Ming Fang
Back

Case Study

AWSPrivacyAIArchitecture

Building a Privacy-Compliant AI Chatbot on AWS

A Production Architecture for Australian Businesses

February 2026·12 min read·Ming Fang

TL;DR

  • • Building compliant AI chatbots requires careful architecture, not just legal disclaimers
  • • Data residency in AWS Sydney region is table stakes for Australian enterprises
  • • The 2024 Privacy Act amendments introduce new ADM transparency requirements by Dec 2026
  • • Prompt engineering alone isn't enough — you need proper data isolation, encryption, and audit trails
  • • Production-ready architecture costs ~$500-2000/month for medium-scale deployments

The Problem

Every enterprise I've worked with wants an AI chatbot. The use cases are compelling: 24/7 customer support, internal knowledge bases, automated triage. But here's what stops most projects dead in their tracks: privacy compliance.

Australian businesses face strict obligations under the Privacy Act 1988 (as amended in 2024), and companies operating in New Zealand must comply with the Privacy Act 2020. These aren't just checkboxes — serious or repeated interferences with privacy can result in civil penalties up to the greatest of: AUD 50 million; three times the value of any benefit obtained from the contravention; or (if the court cannot determine the benefit value) 30% of the entity's adjusted turnover during the breach turnover period. The 2024 amendments also introduced lower-tier penalties of up to AUD 3.3 million for less serious breaches.

The challenge? Most off-the-shelf chatbot solutions weren't designed with Australian privacy requirements in mind. They process data overseas, lack proper audit trails, and can't guarantee the data residency and security controls that enterprises need.

After building several production chatbot systems for enterprises in finance, retail, and government sectors, I've developed an architecture that actually works. Here's how to do it properly.

The Architecture

This architecture is built entirely on AWS, using the Sydney (ap-southeast-2) region for data residency. It handles 50,000+ conversations per month while maintaining full compliance with both Australian and New Zealand privacy requirements.

High-Level Components

Click any layer to explore details

01

User → CloudFront → API Gateway

Sydney (ap-southeast-2)

02

Lambda

Conversation Handler

03

Bedrock / SageMaker

LLM Inference

04

DynamoDB

Conversation History

05

S3 + KMS

Encrypted Storage

06

CloudWatch + CloudTrail

Audit Logs

Why These Services?

Amazon Bedrock / SageMaker

Why: Both services allow you to keep data within the Sydney region. Bedrock offers Claude, Llama, and other models with no data retention (critical for privacy). SageMaker gives you more control if you need custom models.

Key config: Opt out of AI service data usage via AWS Organizations policy to ensure your customer conversations aren't used for model training.

DynamoDB + Point-in-Time Recovery

Why: Fast, scalable, and stays in Sydney. Point-in-time recovery lets you restore data if needed for compliance investigations.

Schema: Partition by user_id, sort by timestamp. TTL for automatic deletion after retention period (typically 30-90 days for chatbots).

S3 with KMS Encryption

Why: Long-term storage for audit compliance. Customer-managed KMS keys give clients control over their encryption keys (some enterprises require this).

Lifecycle: Archive to Glacier after 90 days, delete after 7 years (or per client retention policy).

CloudWatch + CloudTrail

Why: Complete audit trail. CloudTrail logs all API calls, CloudWatch tracks who accessed what data and when. Essential for breach notification (72-hour deadline in Australia).

Meeting Privacy Requirements

1. Data Minimisation (APP 3 / IPP 1)

The chatbot should only collect what it needs. Here's how I implement this in practice:

// Lambda function - PII detection before LLM
import { detect_pii, redact_pii } from './pii-utils';

export async function handler(event) {
  const userMessage = event.message;

  // Detect PII in user input
  const piiDetected = detect_pii(userMessage);

  if (piiDetected.contains_sensitive_data) {
    // Redact before sending to LLM
    const redactedMessage = redact_pii(userMessage);

    // Log what was redacted (for audit)
    await logPiiRedaction({
      original_length: userMessage.length,
      pii_types: piiDetected.types,
      timestamp: Date.now()
    });

    return processMessage(redactedMessage);
  }

  return processMessage(userMessage);
}

2. Purpose Limitation (APP 6 / IPP 10)

Conversation data can only be used for the stated purpose. This requires architectural enforcement:

// DynamoDB Item with purpose tagging
{
  "user_id": "user_123",
  "timestamp": 1706745600,
  "message": "encrypted_content",
  "purpose": "customer_support",  // Purpose tag
  "consent_id": "consent_789",     // Link to consent record
  "retention_until": 1714521600    // Auto-delete after 90 days
}

// Lambda - enforce purpose before access
function canAccessConversation(conversation, requestedPurpose) {
  if (conversation.purpose !== requestedPurpose) {
    throw new Error('Purpose mismatch - access denied');
  }

