Data handling policy

We do not train any model on client data.

Quick facts (for procurement)

  • Entity (sales): AI-Native Agency LLC (Delaware) or SAS (France)
  • Insurance: $2M PI + $1M cyber via Lloyd's-backed carrier
  • NDA turnaround: 24 hours from request
  • SOW turnaround: 5 business days from Discovery call
  • Net terms: Net-30 standard, Net-15 on request
  • Data residency: US-region storage available; default EU
  • Sub-processors: Disclosed at /subprocessors; 30-day change notice
  • DPA: GDPR + CCPA, SCCs included

[Figure: client data handling architecture for AI automation with storage regions, model gateway, human review, and audit logging]

Client data is handled inside a controlled workflow: storage-region choice, model gateway, human review, audit logging, and deletion windows.

Headline commitment

We do not train any model on client data.

Client data — prompts, retrieval indexes, audit logs, integration data, reviewer decisions — is used only to operate the workflow you engaged us for. We do not train, fine-tune, or aggregate it for any other purpose. We do not sell it. We do not let our model providers train on it (Anthropic Zero-Data-Retention enabled; OpenAI default-no-training honoured).

Retention policy

Client data is retained only for the engagement duration plus 30 days for handover and reconciliation. After this window, data is deleted from our systems and confirmed in writing.

  • Operational logs: Operational logs retained 12 months (for incident investigation, calibration drift detection, audit defence). Adjustable per client policy.
  • Post-engagement: Logs deleted 30 days after engagement end unless client requests retention for audit purposes.
  • Backups: Daily encrypted backups during engagement; backups deleted within 90 days post-engagement.

Storage regions

EU (default)

EU (eu-west-3 / eu-west-1) for clients with EU data residency requirements.

US (on request)

US regions (us-east-1, us-central1) available on request for US clients.

Client-cloud-only

On-prem / client-cloud-only deployments supported — we never see your data directly.

Every consequential decision the AI workflow produces routes to a human reviewer before action — by default.

Confidence thresholds are calibrated during Build against your labelled test set. Anything below threshold escalates; anything above threshold logs the autonomous decision with full audit trail. Thresholds are client-tunable and reviewed weekly during Run.

PII handling is explicit and minimised.

Prompts and retrieval indexes use redaction layers where the use case permits. PII detection runs on every inference output before downstream action. Optionally, we deploy private inference (Anthropic Bedrock / Azure OpenAI in your VPC) for PHI / regulated workloads.

Procurement contact

Need this in a different format?

We can fill out your security questionnaire (SIG, CAIQ, custom), share insurance certificates, run through procurement legal calls, or sign your standard MSA. Reach out via the discovery call and we'll route you to the right docs.