How Core Nova handles AI risk and data disclosure.

This page underwrites every AI claim we make. Read it before you sign anything. We map to NIST AI RMF and ISO/IEC 42001, name our configuration choices, and disclose what data leaves which environment.

Configuration choices

We deploy AI under one of four configurations. Each engagement names which one applies in the SOW.

A. Cloud, frontier API

Public frontier-model API. Lowest cost and broadest capability, but data leaves the buyer's environment. We name this clearly. Specific providers are named in the model register and SOW, not on the marketing site. Used where data sensitivity allows.

B. Australian-jurisdiction cloud, VPC

Model hosted in an Australian cloud region inside a virtual private cloud. Data residency satisfied. Used where regulator or insurer requires Australian-jurisdiction processing.

C. Client VPC, isolated tenancy

Model deployed inside the buyer's own AWS, Azure, or GCP tenancy. No third-party SaaS access to data. Used where customer-data isolation is the controlling requirement.

D. On-prem, isolated

Model deployed on-premises inside the buyer's environment with no outbound network path. Used where confidentiality of IP, content, or client data is the controlling requirement and the data cannot leave the building under any vendor T&Cs.

Frameworks we align to

  • NIST AI RMF. Govern, Map, Measure, Manage functions overlay our engagements.
  • ISO/IEC 42001. AI management system controls applied where buyers require certifiable alignment.
  • OWASP LLM Top 10. Reference for AI security testing and agentic red team engagements.
  • MITRE ATLAS. Adversarial tactics catalogue for agentic system threat modelling.

Disclosure standards

  • AI model register. Every engagement specifies which models, which versions, which providers. Maintained in our internal playbook and disclosed in the SOW.
  • Configuration disclosure standard. Each deliverable includes a disclosure document naming the configuration in use, what data left the environment, and which retention applies.
  • AI sub-processing posture. NDA clauses covering AI sub-processing are signed per engagement before Day 1.

What we do not do

  • We do not publish numerical outcome claims on the internet without signed client consent. The engineering and medical proof points referenced elsewhere on this site are described qualitatively only.
  • We do not name vendor or model providers on the marketing site. The model register and SOW name them.
  • We do not run a chatbot on this website that learns from your inputs. There is no AI on the marketing surface.

Frequently asked

Named per engagement in the configuration disclosure standard delivered with the work. Configurations A and B involve external API calls; Configurations C and D do not. The SOW specifies which applies before we start.

Yes, mapped to the specific engagement scope. We do not claim full certification on the marketing site; we claim alignment evidenced through delivered artefacts (governance scaffold, evaluation harness, runbook). Specific alignment evidence is available on request.

No. The configurations we deploy do not include training-feedback loops on client data unless the engagement specifically scopes one and the buyer agrees in writing. Default position is no training feedback.

Named on the SOW. For First Workflow engagements, Matt Breuillac is the primary deliverer; paired delivery with named team members from engagement four onward. Any subcontractor involvement is disclosed, named in the SOW, and covered by signed AI sub-processing clauses.