  // Check if consent still valid
  const consent = getConsent(conversation.consent_id);
  if (!consent.isValid()) {
    throw new Error('Consent expired or withdrawn');
  }

  return true;
}

3. Security (APP 11 / IPP 5)

The 2024 amendments require both technical AND organisational measures. Here's the technical stack:

  • Encryption at rest: All DynamoDB tables and S3 buckets use AWS KMS with customer-managed keys
  • Encryption in transit: TLS 1.3 enforced at API Gateway, no HTTP allowed
  • Network isolation: Lambda functions run in VPC, no public internet access
  • IAM least privilege: Each Lambda has a dedicated role with only required permissions
  • Secrets rotation: API keys rotated every 90 days via Secrets Manager

4. Individual Rights (APP 12-13 / IPP 6-7)

Users must be able to access, correct, and delete their data. I build this as a separate admin API:

// Data subject access request (DSAR)
async function handleAccessRequest(userId) {
  // Gather all data
  const conversations = await getConversations(userId);
  const metadata = await getUserMetadata(userId);

  // Export in portable format
  return {
    format: 'JSON',
    data: {
      conversations: conversations,
      metadata: metadata,
      data_sources: ['chatbot', 'support_tickets'],
      generated_at: new Date().toISOString()
    }
  };
}

// Right to deletion
async function handleDeletionRequest(userId) {
  // Delete from all systems
  await deleteFromDynamoDB(userId);
  await deleteFromS3(userId);
  await deleteFromCloudWatch(userId);

  // Log deletion for audit
  await logDeletion({
    user_id: userId,
    deleted_at: Date.now(),
    systems: ['dynamodb', 's3', 'cloudwatch']
  });

  return { status: 'deleted' };
}

Automated Decision-Making (ADM) Transparency

This is new. From December 2026, Australian businesses must disclose when they use automated systems to make decisions that significantly affect individuals.

If your chatbot does more than answer questions — for example, if it approves loan applications, routes support tickets, or makes eligibility decisions — you need to log the decision-making process:

// Log AI decisions with explainability
async function logAIDecision(decision) {
  return {
    user_id: decision.userId,
    decision_type: 'loan_approval',
    decision_outcome: 'approved',
    confidence_score: 0.87,
    factors_considered: [
      'credit_score',
      'income_verification',
      'employment_history'
    ],
    model_version: 'v2.3.1',
    human_review_required: false,
    timestamp: Date.now(),
    explanation: 'Application approved based on credit score above threshold and verified income'
  };
}

// Make explanation available to user
function generateUserExplanation(decision) {
  return `Your application was processed by our AI system.
The decision was based on: ${decision.factors_considered.join(', ')}.
If you believe this decision is incorrect, you can request human review.`;
}

Breach Notification Readiness

Australia requires breach notification to OAIC within 72 hours. This means you need automated detection:

// CloudWatch Alarm for unusual access patterns
{
  "AlarmName": "UnusualDataAccess",
  "MetricName": "DataAccessCount",
  "Threshold": 1000,  // Adjust based on normal traffic
  "EvaluationPeriods": 1,
  "ComparisonOperator": "GreaterThanThreshold",
  "AlarmActions": [
    "arn:aws:sns:ap-southeast-2:xxx:security-alerts"
  ]
}

// SNS notification triggers Lambda for assessment
async function assessBreach(event) {
  const accessLogs = await getRecentAccessLogs();

  // Check if personal information was accessed
  const affectedUsers = identifyAffectedUsers(accessLogs);

  if (affectedUsers.length > 0) {
    // Auto-generate breach report
    await generateBreachReport({
      detected_at: Date.now(),
      affected_users: affectedUsers.length,
      data_types: ['name', 'email', 'conversation_history'],
      likely_harm: 'medium',
      notification_required: true,
      deadline: Date.now() + (72 * 60 * 60 * 1000) // 72 hours
    });

    // Alert security team
    await alertSecurityTeam(affectedUsers);
  }
}

Real-World Costs

Here's what this architecture costs for a medium-sized deployment (50,000 conversations/month). These estimates are based on current AWS pricing for the Sydney (ap-southeast-2) region as of February 2026, using Claude Haiku 4.5 on Bedrock for the LLM layer.

ServiceUsageCost/MonthPricing Basis
Bedrock (Claude Haiku 4.5)50K conversations (~300M input / 120M output tokens)$800-1,200$1/MTok in, $5/MTok out + 10% regional endpoint premium
Lambda100K invocations (VPC)$20$0.20/M requests + GB-seconds compute + VPC endpoint costs
DynamoDBOn-demand + PITR$50$1.25/M WRU, $0.25/M RRU + storage + PITR backup
S3 + Glacier100GB storage$15~$0.025/GB Standard + ~$0.005/GB Glacier in Sydney
KMS5 customer-managed keys$5$1/key/month (verified)
CloudWatchLogs + Metrics$30$0.50/GB log ingestion + storage + custom metrics + alarms
API Gateway50K requests$5$3.50/M REST API requests + data transfer
Total~$925-1,325

Monthly Cost Breakdown

Bedrock (Claude)
$1000
Haiku 4.5
DynamoDB
$50
On-demand + PITR
CloudWatch
$30
Logs + Metrics
Lambda
$20
100K invocations
S3 + Glacier
$15
100GB storage
KMS
$5
5 CMK keys
API Gateway
$5
50K requests
Estimated Total~$925–$1325/mo

Key insight: LLM inference (Bedrock) accounts for ~80–90% of total cost. Optimising prompt length, using caching, and choosing the right model tier (Haiku vs Sonnet) has the biggest impact on your monthly bill.

