Security you can put in front of your board.
Diolog is governance-first AI for investor communications, purpose-built for IR. The security, privacy and AI governance behind it are documented here, with the full policy set available on request.

Certified · ISO/IEC 27001:2022
Where your data lives, and how it is protected.
The controls a security or diligence reviewer asks about first.
| Certification | ISO/IEC 27001:2022 certified (Global Compliance Certification). |
|---|---|
| Hosting | All Diolog servers are located in Australia. |
| Encryption at rest | All customer data and backups are encrypted at rest by default with MongoDB Atlas. |
| Encryption in transit | Data is encrypted in transit using SSL/TLS. Bring-your-own-key encryption is supported. |
| Investor communication privacy | All investor communication is private to the company it is sent to. Diolog personnel have no access to any investor communication submitted or transferred via the mobile application. |
| Model training | Your content is never used to train AI models. It is transmitted to model providers only to the extent necessary to perform the task, over secure, authenticated APIs. |
Five categories of controls, continuously monitored.
Diolog’s controls are maintained and monitored under an ISO 27001 information security management system.
Infrastructure security
The systems the workspace runs on - scoped, hardened and monitored under the information security management system.
Organizational security
Policies, roles and responsibilities, and the internal governance that keeps the security programme accountable.
Product security
How the application itself is built and protected - authentication, access, and the controls around your workspace.
Internal security procedures
The operating procedures staff follow, from onboarding and access reviews to incident response.
Data and privacy
How personal information is handled, minimised and protected, in line with the Privacy Act and the APPs.
AI that is grounded and answerable to you.
The drafting and review agents are useful precisely because they are constrained.
| Grounded in approved sources | Outputs draw from your knowledge base, your public record and the regulatory feeds you approve - nothing else. |
|---|---|
| Never claims certainty | Diolog surfaces risk and uncertainty rather than asserting a compliance call is settled. Judgement stays with your team. |
| A human signs off | Every AI output is a draft for review. Nothing reaches the market without your team's approval. |
| On the record | Every draft, edit, approval and send is logged against the person who made it, with a full per-user audit trail. |
Who we rely on.
The third parties in scope for the service, and what each is used for.
| Amazon Web Services | Cloud provider · Australia · aws.amazon.com |
|---|---|
| MongoDB Atlas | Data storage and processing · cloud.mongodb.com |
| Jira | Collaboration · atlassian.com |
| Slack | Collaboration · slack.com |
The personal information we handle.
Handled under the Privacy Act and the Australian Privacy Principles, minimised to what the service needs.
Customer personally identifiable information
Employee personally identifiable information
Personal health information
Common questions.
Where are your servers located?
All Diolog servers are located in Australia.
Do you encrypt data at rest?
All customer data and backups are encrypted at-rest by default with MongoDB Atlas.
Who sees incoming investor communication?
All investor communication is private to the respective company of which it is being sent to. Diolog personnel do not have any access to any investor communication that is submitted or transferred via the mobile application.
Does Diolog use my company data to train AI models?
No. We configure our AI providers (such as Gemini) via enterprise APIs with zero-retention policies where applicable. We explicitly do not opt-in to sharing your data for the training of public Large Language Models (LLMs). Your proprietary data remains isolated to your workspace.
How does Diolog handle “hallucinations” or inaccurate AI outputs?
Diolog uses a technique called Retrieval-Augmented Generation (RAG). Instead of letting the AI guess, we force it to reference only your uploaded documents (announcements, policies, ASX releases) before generating an answer. If the answer isn’t in your documents, the system is designed to alert you rather than make something up.
Request our security documentation.
Our policies and reports are available to customers and prospects under review.
- Information Security Policy (AUP)
- Risk Management Policy
- Asset Management Policy
- Third-Party Management Policy
- Human Resource Security Policy
- Physical Security Policy
- Information Security Roles and Responsibilities
- Code of Conduct
Or email hello@diolog.com.au