Ethnobot is built for research in regulated industries, including government. This page gives procurement, security, and legal teams a clear view of our data sovereignty posture, security controls, sub-processors, and compliance documentation — without needing a sales call.
Last updated: 24 April 2026
ap-southeast-2, Sydney).Ethnobot operates with an Australia-only storage posture. Participant transcripts, analysis outputs, and profiles are all stored in Sydney. No warm backup outside Australia is part of the active operating configuration.
| Component | Provider | Location |
|---|---|---|
| Database (transcripts, analysis, profiles) | Supabase (managed PostgreSQL) | Sydney — AWS ap-southeast-2 |
| File storage | Supabase Storage | Sydney — AWS ap-southeast-2 |
| Application hosting | Vercel | Global edge CDN; data processing in Sydney |
If a contract requires an alternative storage arrangement (for example, a self-hosted deployment in a government-controlled cloud), that can be negotiated up front.
Ethnobot uses Anthropic's commercial Claude API to conduct interviews and analyse transcripts. Anthropic operates API infrastructure in the United States, which means customer inputs and outputs transit US-based infrastructure during processing.
Anthropic's commercial and consumer products have different privacy terms. Announcements about extended retention (up to five years) or opt-in model training on the consumer Claude web or app service do not apply to Ethnobot traffic. We use only the commercial API.
Under Anthropic's commercial terms, customer inputs and outputs from the Anthropic API are not used to train Anthropic's foundation models by default. We have not opted into any training or data-sharing program. Anthropic may retain limited data transiently for safety, abuse monitoring, and legal compliance, as set out in their Privacy Center.
Anthropic offers bespoke Zero Data Retention arrangements to qualifying enterprise customers. Ethnobot does not currently operate under a ZDR arrangement. Where a client requires ZDR to be in place before contract execution, we can approach Anthropic to request qualification — please raise this before contract signing.
If a contract requires that participant content must not transit outside Australia even transiently, that requires an alternative processing arrangement and should be negotiated up front.
Ethnobot is self-assessed at Essential Eight Maturity Level 1 across every applicable strategy. Several controls exceed the ML1 baseline — notably the use of phishing-resistant passkey authentication, which is an ML2/ML3-aligned control.
| Multi-factor authentication | Phishing-resistant passkey on every production-path service. Federated SSO via Google or GitHub where applicable; upstream identity providers enforce passkey. Admin dashboard requires password + TOTP. Passkeys stored in 1Password with offline recovery kit. |
| Encryption in transit | TLS 1.2+ on every external connection. |
| Encryption at rest | AES-256 via Supabase managed PostgreSQL. |
| Database access control | Row Level Security enforced on every table. Supabase service-role key is server-side only; never exposed to the client. |
| Application control | Vercel managed serverless runtime. SAST (Semgrep) runs on every push to main and every pull request. Dependencies pinned in package-lock.json; `npm audit` fails CI on high or critical findings. |
| Defensive HTTP headers | X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and X-XSS-Protection configured via next.config.js. Content-Security-Policy rollout is scoped in the next compliance-hardening sprint. |
| Secret scanning | Gitleaks runs on every push to main and every pull request. Any committed secret fails the CI pipeline. |
| Patch management | Vercel and Supabase managed runtimes are patched by provider SLA. Dependency vulnerabilities tracked weekly. |
| Backups | Supabase automated daily backups retained in the Sydney region. Code and schema are version-controlled in GitHub; the database can be rebuilt from migrations. |
| Access register | Every admin account is documented with MFA status and review date. Reviewed quarterly. |
| Vulnerability monitoring | Sentry for application errors (PII masked). Internal security audits recorded in the repository. |
The following providers process data on our behalf. For participant-facing detail, including which data is shared with each, see our privacy policy.
| Provider | Purpose | Location |
|---|---|---|
| Anthropic | AI interview engine and analysis (commercial API) | United States (transient) |
| Supabase | Database and file storage | Sydney, Australia |
| Vercel | Application hosting and edge CDN | Global edge; data processing in Sydney |
| Resend | Transactional email delivery | United States |
| PostHog | Product analytics (anonymised usage events) | United States (EU option available) |
| Sentry | Error monitoring (PII masked) | United States |
| Axiom | Structured logging (no transcript content) | United States |
For a client-specific engagement, we can disable non-essential sub-processors (for example, PostHog, Sentry, or Axiom) on request.
The following documents are maintained internally and available to security, procurement, or legal reviewers on request. Email privacy@ethnobot.ai.
For suspected data incidents affecting a client engagement, the client is notified within 24 hours of detection, and a written report is provided within 5 business days. Where an incident engages the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), the Office of the Australian Information Commissioner is notified in line with statutory obligations.
Privacy, security, and compliance enquiries: privacy@ethnobot.ai
Procurement and commercial discussions: suhit@anantula.com
Privacy Officer: Suhit Anantula, Director, The Helix Lab Pty Ltd. Adelaide, South Australia.