What is Endiqo?
Endiqo is a project discovery and delivery platform that helps organisations capture stakeholder input, understand project needs, and turn evidence into practical delivery outputs.
It is designed for consulting and enterprise delivery contexts where accuracy, traceability, privacy, and human review matter.
What data does Endiqo collect?
Endiqo collects the information needed to provide and secure the service.
This may include user sign-in details, project access information, stakeholder input, submitted summaries, uploaded project documents, generated project outputs, support records, privacy requests, operational logs, and security records.
Endiqo does not collect Microsoft passwords.
How do users sign in?
Users sign in with their Microsoft work account.
Endiqo uses the signed-in identity to determine what projects and features the user is allowed to access.
How is project access controlled?
Access is controlled by the user's authenticated identity and their authorised role for a project.
Users can only access projects they have been invited to or authorised for. Project administrators can manage their own projects, while broader platform administration is restricted to separately authorised Platform Admins.
What is the main security boundary?
Endiqo does not rely on the browser alone to protect customer data.
Access to project data and administrative functions is checked by Endiqo's server-side services before information is returned or actions are performed.
Can one client or project access another project's data?
No. Endiqo is designed around project-scoped access.
A user authorised for one project cannot access another project unless they have also been explicitly authorised for that project, or they hold an approved platform administration role.
Where is data hosted?
Endiqo uses Microsoft Azure and prefers Australian Azure regions for core product data where the relevant Azure service supports Australian hosting.
Some supporting services may process or store limited operational, authentication, telemetry, support, web-hosting, or safety-review information outside Australia. Where this occurs, Endiqo treats it as a disclosed data-residency exception and uses appropriate contractual, technical, and organisational safeguards.
Is customer data used to train AI models?
No. Endiqo does not use stakeholder input or customer project data to train public AI models.
Microsoft states that Azure OpenAI prompts and completions are not used to train foundation models without permission or instruction. Microsoft may process prompts and completions for service operation, content filtering, abuse monitoring, and safety purposes under its Azure service terms.
What data is sent to AI?
Endiqo sends only the information needed to support the relevant project task.
This may include stakeholder discovery input, project context, summaries, reviewed evidence, or project-specific document excerpts. Endiqo is designed to avoid sending broad cross-client data to AI services.
How is AI knowledge retrieval controlled?
Endiqo limits AI knowledge support to the relevant project context.
When project documents are used to support AI-assisted answers or outputs, access remains project-scoped. Citations and document access are checked so users can only open documents they are authorised to access.
Are uploaded documents public?
No. Document access is project-scoped and available only to users authorised for that project.
How does Endiqo reduce prompt-injection risk?
Endiqo uses layered safeguards to keep AI interactions focused on the intended project context. These include project scoping, controlled use of customer-provided information, safety checks on content used for AI assistance, and testing designed to detect unsafe or out-of-scope behaviour.
Endiqo is designed so AI is not simply given unrestricted access to customer data. AI assistance is bounded to the relevant project and supporting evidence.
Are AI outputs automatically authoritative?
No. AI-generated outputs are treated as draft or reviewable material.
Endiqo is designed to support consultants and customers, not replace human judgement. Important outputs can be reviewed, edited, accepted, rejected, or refined before they are relied on.
Can AI output affect delivery decisions without human review?
No. Endiqo's operating model is human-in-the-loop.
AI helps organise, summarise, and suggest patterns from project evidence. Delivery decisions remain with authorised people, including consultants and customer stakeholders.
Are AI runs auditable?
Yes. Endiqo keeps structured evidence about AI-assisted generation so outputs can be reviewed later.
This includes information such as what project evidence was used, when the output was generated, what type of output was produced, and whether it passed validation and review steps. Endiqo avoids using operational audit records as a place to store raw prompts, transcripts, or unnecessary sensitive content.
What does Endiqo log?
Endiqo logs operational and security metadata needed to operate, support, and protect the service.
Logs are intended to help answer questions such as what action occurred, when it occurred, for which project, whether it succeeded, and how to trace a support or security investigation. Logs are not intended to store stakeholder transcripts, AI prompts, AI completions, document contents, tokens, or secrets.
Are secrets exposed to the browser?
No. Endiqo is designed so long-lived service secrets and backend credentials are not delivered to the browser.
The browser receives only the information needed for the current signed-in user experience. Sensitive service credentials are kept server-side.
How does Endiqo handle privacy requests?
Privacy requests can be sent to privacy@endiqo.com.
Endiqo supports requests for access, correction, deletion or de-identification, privacy complaints, and general privacy questions. Requests are triaged, identity is verified where required, and actions are recorded so Endiqo can evidence how the request was handled.
Can a client request project deletion?
Yes. Clients can request deletion or de-identification of project data.
Because project records may include delivery evidence, audit history, generated artefacts, and contractual records, deletion is handled through a controlled approval process. Endiqo first identifies the relevant data, confirms scope and approvals, and then performs deletion only through authorised administrative controls. Deletion is not automatic.
Does Endiqo have retention review controls?
Yes. Endiqo supports retention review so data can be identified when it is due for review.
Retention review is a governance control, not an automatic deletion engine. It helps Endiqo and customers decide whether data should be retained, corrected, archived, deleted, de-identified, or reviewed further.
How does Endiqo handle suspected data breaches?
Endiqo has an internal data breach response process aligned to Australian privacy obligations, including the Australian Privacy Principles and the Notifiable Data Breaches scheme.
The process covers escalation, containment, evidence preservation, assessment of likely harm, customer or regulator notification where required, remediation, and closure.
How are environments separated?
Endiqo separates development, test, and production environments.
Production systems are managed through controlled deployment processes and environment-specific configuration. Test and development environments are not intended to be mixed with production customer data or production service configuration.
Can Endiqo support a security review?
Yes. Endiqo can support customer security reviews with appropriate documentation and evidence.
This may include security architecture information, data flow explanations, privacy and retention processes, AI governance controls, deployment evidence, and targeted demonstrations of access control, project isolation, document access, logging discipline, and lifecycle handling.