
Trust, Security & Privacy

Last modified on 29 January 2026

When it comes to adopting new technology, we know that data privacy and security are at the forefront of everyone’s mind, especially when it comes to AI. It’s one of the most frequent and important topics we discuss with our customers.

At Brokernote, we treat security as a core feature. We understand that our customers entrust us with sensitive data, and we are committed to protecting that information through rigorous security standards, transparent privacy practices, and responsible AI deployment.

Our commitment is clear: We recognise the critical nature of data security and have dedicated resources and processes to safeguarding your privacy. Your data remains your data.

1. Security Architecture & Infrastructure

We employ a defense-in-depth strategy to protect your data at every layer, hosted entirely within Australia.

Infrastructure & Cloud Security

Our platform is hosted on Microsoft Azure, utilising a modern serverless architecture that inherits the highest standards of physical and network security.

  • Tier-1 Cloud Providers: All backend processing and storage occur within Microsoft Azure's secure data centres, compliant with ISO 27001, SOC 2 Type II, and FedRAMP standards.
  • Network Protection: We reinforce security by interfacing our product with a backend API fortified with industry-standard security practices. This includes secure access controls, strict IP filtering, and DDoS protection.
  • Serverless Isolation: Our compute workloads run in ephemeral, isolated environments, minimising the attack surface and eliminating the risks associated with long-lived servers.
  • Data stays in Australia: We ensure application data remains within Australian borders, including our application logic, databases, and AI models, to meet data sovereignty requirements.
  • Modern Scalable Architecture: Our applications efficiently handle increases in workloads automatically, ensuring stable availability and performance.

Data Protection

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using strong TLS 1.2+ protocols (HTTPS).
  • Encryption at Rest: Your data is encrypted using 256-bit AES encryption (FIPS 140-2 compliant) while stored in our databases and storage systems.
  • Access Control: We enforce strict Role-Based Access Control (RBAC) and the Principle of Least Privilege across our internal systems. Access to production environments is restricted to authorised personnel and is logged and audited.

Authentication & Payments

  • Identity Management: We partner with Clerk, an industry-leading identity provider, to handle user authentication. This ensures robust protection against credential attacks and supports Multi-Factor Authentication (MFA).
  • Secure Payments: All payment processing is handled by Stripe, a PCI Service Provider Level 1. Brokernote never stores or processes your full credit card information.

2. Responsible AI & Ethics

We leverage advanced Large Language Models (LLMs) to power our processing capabilities. We are committed to using this technology ethically and safely.

Alignment with Organisational AI Principles

Our products are designed to align with the core principles of modern organisations:

  • Transparency: We are transparent about our usage of AI, ensuring users comprehend how AI aids in solving problems within their workflows.
  • Inclusivity and Empowerment: Our platform is developed to be unbiased and equitable, providing fact-based outputs that empower teams to deliver superior client services.
  • Data Privacy and Security: We adhere to the highest industry standards. Our models do not ingest user data for training, ensuring the integrity and confidentiality of your information.
  • Mission-Driven: We are fundamentally committed to enhancing the quality of services provided by our clients. By automating manual processes, we enable teams to concentrate on high-value activities.
  • Explainable AI: We prioritise solutions that are comprehensible and relevant. Our commitment to explainable AI ensures that users can easily understand and utilise our technology.

3. FAQ

Below you will find answers to our most commonly asked questions. We are committed to maintaining a high standard of data security and privacy. If you have any further questions or concerns, feel free to reach out, and we will be happy to provide additional details or clarifications.

AI Technology & Usage

Our products leverage AI technologies, including leading-edge Large Language Models (LLMs), renowned for their capabilities in natural language processing. A critical aspect of our approach is the prioritisation of privacy and security throughout the model selection process. We commit to transitioning between models only when we can ensure adherence to our rigorous standards of data protection and security compliance.

Not currently. Our products treat inputs verbatim. They may reformat, structure, and re-combine information to improve clarity; however, no new content is "invented" or created.

Not currently. Our products process data and produce predictable outputs. They do not interpret content nor do they function in any advisory, predictive, or recommending capacity.

Organisations primarily use our products to replace manual effort in creating similar outputs, optimising internal workflows and improving overall productivity. Brokernote’s services leverage advanced AI to tackle time-consuming document formatting and processing tasks. By automating these tasks, we enable organisations to concentrate on client service and other strategic activities.

Yes. For creation, enhancement, and testing of our products, we exclusively use data that is either produced internally or acquired from external sources with explicit permissions. Whenever external data is employed, we secure express consent from data owners, ensuring full compliance with IP rights and data protection laws. We have implemented robust measures—including vetting processes and legal compliance checks—to prevent unauthorised use of third-party intellectual property.

We are dedicated to providing outputs of the highest quality. We have established a comprehensive testing process and a robust body of test data that closely simulates real-world scenarios. Regular testing cycles verify the fitness of our models.
However, we recognise the inherent limitations of current AI technologies. To protect against potential inaccuracies, all outputs require review. They should not be directly used or relied upon as a substitute for advice or as a basis for a business, financial or insurance decision. We advocate for a collaborative approach that combines our products with human expertise to achieve the best possible outcomes.

Our policy is built upon several foundational principles:

  1. Responsible Use: AI should be beneficial and avoid harm.
  2. Bias Mitigation: We strive to develop solutions that are as unbiased as possible and essentially fact-based.
  3. Customer-Centric Experience: We ensure solutions are accessible, easy to use, and customised to client needs.
  4. Continuous Improvement: We engage with the AI community and keep up-to-date with the latest research in AI ethics.

Data Privacy & Sovereignty

Our products access documents and text inputs provided by the user via our user interface or API endpoints for the specific purpose of processing that request.

You retain full ownership of all data you upload to Brokernote. We act solely as a data processor.

Access to application data is strictly restricted. Only a limited number of authorised Brokernote engineering staff have access, and only when necessary for maintenance, security, or troubleshooting purposes (Principle of Least Privilege). All access is logged. We do not provide third-party access to your data.

Data processing takes place exclusively in Australia. All infrastructure, including our application logic, databases, and AI models, is hosted in Australian Azure regions (e.g., Australia East). This ensures your data remains within Australian borders to meet data sovereignty requirements.

We operate on a principle of minimal retention.

  • Processing Data: Inputs and generated outputs are retained only for the duration necessary to provide the service (maximum 48 hours), after which they are automatically and permanently deleted from our processing systems.
  • Account Data: Minimal account information (email, billing history) is retained for active subscriptions in accordance with legal and accounting standards.

No, as the products do not collect any non-essential personal data, there is no need for an opt-out process. We only process data you explicitly submit for processing and minimal account data required to provide the service.

Our system logs capture metadata regarding system performance, error rates, and usage statistics to ensure stability and security. We do not log the contents of your documents or the text inputs you provide for processing.

Security & Compliance

All data is considered sensitive. It is protected during transmission using HTTPS and SSL protocols. At rest, data is encrypted and decrypted transparently using 256-bit AES encryption (FIPS 140-2 compliant).

Yes. The products undergo regular internal security assessments and automated vulnerability scanning to ensure compliance with industry standards. We also employ continuous monitoring and alerting for potential security issues.

We currently do not hold SOC 2, ISO 27001, or PCI compliance certificates ourselves. However, the technology vendors we work with—Microsoft Azure, Vercel, Clerk, and Stripe—are fully compliant with these standards. You can visit the trust centers of our key technology partners for more information on their certifications.

Operational Reliability & Access

Our infrastructure is fully serverless, and our deployment practices adhere to modern standards enabling continuous development and deployments. In the event of a significant disruption, we have documented business continuity plans to rapidly redeploy our environment.

Our modern scalable architecture efficiently handles increases in workloads automatically, ensuring stable availability and performance.

We utilise Point-in-Time Recovery (PITR) for our databases, allowing us to restore data to any second within the retention window. Our storage systems are configured for redundancy to protect against hardware failures.

We follow a structured incident response framework:

  1. Preparation: Continuous monitoring.
  2. Detection & Analysis: Immediate triage of alerts.
  3. Containment & Recovery: Isolating systems and restoring service.
  4. Post-Incident: Analysis to prevent recurrence.

We are committed to providing timely support and transparent communication in the event of an incident.

We utilise a strict Continuous Integration/Continuous Deployment (CI/CD) pipeline. Every code change undergoes automated testing (unit and integration), human and AI-powered reviews, and static security analysis before being deployed to a staging environment for final verification.

Users access our products primarily through our secure web-based interface (SaaS) utilising modern web browsers. We also provide secure API endpoints for organisations requiring programmatic integration.

Brokernote provides administrators with granular control through a Hierarchical Settings model and a comprehensive Role-Based Access system. This ensures brand consistency while maintaining security.

Hierarchical Settings Model

We use a three-level hierarchy to manage configuration:

  • System Default: Sensible defaults (e.g., standard margins) provided out-of-the-box.
  • Organisation (Admin): Settings configured by the Org Admin that represent your "Company Brand." These override system defaults. Admins can lock specific settings (e.g., Font Family) to ensure strict adherence to brand guidelines, preventing users from changing them.
  • User (Member): Personal preferences. User settings can only override Organisation settings if the Admin has not locked that specific setting.
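
A minimal resolver for the three-level precedence described above, added here as an illustration and not Brokernote's own code; the setting names, values and function names are constructed. It re-checks locks when settings are read as well as when they are written, so a member preference saved before an admin locked the setting stops applying.

```python
from dataclasses import dataclass, field

# Constructed system defaults; the keys are illustrative, not the product's schema.
SYSTEM_DEFAULTS = {"font_family": "Arial", "margin_mm": 25, "disclaimer": ""}


@dataclass
class OrgSettings:
    values: dict = field(default_factory=dict)  # set by the Organisation Admin
    locked: set = field(default_factory=set)    # keys members may not override


def resolve(org, user_values):
    """Return {key: (value, source_layer)} for every known setting."""
    effective = {}
    for key, default in SYSTEM_DEFAULTS.items():
        value, source = default, "system"
        if key in org.values:
            value, source = org.values[key], "organisation"
        # The lock is enforced at read time: a stale user value is ignored.
        if key in user_values and key not in org.locked:
            value, source = user_values[key], "user"
        effective[key] = (value, source)
    return effective


def apply_user_update(org, user_values, changes):
    """Server-side write check: reject an update touching a locked or unknown key."""
    blocked = sorted(k for k in changes if k in org.locked or k not in SYSTEM_DEFAULTS)
    if blocked:
        raise PermissionError(f"settings not writable by member: {blocked}")
    return {**user_values, **changes}


if __name__ == "__main__":
    # The admin sets the brand font and locks it; "disclaimer" is locked with no org value.
    org = OrgSettings(values={"font_family": "Georgia"},
                      locked={"font_family", "disclaimer"})
    # The member saved these before the lock existed (constructed sample).
    stale_user = {"font_family": "Comic Sans MS", "margin_mm": 20}
    for key, (value, source) in resolve(org, stale_user).items():
        print(f"{key:12} {value!r:10} from {source}")
```

A locked key with no organisation value falls through to the system default, and the member still cannot change it.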

Role-Based Management

We provide 2 distinct organisational roles:

Organisation Admin:
  • Billing Access: Can purchase licenses, view invoices, and update payment methods.
  • User Management: Can invite new users and assign/revoke licenses.
  • Settings Control: Configures "Organisation Settings" (branding, disclaimers, policy locks).
  • Tool Access: Has access to all tools (e.g., Reformatter) provided they have an active license.

Member:
  • Tool Access: Can use all tools provided they have an active license.
  • Personal Settings: Can configure personal preferences, but these may be overridden by locked Organisation settings.
  • Restricted: Cannot see billing information, manage other users, or change company-wide branding.

Access is restricted via our authentication provider (Clerk). Administrators can revoke access for specific users within their organisation at any time. Additionally, our API access requires unique, revocable API keys.

