Australia data sovereignty

Keep the AI layer inside the controls you already run in Australia.

In Australia, data sovereignty is usually shorthand for a bundle of concerns, not one statute. Privacy Act obligations. Australian Privacy Principles. Cross-border disclosure under APP 8. Notifiable Data Breaches. Consumer Data Right in regulated sectors. Government hosting expectations. Procurement questions about offshore support access. Invisibles is designed to keep that answer simple. The software deploys into your own AWS or Azure account, under your IAM and security boundary. If your organisation already runs in AWS Sydney or Azure Australia East, Invisibles can run there too. Your logs, secrets, and control plane stay in your environment. Your existing APP-aligned controls, retention rules, and access-review processes can continue to apply.

APP 8 and cross-border disclosure.

For many Australian buyers, APP 8 is the first real pressure point. If personal information is disclosed overseas, what accountability follows? What due diligence is required? What contractual and technical safeguards exist? AI tools often create this problem by default because the product itself is hosted offshore and the customer has little visibility into where data goes next.

Invisibles reduces that uncertainty. The application runtime sits in your own AWS or Azure account, in the region you choose. You can keep the primary AI application layer in Australia if that is the policy requirement. Cross-border analysis may still be needed depending on the model provider or sub-processors you enable, but the architecture avoids creating an unnecessary second perimeter outside your control. That is a materially better starting point for APP 8 review.

APP 11 and reasonable security steps.

APP 11 requires organisations to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. In practice, security teams want to see concrete controls, not only policy language.

Invisibles provides those controls at the application layer. Field-level masking uses AWS Comprehend on AWS or Microsoft Presidio on Azure before data reaches the model. Structured tokenization replaces values with ephemeral handles stored with a 15-minute TTL in DynamoDB or Cosmos DB. Prompt-injection defenses help prevent unsafe tool invocation and data leakage. Immutable audit records every run and can be exported to CSV, S3, or Splunk. Those are the kinds of technical measures Australian privacy and security teams expect to see when they ask how an AI system is actually governed.
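The masking-then-tokenization round trip described above, as an added illustration written for this page rather than Invisibles' own code: an in-memory dict stands in for the DynamoDB or Cosmos DB handle table, the 15-minute TTL is enforced when model output is detokenized, and the caller names the sensitive fields because Comprehend or Presidio cannot run offline. Every run is appended to a simple audit list in the spirit of the immutable audit the page describes.

```python
"""Ephemeral tokenization with a 15-minute TTL (added example, not Invisibles' code).
An in-memory dict stands in for the DynamoDB / Cosmos DB table; the caller names the
sensitive fields because Comprehend / Presidio cannot run offline."""
import re
import secrets
import time

TTL_SECONDS = 15 * 60  # the page states handles live for 15 minutes
HANDLE_RE = re.compile(r"<tok_[0-9a-f]{16}>")


class TokenVault:
    """Maps ephemeral handles to original values and expires them after the TTL."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so expiry is testable
        self._store = {}     # handle -> (original value, expiry timestamp)
        self.audit = []      # append-only run log: (timestamp, action, detail)

    def tokenize(self, record, sensitive_fields):
        """Return a copy of record with sensitive values replaced by handles."""
        now = self._clock()
        out = dict(record)
        masked = []
        for field in sensitive_fields:
            if field in out:
                handle = f"<tok_{secrets.token_hex(8)}>"
                self._store[handle] = (out[field], now + TTL_SECONDS)
                out[field] = handle
                masked.append(field)
        self.audit.append((now, "tokenize", masked))
        return out  # only this copy should reach the model provider

    def detokenize(self, text):
        """Restore handles in model output; expired or unknown ones become [EXPIRED]."""
        now = self._clock()
        expired = 0

        def swap(match):
            nonlocal expired
            entry = self._store.get(match.group(0))
            if entry is None or entry[1] <= now:
                self._store.pop(match.group(0), None)  # drop the stale mapping
                expired += 1
                return "[EXPIRED]"
            return entry[0]

        restored = HANDLE_RE.sub(swap, text)
        self.audit.append((now, "detokenize", {"expired": expired}))
        return restored
```

The constructed record below is sample data only; a real deployment would store handles in the regional DynamoDB or Cosmos DB table with its native TTL rather than in process memory.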

Data sovereignty is also a procurement and government question.

Australian enterprises, universities, and public-sector-adjacent organisations often use sovereignty more broadly than the Privacy Act alone. They may need local hosting, local control of keys, restricted support access, or alignment with cloud environments already used in government or regulated settings. Some buyers will ask about IRAP-assessed environments or hosted government cloud concerns even if the project itself is not a government deployment.

The right answer here is careful, not inflated. Invisibles is designed to run inside your own AWS or Azure account, including Australian regions such as AWS Sydney or Azure Australia East, under your own IAM and security controls. Customers already operating in APP-aligned, regulated, or government-sensitive environments can extend those controls to the AI layer. Invisibles itself does not claim a government certification or assessment it does not have.

Consumer Data Right and sector-specific sensitivity.

In sectors touched by the Consumer Data Right or other sectoral obligations, the issue is often not whether AI is allowed. It is whether the organisation can prove that access, use, and disclosure stayed within the rules of the program. That requires more than a chatbot. It requires a governed application layer.

Prompts, Skills, Data Context Mappings, Agents, and Audit give you that structure. A Prompt can be limited to the exact fields needed. A Skill can be restricted to approved users or channels. Audit can show what happened. That matters in financial services, energy, and other sectors where data handling needs to be demonstrable, not merely asserted.

Breach notification and operational readiness.

Australia's Notifiable Data Breaches regime means organisations need to know when something happened, what data was involved, and how quickly they can investigate. AI systems become a problem when they are opaque. If a user pasted data into an unmanaged tool, the investigation starts with guesswork.

Invisibles is designed to avoid that opacity. The system runs in your own environment. Audit records runs and actions. Access is governed by your IAM. Logs can be exported into your existing monitoring and incident-response stack. That does not replace your own breach-assessment obligations, but it gives security teams a much better evidentiary base when they need to act quickly.

Australian privacy law continues to evolve — the Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy and expanded children's privacy protections, and more reforms are expected. Customers should assess this architecture against current Privacy Act provisions and any sector-specific rules that apply to their environment.

How each Australian obligation maps to a product mechanism.

APP 8 cross-border concerns: customer-region deployment and customer choice over sub-processors.
APP 11 security obligations: masking, tokenization, prompt-injection defenses, and immutable audit.
Government and procurement concerns: customer-cloud deployment, customer IAM, and no standing access for Invisibles.
Consumer Data Right and sectoral governance concerns: pinned Data Context Mappings, permissioned Skills, and exportable evidence.
NDB breach readiness: audit as a control plane, and logs that can flow into your own incident-response environment.

Questions Australian buyers ask.

Can Invisibles run in Australia-only cloud regions?

Yes. You deploy in your own AWS or Azure account in Australian regions such as AWS Sydney (ap-southeast-2) or Azure Australia East, subject to your own cloud architecture choices.

Does Invisibles eliminate APP 8 cross-border disclosure concerns?

No, but it reduces them materially. The main application layer can stay in your own Australian cloud environment, and any remaining cross-border analysis focuses on the specific sub-processors or model providers you enable.

How does Invisibles support APP 11 security obligations?

With concrete technical controls: field-level masking via AWS Comprehend or Microsoft Presidio, structured tokenization with a 15-minute TTL, prompt-injection defenses, and immutable audit exportable to your own S3 or Splunk.

Is Invisibles suitable for government-sensitive or IRAP-conscious environments?

It is designed to support customers operating in those environments. The software runs in your own cloud boundary and under your controls. Invisibles itself does not claim any government certification or IRAP assessment.

What about breach notification readiness under the NDB scheme?

Invisibles improves evidentiary readiness. Audit logs, customer-controlled deployment, and exportable records help security teams investigate and assess incidents faster — which is what the NDB assessment actually requires.

Does Invisibles have standing access to our data?

No. Invisibles has no standing access to customer data because the software runs in your own AWS or Azure account under your IAM. Any support access would need to be explicitly granted by you and is logged in the audit trail.

This page is for informational purposes only and is not legal advice. A Data Processing Addendum is available on request; email security@invisibles.app. Customers should review their specific obligations with their own privacy, legal, and compliance counsel.

Running a procurement or APP 11 review?

Book 30 minutes. We walk through AWS Sydney or Azure Australia East deployment, APP 8 and APP 11 alignment, and the evidence pack your security team will need.