Security and Compliance

Built for environments where governance isn't optional.

Sophie is designed for regulated service organisations — aged care, healthcare, disability, financial services, education, and government — where the people calling are often vulnerable, the records must be auditable, and the technology must be trustworthy.

This page sets out how Sophie protects your data, governs AI behaviour, and supports your compliance obligations. We're honest about what we have and what's on our roadmap.

Platform security

Enterprise-grade security controls, built in from the start.

Sophie is hosted in Taidotech's Microsoft Azure tenant in the Azure East Australia region. The following security controls are implemented across the platform.

  • Encryption in transit
    All data transmitted between callers, the platform, customer systems, and the Insights Centre is encrypted using TLS 1.2 or higher.
  • Encryption at rest
    All stored data — call recordings, transcripts, structured interaction data, configuration, and audit logs — is encrypted at rest using Azure-managed encryption keys (AES-256).
  • Identity and access
    Microsoft Entra ID for administrative access. OAuth 2.0 token validation for API calls. Role-based access control (RBAC) ensures users only access data and functions appropriate to their role.
  • Multi-factor authentication
    MFA supported and recommended for all Insights Centre and administrative access. SSO integration supported.
  • Least-privilege access
    All Taidotech personnel and automated systems operate under least-privilege principles. Access is scoped to the minimum required for each role or function.
  • Audit logging
    Every administrative action, configuration change, data access, API call, and platform event is logged with timestamps and user attribution. Logs are centrally managed and retained for 18 months.
  • Continuous monitoring
    Platform monitored 24/7 via Azure Monitor and Application Insights. Automated alerting for security events, anomalous activity, and platform health indicators.
  • Secrets management
    Azure Key Vault for secrets, keys, and certificates. Managed identities preferred over stored credentials.
  • Network security
    Platform services isolated within Azure virtual networks. Public endpoints secured with authentication and rate limiting.

Data handling

Your data. Your ownership. Australia.

Sophie is a multi-tenant SaaS platform. Every customer's data is logically isolated at the application layer and is not accessible by other customers. Here's how we handle your data.

  • Data residency
    Taidotech uses commercially reasonable efforts to ensure all customer data is stored and processed within the Azure East Australia region. Data may be accessed from other regions solely for platform support, security incident response, or approved sub-processing activities. We will not intentionally store customer data outside Australia.
  • Data ownership
    You own all your data. Call recordings, transcripts, interaction data, configuration, and audit logs belong to you. Taidotech processes data on your behalf as a data processor under the Privacy Act 1988.
  • Tenant isolation
    Customer data is logically isolated at the application layer. Your data is separated from other customers' data and is not accessible by other organisations using the Sophie platform.
  • Call recordings
    Retained for 2 months from the date of the interaction, then automatically deleted. Extended retention available as an add-on. You can export recordings at any time during the retention period.
  • Transcripts and interaction data
    Retained for 18 months. Includes transcripts, structured summaries, captured interaction fields, alert records, and workflow outcomes.
  • Audit logs
    Retained for 18 months. Includes all platform actions, configuration changes, access logs, and decision records.
  • Data export
    You can request a full export of your data at any time during your subscription — transcripts, interaction data, audit logs, and recordings in standard formats (JSON, CSV, audio files). Fulfilled within 10 business days.
  • Data deletion on termination
    After your subscription ends, you have 30 days to export your data. After that window, or upon your written confirmation that the export is complete, all your data is permanently deleted within 30 days. Written confirmation of deletion is provided.
  • Anonymised use for improvement
    Taidotech may use anonymised, de-identified, aggregated operational data to improve the Sophie platform — for example, improving speech recognition accuracy or conversation effectiveness. No individual customer data, caller-identifiable information, or client records are used without your explicit consent.

Sub-processors

Who we use to deliver the platform.

Sophie relies on third-party services to deliver the platform. These are our current material sub-processors. We maintain this list and will notify customers of material changes with at least 30 days' written notice.

  • Microsoft Azure
    Infrastructure hosting, compute, storage, and platform services. Sophie is hosted in Taidotech's Azure tenant.
    Azure East Australia
  • Azure Communication Services (ACS)
    Call handling, telephony, call routing, and call recording infrastructure.
    Azure East Australia
  • Azure Speech Services
    Real-time speech-to-text (converting caller speech to text) and text-to-speech (converting Sophie's responses to voice).
    Azure East Australia
  • Azure AI Foundry / Azure OpenAI
    AI processing, natural language understanding, and language model inference.
    Azure East Australia (where available; see note below)
  • Azure Monitor and Application Insights
    Platform monitoring, performance diagnostics, security event alerting, and cost tracking.
    Azure East Australia
  • Azure Key Vault
    Secrets, API keys, and certificate management.
    Azure East Australia
  • Telephony carriers
    Inbound phone number provisioning for dedicated customer numbers.
    Australia

Note on Azure AI Foundry / Azure OpenAI: Microsoft's availability of specific AI model inference within Australia East continues to evolve. Taidotech monitors regional availability and will update this disclosure if AI processing requires cross-region routing. We will notify affected customers.

