Blog

Is Claude Safe for Client Data? A Security Guide for Australian and NZ Accountants

July 2026 · 6 min read · AI Strategy

Notebook illustration of a shield with a keyhole over a client folder, drawn in ink with a terracotta accent
← Back to all posts

It is the first question in every partner meeting about AI, and it deserves a straight answer rather than a vendor brochure. The honest version has three parts: what the vendor actually does with your data, what obligations your firm carries regardless of vendor, and what claims nobody should be making. Here is all three, mapped to the rules an Australian or New Zealand accounting practice actually operates under.

How Claude handles your data

Claude does not train on business-customer data by default. Anthropic holds SOC 2 Type II, ISO 27001 and ISO 42001 certifications, and commercial terms include a data processing agreement. Those are the load-bearing facts, and they are the same class of assurances your practice management vendor and document store already rely on. Everything else that matters is configuration and discipline on your side of the fence.

Mapped to your actual obligations

For Australian firms the relevant frame is the Privacy Act 1988 and the professional rules, not a vague sense of AI risk:

  • APP 6 on use and disclosure: sending client personal information into a prompt is a use, and the data processing agreement is the contractual basis for the processor relationship

  • APP 8 on cross-border disclosure: the firm stays accountable, so document the flow and the reasonable steps taken, meaning the DPA, standard contractual clauses and your privacy policy disclosure

  • APP 11 on security: firm-side controls do the heavy lifting, including access control, scoped folders, prompt minimisation and redacting what the job does not need

  • The Tax Agent Services Act code of conduct and APES 110 confidentiality: consent language in the engagement letter is the clean fix, and most letters need one paragraph added

  • New Zealand firms map the same setup against the Privacy Act 2020 principles, with IPP 12 covering the cross-border leg

Getting this wrong is no longer cheap. Serious or repeated privacy interference now attracts penalties up to $50 million for companies under the amended Australian regime, and the notifiable data breaches scheme means an incident involving client tax data is an OAIC conversation, not a quiet internal memo. The discipline that satisfies the regulator is the same discipline that satisfies your professional indemnity insurer, which makes it doubly worth writing down.

The questions clients will actually ask

Partners worry about regulators; clients ask simpler questions. Will my financials train someone else's model? No, not under commercial terms and defaults. Can your staff put my file into any AI tool they like? Not if the firm has a policy, which is why the policy exists. Where does the data physically go? To the vendor's processing infrastructure under a data processing agreement, the same way it already goes to your cloud practice suite, your document portal and your offshore preparation provider if you use one. Framed that way, most clients relax, because the honest answer is that a properly scoped AI deployment is one of the better-governed places their data travels.

What we do not claim

A consultancy that overpromises on security loses the room, so we are explicit about the boundaries:

  • Anthropic is not IRAP assessed. Firms needing PROTECTED-level assurance run Claude through AWS Bedrock in the Sydney region, which inherits the AWS IRAP assessment

  • Anthropic's direct API is US-hosted. Australian data residency means deploying through Bedrock ap-southeast-2 or an equivalent regional cloud, and pretending otherwise helps nobody

  • No AI vendor certificate makes your firm compliant. Compliance lives in how you scope and run the deployment, in your engagement letters and in your staff habits

Most suburban and mid-market practices do not carry PROTECTED-level workloads and do not need the sovereign options; they need the standard commercial stack configured properly. But knowing where the ceiling is, and saying it plainly, is the difference between a security posture and a sales pitch.

Practical controls for a firm

The controls that satisfy a reviewer are structural and boring, which is the point:

  • One scoped working folder per engagement, never a drive-wide connection

  • Named connectors only, added deliberately, reviewed quarterly

  • Drafts never auto-sent; lodgement and declarations always made by a person

  • A short written AI policy so staff usage is consistent and defensible

  • A one-paragraph consent clause in the engagement letter template

A firm that implements those five controls has a better data story than most firms' current email habits, where full tax files routinely travel as unencrypted attachments. AI adoption done properly is often the moment a practice fixes data hygiene it should have fixed years ago.

Where to take it

If the partners are circling this question, put it on paper before the next tax season peak. A fixed-fee Claude Cowork setup at $3,500 includes the scoped-folder design and the guardrails above, and a brainstorm call is enough to map the controls to your own client base and engagement letters. The firms that settle their AI position calmly, in writing, are the ones that never have to settle it in a crisis.

Ready to move from AI pilot to production?

We help mid-market Australian businesses deploy AI automations that actually reach production and deliver measurable ROI.