assembl

004 — Trust · Kaitiakitanga · Mana Receipts

The receipt is the proof. Every run gets one.

A Mana Receipt is the legible record of one thing assembl did. It says which agent ran. What it read. What it cited. What was checked. What still needs a human. You can download it. You can show it to your auditor. You can show it to yourself in six months when you want to remember what you decided.

A Mana Receipt — downloadable as a signed audit pack

Mana Receipt · MR-2026-0701-AK41 · Pānui Parser · ● sealed

Agent ran: Pānui Parser
Bundle: Family & Whānau
Review tier: Tier one — light review
What it read: One school newsletter PDF (3 pages) uploaded by the user.
What it cited:
  • Term 3 calendar — pages 1–2 of the uploaded notice
  • Permission slip deadline — page 3, paragraph 4
What was checked:
  • Tikanga gate (Mead’s five tests) — passed
  • Dates cross-checked against the source text
  • No advice given — extraction only
Needs a human: Confirm the two calendar events before they are added to your phone.
Model called: Anthropic (Claude) · 2026-07-01T08:14:22+12:00 · text-in / structured-json-out · no training use
Project ref: wurwcrgxjjwqdaxqceey
IPP 3A flag: This output contains personal information about someone other than the user (a named child). IPP 3A may apply. Consider whether notification is required before acting.
SHA-256: 9f2c1ab7e5d84c0f3b6a92d1e7c4508fbb1a0d63e29f7c845a1b2e3d4f5061a7 ✓ tamper-evident

001 — Data residency

Where your data lives

Your data lives in Sydney, on Supabase, in the AWS ap-southeast-2 region. The project reference is wurwcrgxjjwqdaxqceey. That is the same number we put on every Mana Receipt, so a curious auditor can match the receipt to the database that wrote it.

We chose Sydney for one reason. It is the closest data centre to Aotearoa that meets the residency expectations under the Privacy Act 2020 and the Information Privacy Principles, including the cross-border rule under IPP 12. Hosting inside Aotearoa is what we will move to once Supabase or an equivalent provider runs an Auckland or Wellington region — until then, Sydney is the honest answer.

Three rules apply to your data while it sits there.

One. We do not sell it. We do not share it with advertisers. We do not use your runs to train third-party models. The agents that work on your behalf read the model provider’s API directly (Anthropic, Google, OpenAI) under contracts that exclude your data from training. The Mana Receipt records which provider was called, when, and what the request shape was — so you can audit that claim, not just take our word.

Two. We hold it for as long as it is useful, then we delete it.

Retention windows

  • Working data — 12 months from last use.
  • Mana Receipts — 7 years (matches IRD record-keeping).
  • Voice call recordings — 30 days, kept only for safety and abuse review.
  • Public demo runs — 7 days, no email, IP only.

You can request earlier deletion at any time. We will run it within 20 working days, which is the Privacy Act response window.

Three. Encryption at rest and in transit. AES-256 on disk, TLS 1.3 on the wire. Standard, not novel — that is the point. Novel cryptography is a warning sign, not a feature.

002 — Human-in-the-loop

How the human loop catches the AI

A Mana Receipt is not the same thing as a guarantee. The agent can be wrong. We are not pretending otherwise.

A Receipt exists because of how we catch the wrong. Every output that touches a regulated surface — medical advice, legal advice, employment law, financial advice, child safety, health and safety — runs through a human review layer before it leaves the agent.

Three review tiers, depending on what is at stake.

Tier one — light review.

The agent flags the output as “draft only” and the user is told, clearly, that a registered practitioner needs to sign off before it counts. This is what runs on Practice (the clinical bundle) and Counsel (the legal bundle) for every routine output. The Receipt records that the flag was raised, that the practitioner-review stamp was applied, and that the output was never delivered as final.

Tier two — kaitiaki review.

Where the output touches tikanga, Te Tiriti, or mana whenua subject matter, the work goes through a kaitiaki review by a kaumātua-validated reviewer before the user sees it. This runs on Counsel-Te Tiriti, on Hearth’s marae-adjacent flows, and on any agent output that references kaitiakitanga, Whakaaē consents involving mana whenua, or rangatiratanga. The Receipt names the reviewer (with consent), the date, and the calls made.

