How AiBorz handles client data, security and privacy.

Business details

• Entity: AiBorz (sole trader — Alborz Fallah)
• Location: Brisbane, Australia
• Contact: [email protected]
• ABN: To be published upon registration

Data handling principles

1. Client-owned systems. AiBorz prefers to work inside client-owned Microsoft 365, Google Workspace, OpenAI, cloud and SaaS accounts where practical. The client retains administrative control.
2. Least privilege. AI workflows are granted only the minimum access needed for the approved task.
3. Data minimisation. Only the data required to complete a workflow step is sent to AI models.
4. No training on client data. AiBorz uses business-grade AI products where data is not used for model training by default. Where exceptions apply, they are disclosed and approved before use.
5. Data storage. Client documents, prompts and workflow configurations are stored in client-owned systems wherever possible. AiBorz retains only the minimum information needed to operate and improve the service.
6. Australian guidance. AiBorz designs workflows consistent with OAIC privacy guidance, ACSC small-business cyber recommendations and National AI Centre governance recommendations.

Credential handling

• Client credentials, API keys and access tokens are stored in client-owned password managers or secure credential stores where practical.
• AiBorz does not store client passwords, API keys or access credentials in plain text, shared documents or source code.
• Access to client systems is time-limited, scoped and documented.

Incident response

If an AI workflow produces incorrect, misleading or harmful output — or if protected data is accidentally exposed — the incident process is:

1. Stop: pause the affected workflow immediately.
2. Notify: inform the client's AI owner within 24 hours.
3. Document: record what happened, what data was involved and what corrective action was taken.
4. Review: determine whether the workflow, data rules, training or controls need updating.
5. Report: provide a written summary to the client including root cause, impact and remediation.

Subprocessors

AiBorz may use the following in delivery of services:

• AI model providers: OpenAI, Anthropic, Google, DeepSeek or other models selected by task, risk and data requirements. Business-grade accounts are used where client data is involved.
• Automation platforms: Make, Zapier, n8n, Power Automate or equivalent — selected based on client system compatibility and security posture.
• Cloud infrastructure: Railway, Vercel or equivalent for hosting AiBorz tools and APIs.
• Communication: email via the client's existing provider or a configured SMTP service.

Specific subprocessors are confirmed during the AI Readiness & Risk Audit for each client engagement.

Offboarding

If a client discontinues AiBorz services:

• Client-owned systems and accounts remain with the client.
• Workflow documentation, prompts, configurations and operating procedures are handed over in a documented format.
• AiBorz removes its access to client systems within an agreed timeframe.
• Any AiBorz-retained client data is deleted within 30 days unless otherwise agreed or required by law.

For the full governance model, see the Security & Governance page. For the operational launch approach, see the Launch Protocol.