Security FAQ

Where is Oiva data hosted?

Australia — AWS ap-southeast-2 (Sydney) primary, ap-southeast-4 (Melbourne) disaster recovery. Customer data does not leave Australia. See Data residency for full details.

Does Oiva hold a SOC 2 attestation?

Not yet. We are commencing a SOC 2 Type I readiness assessment in 2026-Q4, with Type II attestation targeted for 2027-Q4. Our current compliance posture is on the Compliance posture page.

How does Oiva use AI?

See the AI use disclosure page for full details, including live statistics from our audit log.

How do I report a security vulnerability?

See the Vulnerability disclosure policy.

How do I access the full pentest report or IR plan?

These are available under NDA via the authenticated portal. The portal requires email verification and a signed non-disclosure agreement.

What sub-processors does Oiva use?

See the Sub-processor list for all third parties that process Oiva customer data.

How does Oiva handle a data breach?

See the Notifiable Data Breaches process.

Is Oiva IRAP-assessed?

Not yet. IRAP readiness preparation is underway; the assessment decision is pending CVO and CTO approval (expected post-2027-03). See Compliance posture.

Does Oiva send data overseas?

AI inference is in Australia. Slack is the only non-Australian sub-processor used by Oiva operational systems; no customer personal information is sent to Slack. See Data residency.

How do I contact Oiva about privacy?

Email privacy@oiva.com.au. Requests are responded to within 30 days.