Security & Artificial Intelligence FAQ

Last updated: January 2026

This FAQ explains how the Virtual Business Analyst (VBA) handles security, privacy, data access, and the use of artificial intelligence.


What is the Virtual Business Analyst?

The Virtual Business Analyst (VBA) is an AI-assisted digital consultant designed to help organisations capture, clarify, and structure business information.

It supports activities such as:

  • stakeholder interviews and structured conversations

  • requirements and discovery activities

  • synthesis of themes and insights

  • drafting of preliminary outputs (e.g. summaries, epics, or user stories)

The VBA supports human consultants and project teams. It does not replace professional judgement, delivery governance, or decision-making.


How is access to the Virtual Business Analyst controlled?

Access to the Virtual Business Analyst is not public.

  • All users must authenticate using Microsoft Entra ID (formerly Azure Active Directory)

  • Only explicitly authorised users (whitelisted by Joist Consulting or the client) can access the tool

  • Anonymous or unauthenticated access is not permitted

This ensures that only approved individuals can interact with the assistant.


How is my information used?

Information provided to the Virtual Business Analyst is used solely to:

  • facilitate structured conversations

  • generate draft summaries and insights

  • support project discovery, analysis, and documentation

Conversation outputs are treated as working material and are reviewed and validated by the project delivery team before being relied upon.


Is my data used to train AI models?

No.

  • Your data is not used to train public or shared AI models

  • Conversation content remains within the configured project environment

  • Client data is not incorporated into future model training or reused across engagements


Where is my data stored?

Data is stored only within the configured project environment and associated approved systems (such as secure cloud services used for transcripts or summaries).

Storage locations are selected to align with:

  • client contractual requirements

  • applicable data residency expectations

  • industry-standard security controls

No data is stored on personal devices.


Who can access the information?

Access is restricted to:

  • authorised Joist Consulting project team members

  • approved client representatives (where agreed)

Access is enforced using:

  • identity-based authentication

  • role-based permissions

  • environment-level segregation between clients and projects


How is security handled?

The Virtual Business Analyst is designed using defence-in-depth security principles, including:

  • strong identity-based authentication (Microsoft Entra ID)

  • encryption of data in transit and at rest, where available

  • segregation of client and project environments

  • restricted network access via browser-level security controls

  • logging and monitoring for operational oversight

The web application enforces a Content Security Policy (CSP) that limits scripts and network connections to approved Microsoft and platform endpoints only.

Security configurations align with modern enterprise SaaS practices.
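
For teams checking the CSP statement above during due diligence, the following added example (not Joist Consulting's code, and not the VBA's actual policy) audits a Content-Security-Policy header's script-src and connect-src directives against an allowlist of approved hosts. The allowlist, the vba-platform.example and thirdparty.example hosts, and both sample headers are constructed for illustration.

```javascript
// Constructed allowlist and sample headers; not the VBA's real policy.
const APPROVED = ["login.microsoftonline.com", "*.vba-platform.example"];
const GOOD = "default-src 'self'; script-src 'self' https://login.microsoftonline.com; " +
  "connect-src 'self' https://login.microsoftonline.com https://api.vba-platform.example";
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' " +
  "https://cdn.thirdparty.example; connect-src *";

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers, so the first one wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Drop the scheme, then port and path, leaving the host pattern.
function hostOf(source) {
  return source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/:]/)[0].toLowerCase();
}

function isApproved(host, approved) {
  return approved.some((entry) => entry === host ||
    (entry.startsWith("*.") && !host.includes("*") && host.endsWith(entry.slice(1))));
}

function auditCsp(header, approved) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ["script-src", "connect-src"]) {
    // Both directives fall back to default-src when absent.
    const sources = policy.get(directive) ?? policy.get("default-src");
    if (!sources) {
      findings.push(`${directive}: unrestricted (no directive and no default-src)`);
      continue;
    }
    for (const src of sources) {
      if (/^'unsafe-/i.test(src)) findings.push(`${directive}: ${src} weakens the policy`);
      else if (src.startsWith("'")) continue; // 'self', 'none', nonces, hashes
      else if (src === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(src))
        findings.push(`${directive}: ${src} is not limited to named hosts`);
      else if (!isApproved(hostOf(src), approved))
        findings.push(`${directive}: ${src} is not an approved endpoint`);
    }
  }
  return findings;
}
console.log(auditCsp(GOOD, APPROVED), auditCsp(WEAK, APPROVED));
```

An empty result means every script and connection source in the header is on the allowlist; each finding names the directive and the source that falls outside it.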


Is the AI making decisions on behalf of the business?

No.

The Virtual Business Analyst:

  • does not make autonomous business decisions

  • does not execute transactions

  • does not approve, reject, or enforce outcomes

It generates draft insights and suggestions only, which must be reviewed and approved by humans.


How accurate are the outputs?

AI-generated outputs:

  • reflect the information provided by users

  • may contain assumptions, gaps, or ambiguities

  • are intended as starting points, not final artefacts

Human review is required before outputs are used for delivery, decision-making, or governance purposes.


Can the Virtual Business Analyst access my internal systems?

No, unless explicitly configured and approved.

By default, the Virtual Business Analyst:

  • does not connect to ERP, finance, HR, or operational systems

  • does not have live access to internal databases

  • does not retrieve data from client systems

Any integrations are optional, tightly controlled, and agreed in advance.


What happens at the end of a conversation?

When a conversation concludes:

  • a structured summary may be presented for review

  • users may refine or confirm the captured information

  • confirmed summaries can be securely stored as project artefacts

This ensures transparency and accuracy before information is retained.


Is this compliant with privacy and confidentiality obligations?

The Virtual Business Analyst is designed to support compliance with:

  • confidentiality obligations in consulting engagements

  • applicable privacy principles and data-handling expectations

Clients remain in control of what information is shared, reviewed, and retained.


Can sensitive information be excluded?

Yes.

Users are encouraged not to provide:

  • passwords or credentials

  • personal health information

  • highly sensitive or regulated personal data

The Virtual Business Analyst is not intended for handling regulated personal data unless explicitly agreed and configured.


Who owns the outputs?

Unless otherwise agreed contractually:

  • the client owns the project-specific outputs

  • draft materials remain subject to review and validation

The AI does not claim ownership of generated content.


What if we have additional security questions?

We welcome security and IT due-diligence discussions.

Please contact us to:

  • review the security architecture at a high level

  • discuss data handling, retention, and access controls

  • align with your organisation’s risk, compliance, and assurance standards