.png){kind=logo}
Sidekick AI Platform – Security & Architecture FAQs (v2)
This document outlines the security, hosting, and data management practices of the Sidekick AI Platform to support client due diligence and regulatory assessments.
1. Platform Architecture & Deployment
Q1: Where is the platform and data hosted?
Deployed in the client’s Azure subscription, typically in Australia East. All services—including storage, databases, and containers—run within the client-controlled environment.
Q2: Which Azure services and models are used?
Sidekick uses Azure VMs or App Services, Azure PostgreSQL, and Azure Blob Storage. The OpenAI models (e.g. GPT-4o, GPT-4.1, o4-mini, o3) are accessed through Azure OpenAI Service. These models are updated within our platform as they become available under Global deployment within the Azure AustraliaEast region and following our own internal testing and validation.
Q3: Is the platform public-facing?
No. There is no public API. Access is restricted to a secure web interface within the client’s Azure environment.
Q4: Does the platform support self-service features?
Yes. Clients can manage uploaded files, documents, and use Assistants via a secure portal.
2. Data Privacy, Storage & Usage
Q5: What data is stored and processed?
Chat transcripts, uploaded documents, indexed knowledgebase files, and logs - all curated and approved by the client and stored in the client’s Azure.
Q6: Does data ever leave the client’s Azure environment?
No. Data never exits the client’s Azure tenant. propella.ai accesses infrastructure only with explicit authorisation.
Q7: Is any data used for training models?
No. Prompts, responses, and files are not used to train or improve any AI models. The following is a statement from the Microsoft Azure website:
"Your prompts (inputs) and completions (outputs), your embeddings, and your training data:
are NOT available to other customers.
are NOT available to OpenAI.
are NOT used to improve OpenAI models.
are NOT used to train, retrain, or improve Azure OpenAI Service foundation models.
are NOT used to improve any Microsoft or third party products or services without your permission or instruction."
Further, the documentation emphasises:
"The models are stateless: no prompts or generations are stored in the model. Additionally, prompts and generations are not used to train, retrain, or improve the base models."
Q8: Are prompts/responses shared with Microsoft/OpenAI?
No. All client data, including chat prompts and files, are not used for model training or improvement by propella.ai, Microsoft, or OpenAI. Data remains within the client’s Azure subscription and is not shared externally.
Q9: How is data encrypted and protected?
Encryption in transit (TLS 1.2+) and at rest (AES-256). Access is controlled with Azure RBAC and logged via Azure Monitor.
Q10: What is the retention and deletion policy?
Backups (e.g. PostgreSQL) retained for up to 7 years. Clients can delete uploaded files at any time.
3. AI Behaviour and Limitations
Q11: Does the platform support real-time internal data access?
For internal data integrated into Assistants, not by default. For example, the Knowledgebase Assistant requires curated datasets that clients upload. The platform does not automatically access or sync with the source systems in real-time, like SharePoint. However, access to external data on the internet (which can be done via the Research Assistant, and specific Assistants like the Tax and Law ones) does occur in real-time.
Q12: How is enterprise data integration handled?
All enterprise data that is made accessible to the Sidekick platform is stored in Azure blob storage. Clients select and upload specific documents (or folders), ensuring they have full control of what data is made accessible. This approach avoids direct integration with platforms like SharePoint, which provide access to ALL documents by default and can cause access permission issues (i.e. documents can be inadvertently shared with unauthorised platform users).
4. Security, Compliance & Recovery
Q13: Has the platform achieved any certifications?
propella.ai leverages Microsoft Azure’s compliance (ISO 27001, SOC 2, etc.). No separate Propella certification at this stage.
Q14: What are the backup and recovery processes?
Daily backups via Azure Backup. PostgreSQL supports point-in-time recovery. Infrastructure can be redeployed using DevOps pipelines.
Q15: Can propella.ai access platform data?
No. propella.ai uses Azure Service Principals for deployment support only and has no visibility into client data.
5. Authentication & Access Control
Q16: How is user access authenticated?
Via Azure Active Directory, with enforced MFA and support for SSO.
Q17: What access control mechanisms are in place?
Access is managed using Azure Active Directory (Entra ID), with enforcement of RBAC, MFA, and logging of all access events in Azure Log Analytics. Role-based permissions follow least privilege principles.
There are two levels of access control:
- Infrastructure Level (Azure):
- Access to the underlying infrastructure is restricted to only necessary personnel, managed through RBAC. Access is granted on a least-privilege basis, and regularly reviewed. All activities are logged via Azure Activity Logs, and permissions are automatically adjusted or revoked based on role changes or HR-driven triggers.
- Platform Level (User Interface):
-
The platform includes a built-in Admin Centre that supports role-based access for different user types, such as Administrator, Analyst, and Standard User, each with varying degrees of access to features and data.Administrators can also:
- Configure user groups
- Assign platform permissions
- Restrict assistant access based on user group membership, ensuring sensitive information is only accessible to authorised users.
-