Trust Center · Updated April 2026

How we handle your data.

Where your data lives, what we will and will not do, and the principles that govern every system we deploy.

The principles

Your data stays yours.

We do not train any AI model on your data. Ever.

When we deploy an AI system in your business, your data flows through it under standard commercial agreements with the underlying providers - all selected on terms that prohibit training on your data, with zero-retention options used wherever a provider offers them.

We hold no rights to your business data, your customer data, or any output produced by systems we build for you. Everything we touch is yours.

Minimum data, minimum surface area.

Every system we build follows the same rule: collect the minimum data needed to do the job, store it for the minimum time required, and expose it to the minimum number of people. We do not build "AI all the things" architectures. We build narrow, purposeful systems with clear data boundaries.

Australian-first.

NxtLayr operates under Australian jurisdiction. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).

Where possible, client data is processed and stored in Australian data regions. Where the chosen AI provider only offers regions outside Australia, we disclose that explicitly during the audit and let you decide.

No black boxes.

We will not deploy a system in your business that we cannot explain. Every workflow, agent, and automation is documented. You receive the architecture, the prompts, the integrations, and the operating instructions. If we walked away tomorrow, your team would understand exactly what is running and how.

Our provider posture

Not loyal to any single provider. We re-evaluate quarterly.

We build on enterprise-grade AI and cloud providers, chosen per engagement on three non-negotiables: your data is never used to train their models, zero-retention options are used wherever available, and Australian data regions are selected where the provider supports them.

We are deliberately not locked to one vendor - we pick the right tool for each job and re-evaluate the stack quarterly as the market moves.

If your industry has compliance constraints (financial services, healthcare, legal), tell us during the audit and we adjust the stack accordingly. The specific providers in your build are documented for you in your engagement - we just don't publish our full stack on a public page.

How we operate

Inside your business.

Access principles

  • We only request access to systems we are actively building in. No "all access" credentials.
  • All credentials held by us are stored in a dedicated, access-controlled password manager, with shared-vault access scoped to the engagement.
  • When an engagement ends, we offboard credentials within 7 days and confirm in writing.

Our team

  • All NxtLayr work is performed by Australian-based contractors and the founder. No offshore data handling.
  • Every contractor signs a confidentiality agreement before being granted access to any client system.
  • Background checks on contractors with access to financial systems or customer PII.

Incidents

If we discover a vulnerability, breach, or data incident in any system we built or operate for you, we notify you within 24 hours of discovery, not 72 hours and not "as soon as practicable." We hold professional indemnity insurance covering the work we deliver.

Hard nos

We will not:

  • Train any AI model on your data
  • Sell, share, or commercially exploit your data
  • Build systems that lack a clear "off switch"
  • Connect a client's system to another client's system without explicit permission from both
  • Use customer voice recordings for marketing without consent
  • Deploy AI in customer-facing channels without your explicit sign-off on the conversation patterns
Compliance

Our standing on the frameworks that matter.

StandardOur position
Australian Privacy Act 1988Compliant. We voluntarily apply APP standards to all engagements regardless of threshold.
GDPR (EU)Aligned. Architectural patterns meet GDPR data-handling principles.
HIPAA (US Healthcare)Not applicable. We do not serve US healthcare clients.
PCI-DSSWe do not handle payment card data. All payments route through Stripe (PCI-DSS Level 1 certified).
ISO 27001Not certified. Targeting alignment by mid-2027.
ACSC Essential EightImplemented at Maturity Level 1; tracking toward Level 2.
Ownership

What's yours. What AI can and can't do.

What you own

Everything we build for you is yours from the moment it is delivered. Source code, configurations, integrations, prompt libraries, documentation, data, and outputs. Yours to keep, modify, or take elsewhere.

If we walked away tomorrow, your team could continue operating every system using the documentation we leave behind. We do not engineer dependence as a retention mechanism.

A word on AI outputs

AI systems are non-deterministic. They occasionally produce incorrect, biased, or unexpected outputs. We design every system with appropriate safeguards (human-review checkpoints, confidence thresholds, conservative defaults) but the responsibility for verifying AI outputs before customer-facing or compliance-sensitive use remains with your business.

We are AI consultants, not lawyers, registered tax agents, medical practitioners, or financial advisors. Where AI systems intersect with regulated domains, the relevant professional standards remain your responsibility. We flag these intersections during the audit and design systems with human-in-the-loop checkpoints where required.

Insurance & engagement terms

NxtLayr AI holds professional indemnity insurance covering work delivered. Specific commercial terms, including any liability provisions, are defined in each client's engagement letter or Statement of Work, not published on this website.

Certificate of currency for our professional indemnity insurance is available to clients on request during procurement.

Trust questions

Ask us anything.

Security, compliance, or trust questions: [email protected]
For incident reporting: same address, subject line beginning "INCIDENT".