Changes to sub-processors: Taidotech will provide at least 30 days' written notice before adding or replacing a material sub-processor. If you have objections to a proposed change, contact us at info@taidotech.com.au.

Governance

Sophie does not self-modify in production.

In regulated environments, controlled change is not optional — it's a governance requirement. Every change to Sophie's behaviour follows a structured process.

Controlled configuration

All changes to conversation flows, prompts, business rules, triage logic, alerting rules, and integration configuration are managed through a controlled process: proposed, tested in a non-production environment, reviewed, and deployed. Sophie does not learn, adapt, or change her behaviour autonomously.

Version control and rollback

All configuration changes are versioned. Every change records what was changed, when, by whom, and why. Previous versions can be restored if a change produces unintended results. No change is irreversible.

Change visibility

Change history is visible to customers through the Insights Centre, including timestamps, the person who made the change, and the reason. You always know what changed and when.

Deterministic triage

Sophie classifies interactions by urgency using configured rules — not unsupervised AI judgements. Every classification traces to a rule. Ambiguous cases are flagged for human review rather than auto-resolved.

AI governance

Honest about what AI does — and what it doesn't.

  1. Probabilistic outputs require validation

    Sophie uses artificial intelligence, speech recognition, and natural language generation technologies. These technologies are probabilistic and may occasionally produce inaccurate, incomplete, or unintended outputs. Customers remain responsible for validating operational decisions based on platform outputs.

  2. No clinical or professional decision-making

    Sophie is an operational support platform. She does not provide clinical, medical, legal, financial, or emergency decision-making services. Customers retain full responsibility for all operational, clinical, care, welfare, and escalation decisions.

  3. Triage is operational, not clinical

    Where Sophie classifies interactions by urgency, raises alerts, or routes escalations, these are operational support signals based on configured rules. They are not clinical or professional judgements.

  4. Sophie does not replace emergency services

    Sophie is not intended to replace emergency services, emergency response systems, or crisis intervention services. Appropriate emergency escalation procedures must remain in place independent of the platform.

  5. Every AI decision is traceable

    Every interaction classification, escalation trigger, and action Sophie takes is traceable to a configured rule and reviewable in the Insights Centre. There are no black-box decisions.

Regulatory alignment

Designed to support your compliance obligations.

Sophie is designed to support organisations operating under Australian regulatory frameworks. We use careful language throughout: "designed to support" and "aligned to" — not "certified against." Taidotech does not warrant compliance with any specific regulatory standard on behalf of the customer. Customers remain responsible for their own regulatory obligations.

  • Privacy Act 1988 (Cth)
    Designed to support organisations operating under the Privacy Act and the Australian Privacy Principles. Data minimisation, purpose limitation, consent management, and data residency controls are built into the platform.
  • Aged Care Act 2024
    Designed to support providers meeting the Strengthened Quality Standards — particularly governance (Standard 2), documentation, incident management, SIRS-related escalation, and audit trail requirements.
  • NDIS Practice Standards
    Designed to support NDIS providers with incident management, structured documentation, escalation controls, and governance aligned to the NDIS Code of Conduct and Practice Standards.
  • My Health Records Act 2012
    Data handling and access controls are designed to support organisations with My Health Record obligations where applicable.
  • APRA CPS 234 (Information Security)
    Platform security controls — encryption, access control, audit logging, incident reporting — are aligned to the intent of CPS 234. A formal compliance evidence pack is available for Enterprise tier financial services customers on request.
  • ASD Essential Eight
    Platform architecture is designed with Essential Eight strategies in mind, including application control, patching, MFA, and restricting administrative privileges. Formal maturity assessment is on the roadmap.
  • ISO 27001
    Security controls are informed by ISO 27001 principles. Formal certification is on the Taidotech roadmap but not yet achieved.

Important: Formal certifications (ISO 27001, IRAP, SOC 2) are on the Taidotech roadmap and will be communicated as they are achieved. For procurement, risk, or governance review, request our Security and Compliance Summary at info@taidotech.com.au.