Legal
PathwAI Data Processing and Subprocessors
1. Purpose
This page explains how data is handled when an organisation (“Customer”) uses our PathwAI product, including our role, our use of subprocessors, and overseas data handling. It supports the privacy and data-protection terms of the Microsoft Marketplace Standard Contract under which PathwAI is offered. For how AI Journey Labs handles personal information in its general business and on its website, see our Privacy Policy.
2. Deployment model: your cloud, no standing access
PathwAI is deployed into the Customer’s own Microsoft Azure subscription (a bring-your-own-cloud model). The platform, its data stores, logs, identity and the AI models it calls all run inside the Customer’s tenant.
As a result:
- Customer data and end-user data are held within the Customer’s own Azure environment and are not transferred to AI Journey Labs. Where the Customer chooses an AI model hosted outside Azure, data for that step is sent to the selected provider under the Customer’s configuration, as described in Section 4.
- AI Journey Labs has no standing access to that data. We do not hold, store or routinely process Customer data as part of running the product.
- The Customer controls access, identity (via Microsoft Entra ID), encryption keys (via Azure Key Vault), and the configuration of the underlying Azure services.
3. Roles
The Customer is the controller of personal data processed through PathwAI. Because the product runs in the Customer’s own tenant and we have no standing access to it, AI Journey Labs does not act as a processor of Customer data in the normal operation of the product.
There are limited situations where we may process a small amount of personal data, and our role in each is set out below:
- Support. If a Customer chooses to share data with us to obtain technical support (for example, log extracts or screenshots), we process that support data only to provide the support requested, on the Customer’s documented instructions.
- Implementation and professional services. If we are engaged to deliver implementation, configuration or adoption services and are granted time-limited access to the Customer’s environment, we act on the Customer’s documented instructions under the relevant services agreement (Master Services Agreement and Statement of Work).
- Account, contract and relationship administration. We process business-contact information of Customer representatives (such as name, work email and role) in order to manage the commercial relationship. This is covered by our Privacy Policy.
4. Subprocessors
Because PathwAI runs in the Customer’s own tenant, the platform services and AI models the product uses are configured by, and operate under the agreements of, the Customer. These are not subprocessors of AI Journey Labs for Customer data. They include:
- Azure platform services the product runs on, such as Azure OpenAI, Azure SQL, Key Vault and Application Insights, under the Customer’s own agreement with Microsoft; and
- AI model providers the Customer selects for a Journey, which may include Microsoft Azure OpenAI, Anthropic (Claude) and Google (Gemini). Use of any model provider is configured and governed by the Customer under the Customer’s own agreement with that provider; PathwAI simply connects to the endpoint the Customer configures, using credentials the Customer provides and manages (for example in Azure Key Vault). AI Journey Labs does not supply, hold or broker these provider credentials. Where the Customer configures a model hosted outside Azure (such as Anthropic or Google), the prompt and context data for that step is sent from the Customer’s environment to that provider under the Customer’s own configuration and agreement.
The subprocessors below are the third parties that may process the limited personal data that AI Journey Labs itself handles (business operations, support and professional services), as described in Section 3.
| Subprocessor | Purpose | Personal data categories | Location |
|---|---|---|---|
| Microsoft (Microsoft 365) | Business email, productivity and file storage | Business contact details, support correspondence | Australia and global Microsoft data centres |
| Bluehost | Hosting of aijourneylabs.com and web enquiry forms | Contact form submissions, website technical data | United States |
| Google (Google Analytics) | Website usage analytics | Online identifiers and website technical data | United States and global |
We currently use no separate customer relationship management (CRM) system. We require each subprocessor to provide a level of data protection consistent with this page and with applicable law, and we remain responsible for their compliance with our obligations.
5. Changes to subprocessors
We may update this list from time to time. In line with the Standard Contract, we will provide at least 14 days’ notice before a new subprocessor begins processing personal data on our behalf, by updating this page. If a Customer has a reasonable objection to a new subprocessor, they may raise it with us using the contact details below.
6. Overseas data handling
Customer data processed through PathwAI stays in the Customer’s own Azure tenant, in the region the Customer selects, and is not transferred to AI Journey Labs.
For the limited personal data that we do handle (Section 3), some of our subprocessors process data outside Australia, including in the United States (our website host and analytics provider). We take reasonable steps to ensure that overseas recipients handle personal information consistently with applicable Australian privacy law. We do not currently offer PathwAI to customers in the European Economic Area or the United Kingdom; if that changes, we will update this page and put appropriate data-transfer mechanisms in place.
7. Security
AI Journey Labs applies security measures consistent with good industry practice, and we align our controls with ISO/IEC 27001:2022 (certification in progress). PathwAI is built on Azure-native controls operating in the Customer’s tenant, including Microsoft Entra ID single sign-on, managed identities, Key Vault for secrets, and Application Insights and audit logging for traceability. Customers may request our current security information, including a security questionnaire response or self-attestation, using the contact details below.
8. Data subject and privacy requests
Because the Customer is the controller and holds the data in its own tenant, requests from individuals to exercise their privacy rights should be directed to the relevant Customer. Where we receive such a request relating to data held by a Customer, we will redirect the individual to that Customer and assist the Customer as reasonably required.
9. Contact
Questions about this page, subprocessor objections, or requests for our security information can be sent to:
AI Journey Labs
Email: [email protected]
Phone: +61 434 290 561