Tier three — full review.

For outputs going into a regulator’s process — a WorkSafe notification, an Inland Revenue objection, a Disputes Tribunal claim, an Immigration NZ appeal — the agent produces a draft only, and a registered human (LBP, lawyer, immigration adviser, accountant) signs it before it is filed. The agent never files for you. The Receipt records who reviewed, when, what they changed.

Across all three tiers, the agent never pretends to be the human. The receipt is the line between the two.

003 — IPP 3A · From 1 May 2026

Privacy Act 2020 and IPP 3A — what it means for you

The Privacy Act 2020 governs how every NZ business handles personal information. The thirteen Information Privacy Principles set out the rules. Most of them are unchanged from the 1993 Act. One is new.

IPP 3A came into force on 1 May 2026. It says that when a business collects personal information indirectly — meaning, not from the person it relates to — that business must usually notify the person at or before the time of collection. There are exceptions (publicly available information, exemptions where notification is impractical or where another lawful basis applies), but the default is: notify.

What this means for assembl, in plain language:

If you use one of our agents to read someone else’s personal information — a school notice that names a child, an invoice that names a customer, a clinical note about a patient, an HR file about an employee — the agent treats that data with IPP 3A in mind. Where the law requires you to notify the person, the agent flags it on the Mana Receipt: “this output contains personal information about someone other than the user. IPP 3A may apply. Consider whether notification is required before acting.”

We do not file the notification for you. That is your obligation as the data controller. The agent’s job is to make the obligation visible at the moment you might forget it.

The Privacy Commissioner has full guidance at privacy.org.nz. If you would rather talk to a person, their enquiry line is 0800 803 909.

004 — Straight answers

What we are. What we are not.

We promise this page never overpromises. The point of a trust page is to be the place a careful buyer can read everything in one go and decide. Here is the list.

What we are

  • Aligned with the Privacy Act 2020, including IPP 3A from 1 May 2026.
  • Hosted in Sydney (AWS ap-southeast-2) via Supabase. Project ref wurwcrgxjjwqdaxqceey. Sydney chosen for proximity to Aotearoa and Privacy Act compatibility.
  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Human-in-the-loop reviewed on every regulated output (three tiers — see §2).
  • Tikanga gate on every output (Mead’s five tests run silently by our Kahu compliance layer — Tika, Pono, Aroha, Tikanga, Mana).
  • Built in Aotearoa, by a small team based here. Not a reseller of an overseas product.

What we are not (yet, or by design)

  • Not SOC 2 certified. We will pursue SOC 2 Type II when our enterprise pipeline justifies the audit cost. Until then, we tell you so.
  • Not ISO 27001 certified. Same reasoning.
  • Not HIPAA certified. HIPAA is a US framework — we run under the NZ Health Information Privacy Code 2020 instead, which is the right one for NZ clinicians.
  • Not a substitute for a registered professional. Every clinical, legal, financial or regulatory output is a draft for a human to review. We are emphatic about this.
  • Not training a foundation model on your data. We use Anthropic, Google, and OpenAI APIs under contracts that exclude your data from training. The Mana Receipt records the call.

005 — Kaitiakitanga · Whakapapa

Built in Aotearoa

assembl was built in Aotearoa, by a small team here. We are a New Zealand company. Our agents are designed around Aotearoa’s regulatory shape — not adapted from a US product after the fact. The te reo Māori names on some agents are not decoration. They are signals that the agent was designed with tikanga in mind from the first line of code.

The Mana Receipt name is not borrowed marketing. Mana is the standing of a thing — its weight, its credibility, what it carries. A receipt that carries mana is one that an auditor, a kaumātua, a regulator or a customer can read and trust. That is what we are building toward. The standard is not “the AI got it right.” The standard is “you can show the receipt to anyone who needs to see it, and the answer holds.”

If you would like to talk to us about any of this — what we do with your data, how the review layer works, why we chose Sydney, what we are doing about SOC 2 — write to us at trust@assembl.co.nz. A real person reads that inbox.

Quiet intelligence · Woven · Built in Aotearoa

Last reviewed 2026-06-29 · Next review 2026-09-29 · Kaitiaki: assembl Trust Kaupapa