Deployment options

Two ways to deploy. Both Australian. Both audit-ready.

Obsidia runs on managed cloud infrastructure in Sydney — or, for organisations with the strictest data sovereignty requirements, inside a dedicated private AWS environment. Same product, same workflow packs, same audit trail. The choice comes down to where your data sits and which compliance frameworks you need.

Same platform. Different infrastructure posture.

Most private-sector firms run on the Standard Tier — modern managed infrastructure in Sydney that satisfies the Australian Privacy Act. Government, defence, and IRAP-regulated organisations run on the Compliance Tier — dedicated AWS infrastructure with full network isolation.

Standard Tier
Managed Cloud
A dedicated managed-cloud deployment per client, hosted in Sydney. Fast to set up. Right for most private-sector organisations.
Dedicated Supabase project & Netlify site per client
Hosted in Sydney (ap-southeast-2)
SOC 2 Type II certified platforms
Australian Privacy Act compliant
Operational within ~2 business days
Best for organisations without IRAP, APRA, or government-data obligations.

Production-grade AI on modern managed infrastructure — no platform team required.

Each Standard Tier deployment is its own dedicated Supabase project and Netlify site — provisioned per client, never shared with another organisation. All data — documents, conversation logs, embeddings — is hosted in Sydney (ap-southeast-2) at rest and in transit. Generation runs on Anthropic Claude; retrieval uses Voyage AI embeddings.

It's the right choice for legal firms, accounting practices, professional services, and general enterprise customers who need reliable AI-powered search across their internal knowledge — without taking on the overhead of running infrastructure themselves.

Hosting
Dedicated Supabase + Netlify, Sydney
A Supabase project and Netlify site provisioned for your organisation alone. PostgreSQL with pgvector for retrieval; Netlify Functions for application logic. Both regions confirmed at ap-southeast-2.
Models
Anthropic Claude + Voyage AI embeddings
Claude Sonnet 4.6 for generation. Voyage AI voyage-3 (1024-dim) for retrieval. Neither vendor trains on your data.
Compliance
Privacy Act + SOC 2 Type II
Australian Privacy Act data residency satisfied. Underlying platforms hold SOC 2 Type II. ISO 27001 available on request.
Setup time
~2 business days
Project provisioning, SSO configuration, first connector setup. Live and indexing your content within two business days.

Private AWS infrastructure for organisations that need full network isolation.

The Compliance Tier runs entirely inside a private AWS environment in Sydney — your own VPC, your own database, your own ECS services. The database has no public endpoint. All traffic flows through private subnets behind a managed WAF and CloudFront.

Both tiers give you a deployment that is yours alone — the difference is the infrastructure model. The Compliance Tier is the required choice for government agencies, defence, IRAP-assessed sectors, and APRA-regulated firms, and the right choice for any enterprise that needs physical network isolation and full penetration testing rights across the entire stack.

Network isolation
Dedicated VPC, no public DB endpoint
RDS PostgreSQL with pgvector inside private subnets. Multi-AZ in production. Outbound via NAT gateway only.
Edge security
WAF + CloudFront + rate limiting
AWS WAF with OWASP managed rule set, IP reputation blocking, and rate limits at the edge before traffic reaches your origin.
Models
AWS Bedrock — Claude + Titan
Claude Sonnet via Bedrock for generation. Titan embeddings for retrieval. Inference stays within the AWS region — no third-party API calls.
Compliance
IRAP, ISO 27001, SOC 1/2/3
IRAP-aligned to PROTECTED. Privacy Act with dedicated infrastructure. Penetration testing within your own environment, no shared scope.
Audit + observability
VPC Flow Logs, CloudWatch, full audit trail
90-day CloudWatch log retention. VPC Flow Logs to S3. Every query, document, and admin action recorded against the originating identity.
Setup time
3–4 business days
Includes Terraform provisioning, certificate issuance, network validation, schema initialisation, and a first crawl of your content.
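An added posture check (example code, not Obsidia's own tooling) that tests the Compliance Tier claims above, no public DB endpoint, Multi-AZ, encryption at rest, VPC Flow Logs to S3 and 90-day CloudWatch retention, against records shaped like the boto3 responses for rds.describe_db_instances, ec2.describe_flow_logs and logs.describe_log_groups. The instance names, VPC id, bucket and log-group names are constructed sample values.

```python
"""Posture check for the Compliance Tier claims above: no public DB endpoint,
Multi-AZ, encryption at rest, VPC Flow Logs to S3, 90-day CloudWatch retention.
Inputs mirror the boto3 responses of rds.describe_db_instances,
ec2.describe_flow_logs and logs.describe_log_groups; sample data is constructed."""
REQUIRED_RETENTION_DAYS = 90

def check_db_instance(db: dict) -> list[str]:
    """Findings for one RDS instance; an empty list means it matches the posture."""
    name, findings = db["DBInstanceIdentifier"], []
    if db.get("PubliclyAccessible", True):  # a missing key is treated as unsafe
        findings.append(f"{name}: public endpoint enabled")
    if not db.get("MultiAZ", False):
        findings.append(f"{name}: not Multi-AZ")
    if not db.get("StorageEncrypted", False):
        findings.append(f"{name}: storage not encrypted at rest")
    return findings

def check_flow_logs(vpc_id: str, flow_logs: list[dict]) -> list[str]:
    """Require an ALL-traffic flow log for the VPC with an S3 destination."""
    ok = any(fl.get("ResourceId") == vpc_id and fl.get("TrafficType") == "ALL"
             and fl.get("LogDestinationType") == "s3" for fl in flow_logs)
    return [] if ok else [f"{vpc_id}: no ALL-traffic VPC Flow Log delivered to S3"]

def check_log_groups(groups: list[dict]) -> list[str]:
    """A group without retentionInDays never expires, so it is flagged too."""
    return [f"{g['logGroupName']}: retention {g.get('retentionInDays', 'never expires')}"
            f" != {REQUIRED_RETENTION_DAYS} days"
            for g in groups if g.get("retentionInDays") != REQUIRED_RETENTION_DAYS]

def audit(db_instances: list[dict], flow_logs: list[dict], groups: list[dict]) -> list[str]:
    """Run every check once; each VPC's flow logs are checked once, not per instance."""
    findings = [f for db in db_instances for f in check_db_instance(db)]
    for vpc_id in sorted({db["DBSubnetGroup"]["VpcId"] for db in db_instances}):
        findings += check_flow_logs(vpc_id, flow_logs)
    return findings + check_log_groups(groups)

# Constructed sample: "obsidia-prod" matches the page's posture, "obsidia-staging" has drifted.
SAMPLE_DBS = [
    {"DBInstanceIdentifier": "obsidia-prod", "PubliclyAccessible": False, "MultiAZ": True,
     "StorageEncrypted": True, "DBSubnetGroup": {"VpcId": "vpc-0example"}},
    {"DBInstanceIdentifier": "obsidia-staging", "PubliclyAccessible": True, "MultiAZ": False,
     "StorageEncrypted": True, "DBSubnetGroup": {"VpcId": "vpc-0example"}},
]
SAMPLE_FLOW_LOGS = [{"ResourceId": "vpc-0example", "TrafficType": "ALL",
                     "LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::example-flow-logs"}]
SAMPLE_LOG_GROUPS = [{"logGroupName": "/ecs/obsidia", "retentionInDays": 90},
                     {"logGroupName": "/aws/rds/instance/obsidia-prod/postgresql"}]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_DBS, SAMPLE_FLOW_LOGS, SAMPLE_LOG_GROUPS)) or "no findings")
```

Against a live account the same functions take the `DBInstances`, `FlowLogs` and `logGroups` lists returned by the three boto3 calls named in the docstring.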

Four questions decide the answer.

If you answer yes to any of the first three, you need the Compliance Tier. If you answer no to all of them, the Standard Tier is the right starting point.

Feature comparison.

Both tiers ship with the same product — the same chat experience, the same workflow packs, the same audit trail. The differences are at the infrastructure layer.

| Feature | Standard | Compliance |
|---|---|---|
| Dedicated deployment per client | Yes | Yes |
| Data location | Sydney (AU) | Sydney (AU) |
| Australian Privacy Act | Yes | Yes |
| SOC 2 Type II | Inherited (Supabase, Netlify, Cloudflare) | Inherited (AWS) |
| ISO 27001 | Inherited (Supabase, Cloudflare) | Inherited (AWS) |
| IRAP | up to OFFICIAL | up to PROTECTED |
| Network isolation | Per-project + Cloudflare WAF | Dedicated AWS VPC |
| Database | Supabase Pro (managed Postgres) | Dedicated AWS RDS |
| Penetration testing | Application only | Application + AWS infrastructure |
| Setup time | ~2 business days | 3–4 business days |

The controls IT and security teams ask about — across both tiers.

The deployment model is just the start. These controls apply to every Obsidia deployment regardless of tier — the things procurement and IT typically need clear answers on before sign-off.

🔑

Four-tier role model

Platform Admin, Admin, Workspace Admin, and Member roles — separating organisation-wide controls, workspace-level access, and individual user permissions, so the right people see the right data.

🛡️

IP allowlist

Restrict platform access to specific IP ranges — your office network, your VPN, your designated remote-access service. Admin-configurable per organisation.

👥

Bulk team onboarding

Onboard your entire team in a single CSV upload — no manual one-by-one user creation. Pairs with SSO (Azure AD) for streamlined provisioning at deployment.

The prompts your team authors are your firm's intellectual property — not ours.

A senior lawyer spending weeks building a "settlement position paper" prompt has encoded years of methodology into that text. An AMLCO crafting a suspicious-matter analysis workflow has embedded proprietary risk-scoring criteria. That content is your firm's IP. We make this commitment explicit — contractually, technically, and operationally.

📄

You own it — we don't

Every prompt template, workflow configuration, and generated output you create on Obsidia remains your exclusive intellectual property. Our Terms of Service grant us only a narrow operational licence: store it, retrieve it, serve it to your users. Nothing more.

🚫

No training. No analytics. No exceptions.

Your prompts are never used to train or fine-tune AI models, improve our product, build internal benchmarks, or run cross-customer analytics — not even in aggregated or de-identified form. This is contractual, not a setting you need to toggle.

👁️

No staff read access

Obsidia staff cannot read your prompt library. The only exception is a direct support scenario — a user-reported issue, with that user's explicit consent on record. Every such access is audit-logged and reviewed monthly.

🏢

Prompts stay with the firm

When an employee leaves, their authored prompts stay with your firm — not their account. Authorship is updated to reflect the former employee; your workspace administrator can reassign it. Your firm's methodology doesn't walk out with a departing staff member.

These commitments are backed by explicit clauses in the Terms of Service (Section 3), the Data Processing Addendum, and the Sub-processor Register — not buried in generic boilerplate.

Production infrastructure — not a pilot.

Whichever tier you choose, Obsidia is built and supported as a production system from day one. Encryption at rest and in transit, audit trail on every query, no training of external models on your data.

Your data stays in Australia. Every deployment — Standard or Compliance — is provisioned for your organisation alone, never shared with another client.

That's not a feature — it's the foundation.

🇦🇺
Hosted in Sydney
Both tiers. Data at rest and in transit stays in Australia.
🔒
No external model training
Anthropic, OpenAI, and Bedrock contracts confirm no training on your data.
📄
Your prompts are your IP
Prompt templates and workflow configs are your firm's intellectual property. No training, no staff-read, no product-improvement use. Backed by explicit Terms of Service clauses — not generic boilerplate.
📋
Full audit trail
Every query, document, and admin action logged against an identity.
👤
Users can view their own query history
Every user has a self-service activity log — search, filter, and export your own records at any time. No admin involvement required.
🛡️
Edge security on both tiers
WAF, DDoS mitigation, bot protection, and rate limiting.
🔐
Metadata treated as content
For legal clients, who acts for whom is itself privileged. Workspace names, query logs, and notification subjects carry the same protections as document content, and no matter identifiers (legal-matter references) egress to third-party services.
🧹
Scrubbed error telemetry
Application errors are reported with stack traces only. Request bodies, navigation history, auth headers, and user-supplied content are stripped before any data leaves your environment. Session replay is off by default — your screen is never recorded without explicit opt-in.
WCAG 2.2 AA — automated compliance gate
Axe-core accessibility scanning runs on every pull request. No critical or serious violations in any primary flow.