Security & Privacy

Built for organisations that take AI governance seriously.

Brolli AI is designed from the ground up with privacy by design, Australian data sovereignty, and enterprise-grade security controls. We monitor AI tool usage across your organisation without ever seeing what your people do with those tools.

Our philosophy

We see which sites employees visit. Nothing beyond that.

This is the most important thing to understand about how Brolli AI works. Brolli AI detects when a browser visits an AI tool site. That is the extent of what we observe. We cannot see what an employee types into that tool, what prompts they send, what files they upload, or what responses they receive.

We architecturally prevent individual employee monitoring. Before any data leaves the browser, user identity is replaced with a one-way cryptographic hash. That hash cannot be reversed to identify an individual. Not by your administrators. Not by us.
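The pseudonymisation step described above, as an added illustration (not Brolli AI's own code): the page does not say how the user hash is derived, so this example assumes a keyed HMAC-SHA-256 with a per-organisation secret, which keeps the hash stable for aggregation while making it unreproducible from the email alone. The secret value and the event shape are constructed for the example.

```python
import hashlib
import hmac

# Constructed per-organisation secret (placeholder, not a real key). Assumption:
# the hash is keyed, so knowing an email is not enough to recompute its hash.
ORG_SECRET = b"example-org-secret-not-a-real-key"


def pseudonymise_user(email: str, org_secret: bytes = ORG_SECRET) -> str:
    """Return a stable, one-way pseudonym for a user identity.

    The email is normalised first so the same person always maps to the same
    hash across sessions; the email itself is never part of the output.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(org_secret, normalised, hashlib.sha256).hexdigest()


def build_event(email: str, hostname: str, duration_s: int, ts_epoch: int) -> dict:
    """Build the only record that leaves the browser: the AI tool hostname,
    session duration, a minute-rounded timestamp and the opaque user hash.
    There is deliberately no identity field."""
    return {
        "tool_host": hostname,
        "duration_s": duration_s,
        # Round to the nearest minute using integer arithmetic.
        "ts_minute": ((ts_epoch + 30) // 60) * 60,
        "user_hash": pseudonymise_user(email),
    }
```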

What we collect
The AI tool hostname (to match against our tool dataset)
Session duration in seconds
Timestamp, rounded to the nearest minute
An opaque, irreversible user hash
Responses to acknowledgement nudges

What we don't collect
Names, emails, or any other employee identity
Page content, prompts, keystrokes, or anything typed into an AI tool
Full URLs or browsing history
Screenshots or screen recordings

If your employees want to know whether Brolli AI can see what they type into ChatGPT, the answer is no. The extension sees the domain. That's it.

How we protect your data

Enterprise-grade security, without enterprise complexity.

AES-256 encryption at rest
All data is encrypted at rest with keys held in AWS Key Management Service in the Sydney region. Encryption keys are Australian-managed and subject to Australian law.
TLS 1.3 encryption in transit
Enforced at the infrastructure level across all endpoints. Data in transit is encrypted end to end.
Multi-factor authentication
TOTP-based MFA is required for all admin dashboard access. There is no way to access the dashboard without a second factor.
Argon2id password hashing
Passwords are stored using Argon2id with a unique random salt per hash. This is the current industry standard for password storage.
Per-organisation API key scoping
API keys are scoped to individual organisations, SHA-256 hashed, and compared using constant-time operations to prevent timing attacks.
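The key-handling pattern described above, as an added example that is not Brolli AI's code: only the SHA-256 hash of each key is stored, the organisation id is part of every lookup, and candidates are compared with a constant-time comparison. Record and role names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ApiKeyRecord:
    org_id: str
    key_hash: str  # hex SHA-256 of the raw key; the raw key is never stored
    role: str      # assumed role label, e.g. "admin"


def hash_api_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_api_key(org_id: str, role: str) -> Tuple[str, ApiKeyRecord]:
    """Generate a random key, hand it back once, and keep only its hash."""
    raw_key = secrets.token_urlsafe(32)
    return raw_key, ApiKeyRecord(org_id, hash_api_key(raw_key), role)


def verify_api_key(org_id: str, presented_key: str,
                   records: List[ApiKeyRecord]) -> Optional[ApiKeyRecord]:
    """Return the matching record for this organisation, or None.

    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes matched, and the loop does not return early on a match so
    the total time does not reveal which record matched. A key issued to a
    different organisation never matches because org_id is part of the check.
    """
    presented_hash = hash_api_key(presented_key)
    match: Optional[ApiKeyRecord] = None
    for record in records:
        if record.org_id != org_id:
            continue
        if hmac.compare_digest(record.key_hash, presented_hash):
            match = record
    return match
```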
Role-based access control
Four roles with server-side enforcement on every request. Access rights are not configurable in the browser and cannot be escalated client-side.
Rate limiting
Sliding-window rate limiting per API key prevents abuse and protects against brute-force attacks.
Memory-safe backend
The Brolli AI backend is written in Rust, which eliminates entire classes of memory-safety vulnerabilities, including buffer overflows and use-after-free errors, by design.

Where your data lives

Your data stays in Australia. Full stop.

For government agencies, healthcare organisations, universities, and professional services firms, data sovereignty is not a nice-to-have. It's a hard requirement. Every piece of data that Brolli AI collects is stored and processed in AWS Sydney (ap-southeast-2). There is no offshore processing.

100% Australian-hosted
All data stored and processed in AWS Sydney. No exceptions.
Australian-managed encryption keys
AWS KMS keys in the Sydney region. If a government agency asks where your data is, the answer is Sydney.
IRAP-assessed infrastructure
Brolli AI is hosted on AWS Sydney, which holds an IRAP assessment at PROTECTED level across more than 164 services.

Regulatory fit

Designed with Australian compliance obligations in mind.

Covered below: Privacy Act 1988 & APPs, Essential Eight ML1, ISO 27001 (target), IRAP path, NSW Surveillance Act.

Privacy Act 1988 and the Australian Privacy Principles

Brolli AI operates on a minimal data collection model. Our privacy policy is aligned to the Australian Privacy Principles. We support employee notification requirements and can provide the documentation your organisation needs to demonstrate compliance.

Workplace surveillance laws

Several Australian states, including New South Wales, have specific requirements around employee notification before computer monitoring begins. Brolli AI's built-in transparency controls are designed to support the 14-day notice requirements under the NSW Workplace Surveillance Act.

Essential Eight Maturity Level 1

Brolli AI currently aligns to Maturity Level 1 of the Australian Cyber Security Centre's Essential Eight framework, covering MFA, role-based access control, patching, and backups.

Notifiable Data Breaches scheme

Our data minimisation approach limits breach impact by design. Because user hashes are irreversible, a breach of Brolli AI's data cannot expose individual employee identities.

A note on our roadmap

ISO 27001 certification and formal IRAP assessment for Brolli AI itself are on our roadmap as the product matures. We're being direct about what we have now versus what we're working toward.

If your organisation has specific compliance requirements that you'd like to discuss, contact us. We'd rather have that conversation early than have you discover a gap after you've deployed.
