Compliance

AI inference is provided by named subprocessors. For most inference, Donna routes requests to the same regional Azure deployment as the Customer's data: Australia East, or East US 2 in the case of Azure OpenAI. Where a model is only available from a specific provider region (for example, model versions that have not yet been deployed to Australia East), Donna will route to the nearest in-region deployment of that provider that meets the no-training and no-retention obligations recorded in our agreement with that subprocessor.

Inference data is not used to train the underlying models. Inference data is held by the AI subprocessor only as long as needed to return the response and (for limited providers and limited periods) to support abuse and safety monitoring under their own published terms. The detailed subprocessor list, including the regions in which each subprocessor processes inference data, is maintained at /legal/subprocessors.

Where Donna is required to transfer Personal Information out of the region in which it is anchored, we rely on the framework recorded in the Donna Data Transfers Addendum at /legal/data-transfers-addendum. The principal mechanism is APP 8 reasonable steps and section 16C accountability under the Privacy Act 1988(Cth). The European Commission’s Standard Contractual Clauses (Module 3), the UK International Data Transfer Agreement and the Swiss-adapted EU SCCs are executed on a per-engagement basis where Personal Information subject to those regimes reaches Donna.

Donna handles Personal Information in accordance with the thirteen APPs in Schedule 1 of the Privacy Act 1988 (Cth). Specific operational practices flow from each APP: open and transparent management (APP 1) is supported by this page and the privacy policy; collection of solicited Personal Information (APP 3) is limited to what is necessary to operate the platform; cross-border disclosure (APP 8) is governed by the contractual mechanisms in section 2; and access and correction (APPs 12 and 13) are honoured through the data subject request workflow described below.

Donna acts as a processor for Customer Data under the GDPR. The Donna Data Processing Addendum, available at /legal/data-processing-addendum, records the Article 28 obligations in full, including processing only on the Customer's documented instructions, confidentiality undertakings from staff with access to Customer Data, technical and organisational measures, the audit and inspection rights of the Customer, deletion or return of Customer Data on termination, and the assistance Donna will provide for data subject requests, data protection impact assessments, and prior consultation with supervisory authorities.

Donna is bound by Part IIIC of the Privacy Act and assists Customers with their own obligations under the same scheme. The mechanics are described in section 10.

Where an individual exercises a right of access, correction, deletion, restriction, objection, or portability, the request is logged and routed as follows. If the individual is contacting Donna directly about Personal Information that Donna handles on its own account (for example, marketing data or account data), Donna responds within the statutory window applicable to the requester's jurisdiction. If the individual's information sits inside a Customer's Space, Donna refers the request to the Customer (which is the controller) and assists the Customer in handling it within the same window, including by providing tools to export, redact, and delete information held in that Space.

Privacy enquiries should be directed to privacy@bydonna.ai. The full privacy policy is at /legal/privacy-policy.

Customer Data is encrypted at rest using AES-256 with platform-managed keys held in Azure Key Vault. Customer-managed keys are available on Enterprise plans. Customer Data in transit between the Customer and Donna, and between Donna's services and its subprocessors, is protected by TLS 1.2 or above with modern cipher suites and forward secrecy. Internal service-to-service traffic uses Managed Identity tokens rather than shared secrets.

All Donna personnel access uses single sign-on with phishing-resistant multi-factor authentication. Production access is granted by role through just-in-time elevation, time-bound, and recorded. Customer authentication supports passwordless email OTP and SSO via SAML and OpenID Connect on Enterprise plans. Customers control their own user lifecycle through the admin console, including provisioning, deprovisioning, and session policies.

Application, identity, and platform logs are forwarded to a centralised SIEM with tamper-resistant retention. Security-relevant events trigger alerts to the on-call security engineer. Customers can request export of their tenant's audit log on demand through their account team.

Donna runs continuous static analysis, software composition analysis, and dependency scanning across its codebase. Container images are scanned at build and at runtime. Critical and high-severity vulnerabilities are remediated within defined service-level objectives that are recorded in our internal security policy and provided on request.

Customer Data is backed up to a paired Azure region within the same data residency zone described in section 2. Donna's recovery time objective and recovery point objective for the production platform are recorded in the Donna Support and Service-Level Agreement at /legal/support-and-service-levels. Donna tests the disaster recovery runbook at least annually and provides the latest test summary on request under NDA.

When a user submits a prompt to Donna, the prompt and the relevant context (for example, content from the Space the user is working in) is sent to one of Donna's named AI subprocessors for inference. The subprocessor returns a response. Neither the prompt nor the response is added to a training dataset, used to update model weights, or used to evaluate or improve future models. Donna's contracts with each AI subprocessor flow this prohibition through, and Donna's API integrations are configured to use the no-training, zero-retention or limited-retention modes published by each provider.

Three layers operate together. First, the contract: each AI subprocessor is bound by written terms that prohibit training on Customer Data and require zero or short-duration retention for safety monitoring only. Second, the configuration: the Donna platform's calls to each subprocessor pin the no-training mode and the appropriate regional endpoint, and our integration tests verify that no training-mode calls are made. Third, the audit: we keep a log of the inference endpoints invoked, the mode used, and the region in which the tenancy is hosted, which is reviewed periodically by the Privacy Officer.

