Security at Awa
Security controls are embedded across product, infrastructure, and AI workflows.
🏢 Data Hosting
- Hosted in Sydney, Australia (ap-southeast-2)
- All data encrypted at rest (AES-256)
- All data encrypted in transit (TLS 1.3)
🔐 Access Control
- Engagement-level data isolation enforced at database level
- Row-level security on every table
- Role-based access for firm users and client portal users
- Complete audit trail on all data access and modifications
🛡️ AI Security
- Document content treated as untrusted input with multi-layer sanitisation
- Prompt injection defence with structural separation of instructions and data
- AI output validation against allowed schemas
- Entity data anonymised in AI processing
- AI cannot send data to unregistered email addresses (hardcoded restriction)
- AI cannot modify permissions, add contacts, or access other engagements
📁 Document Integrity
- SHA-256 file hashing on all uploads
- Full classification history preserved (AI -> client -> auditor chain of custody)
- Soft delete only - documents are never permanently removed
- Engagement locking with controlled unlock reasons for file integrity
✅ Compliance
- Built to SOC 2 Trust Service Criteria from day one
- SOC 2 Type I assessment targeted within 12 months
- SOC 2 Type II report targeted within 18 months
- ISQM 1 aligned engagement file controls