Instruo

Data and security

Access should be limited. Risk should be visible. Failure should be planned for.

Every implementation begins with the workflow and the information it genuinely requires. Controls are proportionate to the systems, data, consequences and client obligations involved.

Operating principles

  1. 01

    Minimise

    Collect, transfer, log and retain only what the workflow needs.

  2. 02

    Separate

    Use client-owned accounts and separate test and production configuration where practical.

  3. 03

    Validate

    Treat external inputs and system responses as untrusted until checked.

  4. 04

    Review

    Keep human approval for sensitive or consequential actions.

  5. 05

    Recover

    Document failure behaviour, ownership, fallback and rollback.

How access is handled

  • Least-privilege service or delegated accounts
  • Client-owned credentials where available
  • Revocable, time-bounded access
  • No secrets in source code or ordinary documents
  • Access removal and ownership recorded at handover

Collect and retain less

  • Map where information enters and leaves
  • Avoid unnecessary personal data in logs
  • Define retention with the client
  • Use test data appropriate to the risk
  • Keep sensitive information out of enquiry forms

AI use

AI is a component, not an exemption from control.

AI-assisted extraction, classification, summarisation or drafting may be useful where its uncertainty is visible and errors can be detected. Sensitive or consequential decisions remain subject to human judgement and client approval.

Third-party services are assessed, not silently accumulated.

Provider selection considers purpose, access, data movement, retention, location, contractual terms, failure behaviour and available controls. Project-specific providers and responsibilities are identified before access is granted.

Incident response

Suspected incidents are contained, assessed and communicated according to their potential effect. Report a suspected vulnerability to security@instruo.com.au. Do not send credentials or personal records by email.

Where is client data stored?

That depends on the selected client systems and providers. The data-flow and storage locations are defined for each engagement.

Do you have a security certification?

Instruo does not claim a security certification that has not been independently established.

Do you use client data to train AI models?

Project terms and provider settings define permitted use. Client data is not treated as available for unrelated model training.

How do you handle credentials?

Through delegated access or client-owned service credentials where possible, stored in appropriate secret-management facilities.

Start with the workflow

Find out whether the problem is worth solving.

A 30-minute Automation Opportunity Call is a practical first filter. We will clarify the workflow, its operational effect and whether a paid diagnostic is justified. If the case is weak, we will say so.

No charge. No obligation. Not a free technical audit.