Donna publishes a description of the kinds of decisions for which our AI features are, or are likely to be, used in a way that has a significant effect on an individual. Donna's role is to surface analysis to the lawyer; the lawyer is the principal and makes the legal decision. Donna does not present its outputs as legal advice and does not act autonomously on a user's behalf. The transparency statement is maintained in the privacy policy.

Donna is built for use by qualified legal professionals. Outputs are presented as drafts, summaries, and analyses for the user to review, accept, edit, or reject. The platform records the user action that ultimately resolves an output (for example, the lawyer accepting a suggested clause into a draft), so the chain of authorship runs through the user, not through the model.

Donna is a deployer and a downstream provider in the language of the EU AI Act. We do not develop the foundation models that power Donna; we use them under contract from their providers. Donna does not operate any of the use cases prohibited under Article 5 of the EU AI Act (for example, social scoring of natural persons, predictive policing based on profiling, or biometric categorisation in real time in publicly accessible spaces). Where the EU AI Act characterises a use as high-risk under Annex III, Donna's assessment is that legal practice support, as offered through the Donna platform, does not fall within the listed high-risk use cases. We monitor the technical standards and secondary acts as they are issued and will adjust this posture if and when required.

Donna treats all Customer Data in a Space as if it were potentially privileged. Operationally, this means three things. We do not use Customer Data for our own purposes. We do not give support or engineering staff broad access to Customer Data; access is by case, just-in-time, logged, and limited to the minimum required to resolve a support request, and only with the Customer's authorisation unless an emergency makes authorisation impractical. And we contractually prohibit any AI subprocessor from using Inputs or Outputs to train models. Our position on legal professional privilege is recorded in the Donna Platform Agreement.

Rule 31 of the Legal Profession Uniform General Rules requires a principal of an Australian law practice to ensure reasonable supervision of legal services provided on the practice's behalf. Donna is not a law practice and does not provide legal services. The lawyer using Donna remains the principal and remains responsible for supervising the work product the platform helps to produce. Donna's outputs are clearly marked as drafts and are not represented as advice. The platform records the user actions that accept, edit, or reject an output so a principal can audit the supervision trail.

Donna's role is to host Spaces in which firms hold and discuss client information. Donna does not disclose information from a Customer's Spaces other than as instructed by that Customer or as required by law. Donna's staff are bound by written confidentiality undertakings as a condition of employment, and our subprocessors are bound by equivalent written terms.

Donna is one platform serving many firms. Customer tenants are isolated from one another at the application, storage, and search-index layer. We do not move data between tenants. The lawyer-side conflict-of-interest analysis remains a matter for the firm; Donna provides the technical guarantee that one Customer's Space does not leak into another's.

Donna provides software. Donna does not provide legal services and is not a legal services provider. Nothing in our materials, including this page, should be read as legal advice or as creating a lawyer-client relationship between Donna and a user of the platform.

In scope: the production Donna platform served from app.bydonna.ai, the Donna API at api.bydonna.ai, the Donna marketing site at bydonna.ai, and Donna-published official client libraries. Out of scope: third-party services and infrastructure that we do not control, social engineering of our staff, denial-of-service tests, automated scanning that creates load problems for other Customers, and any testing that involves accessing data that is not yours without express written authorisation from Donna.

Donna will not pursue legal action against, or report to law enforcement, security researchers who, in good faith, comply with the scope and the rules of engagement above; make a reasonable, good-faith effort to avoid privacy violations, destruction of data, and disruption of services; and give Donna a reasonable opportunity to fix the issue before disclosing it publicly. If you are unsure whether a particular activity is permitted, ask first at security@bydonna.ai.

Donna's Standard plan targets 99.5% monthly uptime for the production platform. The Enterprise plan targets 99.9% monthly uptime, with service credits, a dedicated technical account manager, and faster response and resolution objectives for severity-1 and severity-2 incidents. The full SLA, including the calculation method, exclusions, and credit mechanics, is at /legal/support-and-service-levels.

For an incident affecting Customer Customers, Donna posts an initial public update to the status page within 30 minutes of detection, follows with substantive updates at least every 60 minutes while the incident is unresolved, and publishes a post-incident review for severity-1 incidents within ten business days. Severity-1 customers also receive a direct email from the on-call engineering manager.

Suspected incidents are triaged immediately by the on-call security engineer. The Privacy Officer and General Counsel are notified within four hours where the incident involves Personal Information. A formal incident is opened, with a single owner and a running timeline.

Where Donna becomes aware that there are reasonable grounds to suspect that there may have been an eligible data breach, Donna will carry out a reasonable and expeditious assessment within 30 days, as required by section 26WH of the Privacy Act, to decide whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach. We will typically aim to complete this assessment well inside the 30-day statutory window.

Where, after assessment, there are reasonable grounds to believe that there has been an eligible data breach affecting Personal Information that Donna holds in its own right, Donna will notify the Office of the Australian Information Commissioner and the affected individuals as soon as practicable, using the OAIC's prescribed statement. Where the affected information sits within a Customer's Space (and the Customer is the controller), Donna will support the Customer in making its own notifications and will not pre-empt those notifications without the Customer's instruction or unless required by law.

Where Donna acts as a processor and becomes aware of a personal data breach affecting Customer Data, Donna will notify the affected Customer without undue delay and in any event within 48 hours of becoming aware of the breach, in line with our DPA commitment. The notification will include the information specified in Article 33(3) of the GDPR to the extent then known, and Donna will provide updates as the assessment progresses.