Note: Costs scale with usage. Using Claude Sonnet instead of Haiku would increase the Bedrock cost by ~3x. High-volume deployments (1M+ conversations/month) can optimise by using SageMaker endpoints with reserved capacity, or Bedrock batch processing for 50% token discount. Sydney regional endpoints carry a 10% premium over global endpoints for Claude 4.5 models — a necessary trade-off for data residency compliance. All prices verified against official AWS pricing pages as of February 2026.

Lessons Learned from Production

1. Don't Skimp on Audit Logs

Every privacy investigation I've been involved with required detailed audit trails. CloudTrail costs are minimal compared to the cost of not being able to answer "who accessed this data and when?" during a breach investigation.

2. Test Deletion Workflows Early

Data deletion is harder than it looks. You need to handle: backups, logs, caches, and replicated data. Test your deletion pipeline before you have your first GDPR-style deletion request.

3. Bedrock's No-Retention Policy is Gold

Unlike some LLM APIs, Bedrock doesn't retain your prompts or responses for model training (when properly configured). This simplifies your data processing agreements significantly.

4. Prompt Engineering Can't Fix Architecture

I've seen teams try to solve privacy with prompts like "don't store PII." That's not compliance — that's hope. You need technical controls: encryption, access policies, audit trails.

5. Data Residency Isn't Optional

For Australian enterprises, especially in finance and government, data must stay in Australia. Sydney region is non-negotiable. Don't even pitch architectures that rely on US/EU regions.

Deployment Options: AWS Cloud vs Self-Hosted

While this article focuses on AWS-managed infrastructure, we offer two deployment models to meet different enterprise requirements:

AWS Managed (Recommended)

  • ✅ Data residency in Sydney (ap-southeast-2)
  • ✅ ISO 27001/27017/27018 certified
  • ✅ Automatic scaling & updates
  • ✅ 99.9% SLA with AWS support
  • ✅ Lower upfront cost (~$500-2K/month)

Best for: Most enterprises, rapid deployment, managed operations

Self-Hosted

  • ✅ Complete infrastructure control
  • ✅ On-premise or your cloud account
  • ✅ Air-gapped deployment option
  • ✅ Custom security hardening
  • ✅ No third-party data processing

Best for: Government agencies, highly regulated industries, specific compliance requirements

Both Options Include

Regardless of deployment model, our implementation provides:

  • • Privacy by Design architecture (APP/IPP compliant)
  • • Encryption at rest and in transit (AES-256, TLS 1.3)
  • • Automated audit trails and access logs
  • • Individual rights management (access, correction, deletion)
  • • ADM transparency framework (2026-ready)
  • • Breach detection and notification workflows
  • • Full source code and infrastructure-as-code
  • • Technical documentation and runbooks

We've built privacy-compliant AI systems for enterprises across both deployment models. If you need to evaluate which approach suits your compliance requirements and risk profile, we can provide a detailed assessment.

Conclusion

Building privacy-compliant AI chatbots isn't about avoiding innovation — it's about building trust. Australian and New Zealand privacy laws exist to protect consumers, and enterprises that treat compliance as a feature (not a burden) will win customer confidence.

The architecture outlined here is production-tested, powering chatbots that handle millions of conversations, process sensitive customer data, and pass enterprise security audits. Whether deployed on AWS with Sydney region data residency or self-hosted on your infrastructure, the compliance framework remains consistent: encryption, access controls, audit trails, and individual rights management built in from day one.

As Australia's ADM transparency requirements take effect in December 2026 and New Zealand's IPP 3A indirect collection notifications become mandatory in May 2026, the window for compliance preparation is closing. Enterprises that architect privacy into their AI systems now will avoid costly retrofits and regulatory exposure later.

Need Help Implementing This?

We deliver privacy-compliant AI agent development for Australian and New Zealand enterprises. Our implementations cover:

  • • Chatbots, document processing, and workflow automation
  • • AWS-managed and self-hosted deployment options
  • • Full APP/IPP compliance framework
  • • Production-ready architecture with technical documentation

Get in touch at contact@mingfang.tech to discuss your compliance requirements and deployment options. We provide detailed assessments and implementation support for both greenfield builds and existing system upgrades.

Further Reading