It is the first question in every partner meeting about AI, and it deserves a straight answer rather than a vendor brochure. The honest version has three parts: what the vendor actually does with your data, what obligations your firm carries regardless of vendor, and what claims nobody should be making. Here is all three, mapped to the rules an Australian or New Zealand accounting practice actually operates under.
How Claude handles your data
Claude does not train on business-customer data by default. Anthropic holds SOC 2 Type II, ISO 27001 and ISO 42001 certifications, and commercial terms include a data processing agreement. Those are the load-bearing facts, and they are the same class of assurances your practice management vendor and document store already rely on. Everything else that matters is configuration and discipline on your side of the fence.
Mapped to your actual obligations
For Australian firms the relevant frame is the Privacy Act 1988 and the professional rules, not a vague sense of AI risk:
APP 6 on use and disclosure: sending client personal information into a prompt is a use, and the data processing agreement is the contractual basis for the processor relationship
APP 8 on cross-border disclosure: the firm stays accountable, so document the flow and the reasonable steps taken, meaning the DPA, standard contractual clauses and your privacy policy disclosure
APP 11 on security: firm-side controls do the heavy lifting, including access control, scoped folders, prompt minimisation and redacting what the job does not need
The Tax Agent Services Act code of conduct and APES 110 confidentiality: consent language in the engagement letter is the clean fix, and most letters need one paragraph added
New Zealand firms map the same setup against the Privacy Act 2020 principles, with IPP 12 covering the cross-border leg
Getting this wrong is no longer cheap. Serious or repeated privacy interference now attracts penalties up to $50 million for companies under the amended Australian regime, and the notifiable data breaches scheme means an incident involving client tax data is an OAIC conversation, not a quiet internal memo. The discipline that satisfies the regulator is the same discipline that satisfies your professional indemnity insurer, which makes it doubly worth writing down.
The questions clients will actually ask
Partners worry about regulators; clients ask simpler questions. Will my financials train someone else's model? No, not under commercial terms and defaults. Can your staff put my file into any AI tool they like? Not if the firm has a policy, which is why the policy exists. Where does the data physically go? To the vendor's processing infrastructure under a data processing agreement, the same way it already goes to your cloud practice suite, your document portal and your offshore preparation provider if you use one. Framed that way, most clients relax, because the honest answer is that a properly scoped AI deployment is one of the better-governed places their data travels.
What we do not claim
A consultancy that overpromises on security loses the room, so we are explicit about the boundaries:
Anthropic is not IRAP assessed. Firms needing PROTECTED-level assurance run Claude through AWS Bedrock in the Sydney region, which inherits the AWS IRAP assessment
Anthropic's direct API is US-hosted. Australian data residency means deploying through Bedrock ap-southeast-2 or an equivalent regional cloud, and pretending otherwise helps nobody
No AI vendor certificate makes your firm compliant. Compliance lives in how you scope and run the deployment, in your engagement letters and in your staff habits
Most suburban and mid-market practices do not carry PROTECTED-level workloads and do not need the sovereign options; they need the standard commercial stack configured properly. But knowing where the ceiling is, and saying it plainly, is the difference between a security posture and a sales pitch.
Practical controls for a firm
The controls that satisfy a reviewer are structural and boring, which is the point:
One scoped working folder per engagement, never a drive-wide connection
Named connectors only, added deliberately, reviewed quarterly
Drafts never auto-sent; lodgement and declarations always made by a person
A short written AI policy so staff usage is consistent and defensible
A one-paragraph consent clause in the engagement letter template
A firm that implements those five controls has a better data story than most firms' current email habits, where full tax files routinely travel as unencrypted attachments. AI adoption done properly is often the moment a practice fixes data hygiene it should have fixed years ago.
Where to take it
If the partners are circling this question, put it on paper before the next tax season peak. A fixed-fee Claude Cowork setup at $3,500 includes the scoped-folder design and the guardrails above, and a brainstorm call is enough to map the controls to your own client base and engagement letters. The firms that settle their AI position calmly, in writing, are the ones that never have to settle it in a crisis.



