Trust and Security

At Elf Works Pty Ltd (ACN 678 538 086), we are dedicated to safeguarding the privacy and security of personal and sensitive information collected and processed through our platform-as-a-service (PaaS) software, which supports professionals and organisations with advisory, research, and knowledge-generation tasks. Our platform integrates with third-party Large Language Models (LLMs) such as ChatGPT, Claude, Gemini, and Grok to enhance these capabilities.

This Trust and Security page serves as a centralised resource outlining our commitments, practices, and measures to protect your data, ensure compliance, and build trust. We comply with the Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs). Our security practices are designed in alignment with ISO 27001 and SOC 2 control objectives, with formal certification planned as we scale.

For our terms and conditions, visit www.elfworks.ai/trust-centre/terms-and-conditions
For our AI product terms, visit www.elfworks.ai/trust-centre/ai-product-terms
For our acceptable use policy, visit www.elfworks.ai/trust-centre/acceptable-use-policy
For our privacy policy, visit www.elfworks.ai/trust-centre/privacy

Our Commitment to Trust
We prioritise transparency, data protection, and empowering your rights as a digital service user.
We do not allow any user data passed to Large Language Models (LLMs) to be used for training or retained beyond immediate processing needs—all data is handled ephemerally and deleted promptly after use, as enforced through contracts with providers.
We regularly review and update our practices to address emerging threats, regulatory changes, and feedback.
Our services and data centres are Australia-based, with no offshore transfers without lawful basis and safeguards like Standard Contractual Clauses.

Security Measures
We implement robust safeguards to protect data across our platform, development environment, and integrations:
- Infrastructure Security: Hosted on Australian-based AWS infrastructure in Sydney, NSW, with ISO 27001-certified vendors. We use firewalls, intrusion detection systems, real-time logging, monitoring, and quarterly-tested disaster recovery protocols with AES-256 encrypted backups.
- Data Encryption: All data in transit is encrypted using TLS 1.3, and data at rest uses AES-256 encryption.
- Access Controls: Guided by the principles of Least Privilege (PoLP), Role-Based Access Control (RBAC), Separation of Duties (SoD), and Need-to-Know. Access levels include:
  - For the Platform: System Admin (full access, including API integrations), Advisor (create/export advice using LLMs), Professional User (view-only, no LLM interaction).
  - For the Development Environment (AWS-hosted, including Streamlit.io and MongoDB): System Admin (full access), Developer (project-specific access to tools and API credentials).
  Multi-factor authentication (MFA/2FA) is required for all access: Microsoft authentication for the platform (extracting only email and username), AWS IAM for the development environment and MongoDB, and secure mechanisms for API keys stored in AWS Secrets Manager.
- Application Security: Network segmentation via AWS VPCs and firewalls limits lateral movement.
- Monitoring and Logging: All access attempts (successful/failed) to the platform, development environment, MongoDB, and API credentials are logged with user ID, timestamp, and resource details. Logs are reviewed monthly, with real-time alerts for anomalies like failed logins or unauthorised access using AWS CloudTrail and MongoDB tools.
- Physical Security: For AWS data centres, refer to the AWS Trust Center for details on physical controls.

Compliance and Certifications
- Regulatory Compliance: We comply with the Privacy Act 1988 (Cth), SOC 2 Type II (in alignment), ISO 27001, GDPR, and other standards. Data processing agreements (DPAs) are available to eligible users.
- Employee Training: All employees receive annual training on access controls, phishing awareness, data protection, and secure handling of the platform, development environment (including Streamlit.io, MongoDB), and LLM API credentials. New hires complete onboarding within their first week.

Vendor Management and Data Sharing
We share data under strict controls with vetted third parties for authorised purposes only:
- Cloud hosting/infrastructure (e.g., AWS).
- Payment processors (e.g., Stripe, which handles/stores payment details; see Stripe Trust Center).
- Government authorities when legally required.

All vendors comply with our standards and are restricted via contracts. For the full vendor list, visit www.elfworks.ai/trust-centre/vendors.

This list is subject to updates as we add or change vendors. We notify users of material changes via our Privacy Policy at www.elfworks.ai/trust-centre/privacy. If you have questions or wish to exercise your data rights, please contact us at info@elfworks.ai.

We recommend reviewing each vendor's privacy policy for additional insights into their practices.

Incident Response
We have a documented incident response plan, reviewed annually, to handle breaches or unauthorised access swiftly:
1. Contain the incident.
2. Notify affected users and the OAIC (if required) within 72 hours for confirmed breaches.
3. Provide remedial support.
4. Conduct root-cause analysis and implement improvements.
Suspected incidents trigger immediate investigation by our technical team. We participate in responsible disclosure and encourage vulnerability reporting via info@elfworks.ai.

International Data Transfers
Our services and data storage are currently Australia-based. Any future international expansion will include safeguards such as Binding Corporate Rules or Standard Contractual Clauses.

Continuous Improvement
Policies are reviewed annually or after significant changes. Employees and customers can submit feedback on practices via info@elfworks.ai.

Contact Us
For questions about our trust and security practices, contact our Data Protection Officer or Technical Team at info@elfworks.ai. We respond within 30 days.

This page was last updated in November 2025. We notify users of significant changes via email, with a summary and 30 days' notice before enforcement.