hosted foundation models for AI inference and is designed to keep customer files, generated outputs and AI processing within the AWS Australia region controls available to our service.


📂What Data We Collect

  • Files uploaded by users for standard and report validation
  • Associated metadata (e.g., filename, MIME type, byte size, upload timestamp)
  • Technical usage logs (e.g., timestamps, request IDs)
  • Access audit records (who accessed which file, action taken, timestamp, service context/IP)

We do not access or store any personal or sensitive information beyond what is submitted explicitly via file uploads or user inputs. We recommend not loading any personal information into the app unless it is strictly required for your own compliance objectives.


🔐How We Protect Your Data

  • Regional data residency: All persistent customer files and generated compliance outputs are stored solely in AWS Sydney (ap-southeast-2).
  • Secure uploads via HTTPS: File uploads occur through pre-signed S3 URLs, ensuring encrypted transmission over TLS.
  • Least-privilege & path isolation: Files are stored in isolated, job-specific paths. Access is restricted to the processing functions required to complete the requested analysis.
  • Comprehensive audit logging: Every access event (upload, internal read, model processing preparation, deletion) is logged with a timestamp, actor/service identity and action type.
  • Retention under user control: Uploaded files remain stored until you explicitly delete them via the application or request deletion.

🤖AI Processing via AWS Bedrock

ComplyIQ360 currently uses AWS Bedrock-hosted foundation models for compliance analysis. We do not directly send customer files or prompts to separate external AI provider API accounts from the application workflow. File content is processed through our AWS-hosted backend and submitted to AWS Bedrock only for the purpose of performing the compliance analysis requested by the user.

  • AWS-hosted processing: AI inference is invoked through AWS Bedrock from our AWS environment. Our current configuration is designed around Australian data residency requirements, with persistent files and generated outputs stored in AWS Sydney (ap-southeast-2).
  • No model training on your data: Customer prompts, uploaded files and model outputs submitted through AWS Bedrock are not used to train the underlying foundation models.
  • Transient inference only: Raw file content or textual representations are submitted for model inference only as needed to complete the requested compliance analysis. We do not store full prompt/response transcripts beyond what is necessary to assemble, display, audit and manage the compliance result.
  • Minimisation & scoping: We submit only the content required for the specific compliance analysis you initiate. We do not transmit unrelated stored assets, audit logs, access credentials or encryption keys to the model.
  • Access controls: AI processing is performed by least-privilege backend services. User files remain isolated by job-specific storage paths and are not accessible to other customers.

If our AI processing architecture changes in the future, including use of additional model providers or non-Australian processing locations, this statement will be updated before those changes are applied to production workflows.

AWS Bedrock security & compliance posture

The AI inference layer we rely on is provided by AWS, and the following attestations are held by Amazon Bedrock / AWS rather than by ComplyIQ360. They describe the security posture of the underlying infrastructure our service is built on:

  • Independent audits & reports: Amazon Bedrock is included in the scope of AWS's SOC 1, SOC 2 and SOC 3 reports, supported by extensive third-party audits of AWS controls.
  • ISO certifications: Bedrock is covered under AWS's ISO 9001, 27001, 27017, 27018, 27701, 22301 and 20000 certifications.
  • Other frameworks: Bedrock is in scope for FedRAMP Moderate, is HIPAA eligible, supports use in compliance with the GDPR, and is CSA STAR Level 2 certified.
  • No training on your content: AWS states that content submitted to Amazon Bedrock is not used to improve the base models and is not shared with any model providers.

These are AWS's certifications for the Bedrock service and do not by themselves represent certifications of ComplyIQ360. For the authoritative and current list, refer to AWS's own compliance documentation.


🌍Data Location

Persistent storage: All customer-uploaded files and generated compliance outputs are stored exclusively in AWS Sydney (ap-southeast-2).
AI processing: Our current production workflow performs AI inference through AWS Bedrock from our AWS-hosted backend and is designed to support Australian data residency requirements. We do not directly route customer files to separate external AI provider API accounts outside this Bedrock-based workflow.


⏱️Retention & Deletion

  • User-initiated deletion: When you delete a file (or request deletion) the primary object is queued for secure removal from S3. Deletions propagate through internal caches/process queues.
  • Post-deletion residual metadata: After file deletion we retain only minimal operational metadata (job ID, anonymised or hashed file name, size, MIME type, processing timestamps, model usage metrics, and audit log references) for billing, security forensics and capacity planning. This metadata is decoupled from file contents and contains no recoverable original content.
  • Audit logs: Access audit entries (without file content) are retained up to 12 months, then purged or anonymised.
  • AWS Bedrock inference: Customer prompts, uploaded file content and model outputs submitted through AWS Bedrock are used for transient inference and are not used to train foundation models. Our retained copies are governed by the user-initiated deletion, metadata and audit-log rules described above.

📜Your Rights and Choices

You may request:

  • Deletion of your uploaded content
  • An access summary (audit log) of actions taken on your files
  • Clarification about data processing & regional handling

Please contact info@complyiq360.com for any privacy-related concerns or to exercise your rights.

Note: This statement describes the current ComplyIQ360 production workflow. It is intended as a plain-English privacy and security summary and should be reviewed by a qualified legal/privacy adviser before being relied on as a formal legal policy.