Trust Center · Updated April 2026
Where your data lives, what we will and will not do, and the principles that govern every system we deploy.
We do not train any AI model on your data. Ever.
When we deploy an AI system in your business, your data flows through it under standard commercial agreements with the underlying providers - all selected on terms that prohibit training on your data, with zero-retention options used wherever a provider offers them.
We hold no rights to your business data, your customer data, or any output produced by systems we build for you. Everything we touch is yours.
Every system we build follows the same rule: collect the minimum data needed to do the job, store it for the minimum time required, and expose it to the minimum number of people. We do not build "AI all the things" architectures. We build narrow, purposeful systems with clear data boundaries.
NxtLayr operates under Australian jurisdiction. We comply with the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
Where possible, client data is processed and stored in Australian data regions. Where the chosen AI provider only offers regions outside Australia, we disclose that explicitly during the audit and let you decide.
We will not deploy a system in your business that we cannot explain. Every workflow, agent, and automation is documented. You receive the architecture, the prompts, the integrations, and the operating instructions. If we walked away tomorrow, your team would understand exactly what is running and how.
We build on enterprise-grade AI and cloud providers, chosen per engagement on three non-negotiables: your data is never used to train their models, zero-retention options are used wherever available, and Australian data regions are selected where the provider supports them.
We are deliberately not locked to one vendor - we pick the right tool for each job and re-evaluate the stack quarterly as the market moves.
If your industry has compliance constraints (financial services, healthcare, legal), tell us during the audit and we adjust the stack accordingly. The specific providers in your build are documented for you in your engagement - we just don't publish our full stack on a public page.
If we discover a vulnerability, breach, or data incident in any system we built or operate for you, we notify you within 24 hours of discovery, not 72 hours and not "as soon as practicable." We hold professional indemnity insurance covering the work we deliver.
| Standard | Our position |
|---|---|
| Australian Privacy Act 1988 | Compliant. We voluntarily apply APP standards to all engagements regardless of threshold. |
| GDPR (EU) | Aligned. Architectural patterns meet GDPR data-handling principles. |
| HIPAA (US Healthcare) | Not applicable. We do not serve US healthcare clients. |
| PCI-DSS | We do not handle payment card data. All payments route through Stripe (PCI-DSS Level 1 certified). |
| ISO 27001 | Not certified. Targeting alignment by mid-2027. |
| ACSC Essential Eight | Implemented at Maturity Level 1; tracking toward Level 2. |
Everything we build for you is yours from the moment it is delivered. Source code, configurations, integrations, prompt libraries, documentation, data, and outputs. Yours to keep, modify, or take elsewhere.
If we walked away tomorrow, your team could continue operating every system using the documentation we leave behind. We do not engineer dependence as a retention mechanism.
AI systems are non-deterministic. They occasionally produce incorrect, biased, or unexpected outputs. We design every system with appropriate safeguards (human-review checkpoints, confidence thresholds, conservative defaults) but the responsibility for verifying AI outputs before customer-facing or compliance-sensitive use remains with your business.
We are AI consultants, not lawyers, registered tax agents, medical practitioners, or financial advisors. Where AI systems intersect with regulated domains, the relevant professional standards remain your responsibility. We flag these intersections during the audit and design systems with human-in-the-loop checkpoints where required.
NxtLayr AI holds professional indemnity insurance covering work delivered. Specific commercial terms, including any liability provisions, are defined in each client's engagement letter or Statement of Work, not published on this website.
Certificate of currency for our professional indemnity insurance is available to clients on request during procurement.
Security, compliance, or trust questions: [email protected]
For incident reporting: same address, subject line beginning "INCIDENT".