How we protect your ideas, your documents, and your clients.

You own your content. We only use it to deliver your packs and your private AI assistant.

  1. No selling or ad-tech. We never sell your data or use it for advertising.

  2. No training of public models. Your raw inputs don’t train any shared, public AI model.

  3. Encrypted & time-bound. Data is encrypted in transit and at rest, with limited retention and deletion on request.

    • You own your content.
      All documents, survey responses, and project context you provide remain your intellectual property. We use them solely to deliver your consulting pack(s) and the associated AI business partner.

    • We don’t sell your data.
      We never sell client data, and we don’t share your content with other clients.

    • No training of public models on your raw data.
      Your raw inputs (documents, survey answers, project details) are not used to train any public, general-purpose AI model. Where we rely on third-party AI providers, we configure them so that your data is not used to improve their general models.

    • Anonymized learning (optional, and limited).
      We may use fully anonymized, aggregated patterns (for example, how often certain risk types or governance patterns occur) to improve our internal methods, templates, and automation.

      • Before doing so, we remove names, emails, and project identifiers so no person or organization can be identified.

      • You can request that we exclude your data from this anonymized learning at any time.

    • Encrypted in transit and at rest.
      All data is transmitted over HTTPS/TLS and stored in encrypted-at-rest cloud services.

    • Region-appropriate cloud infrastructure.
      We use reputable, large-scale cloud providers with strong security programs (for example, SOC-style controls and independent audits). We do not host your data on local personal machines.

    • Logical separation by client and project.
      Each client and each initiative is logically separated in our storage and workflow, so content for Project A is not mixed with Project B, and your data is not visible to other organizations.

    If you need more detail (for example, data-residency questions for a procurement process), we’re happy to provide it as part of onboarding.

    • Secure guided intake.
      Your survey answers and document uploads are collected through a secure form and upload system running over HTTPS. We avoid collecting sensitive data over email wherever possible.

      • File types and scanning.
        We restrict accepted file types to standard business formats (PDF, Word, PowerPoint, Excel, etc.) and may scan uploads for malware before they enter our processing pipelines.

      • Minimal data principle.
        We only ask for the information needed to perform high-quality analysis. If something feels over-scoped, you can omit it or redact details before upload.

      • Messy is fine.
        We assume your inputs will be messy, overlapping, and imperfect:

        • spelling mistakes don’t matter

        • half-finished diagrams are fine

        • repetition and tangents are expected

      Our job is to extract and structure the signal, not to judge how polished your material is.

  • Every pack includes a private AI business partner configured specifically for your initiative.

    • Project-scoped context.
      Your AI assistant is powered by your pack’s deliverables and your project context only. It does not “see” other clients’ data.

    • No cross-client training.
      Interactions with your AI business partner do not train any shared, public model. They are used only to answer your questions and improve the experience within your project.

    • Access control.
      You receive a unique link or access method for each initiative. You can share that internally with your team; we recommend limiting access to people who are already authorized for that project.

    • Session logging for quality & safety.
      We may log conversations with your AI assistant for debugging and quality assurance. These logs are protected like other client data and are not used to train public models.

    If you have strict requirements (for example, regulated data or internal SSO), talk to us and we can walk through options.

    • Least-privilege access.
      Internally, only a small delivery team can access raw client data, and only for the purpose of building and validating your deliverables.

    • Role-based access.
      Access is role-based (for example, delivery lead, technical operator). We aim to keep access surfaces small and auditable.

    • Secure workstations.
      Work is performed from secure, authenticated endpoints (for example, full-disk encryption, strong authentication, and screen-lock policies).

    • Confidentiality obligations.
      Everyone who works on your project is bound by confidentiality obligations and internal policies that prohibit misuse or unauthorized disclosure of client data.

    • Working copies vs. final deliverables.
      We keep working copies of inputs and intermediate files only as long as needed to finalize your pack and your AI assistant configuration.

    • Standard retention window.
      By default, we retain your project content for a limited period (for example, 12–24 months) so we can support clarifications, regenerations, or add-ons, unless your contract specifies otherwise.

    • Right to deletion.
      You can ask us to delete project data earlier. Subject to any legal or accounting obligations, we will remove your content from our active systems and backups on a defined schedule and confirm once the process is complete.

    • Specialized infrastructure, tightly controlled.
      We rely on a small set of specialized services for secure forms, cloud storage, and AI infrastructure. Each is selected for strong security practices and contractual data-protection commitments.

    • No ad-tech or tracking junk.
      We don’t use your project content for advertising, and we don’t share your project data with marketing or ad networks.

    • Sub-processor transparency.
      A list of our core sub-processors (infrastructure providers we use to process data on our behalf) is available on request and can be included in your contract if required.

  • Our security controls are designed to align with common best practices, including:

    • Encryption in transit and at rest

    • Access control and least-privilege principles

    • Segregation of client data

    • Logging and monitoring of key systems

    • Documented retention and deletion processes

    We’re happy to answer detailed questionnaires or security addenda as part of your procurement process.

    • Avoid unnecessary personal data.
      Where possible, avoid including highly sensitive personal data (for example, health information or highly confidential PII) in uploads unless it’s essential to the work.

    • Limit internal access.
      Share AI assistant links and deliverables only with colleagues who are authorized for that initiative.

    • Use strong identity controls on your side.
      If you embed our outputs into your own systems, ensure your access controls and identity practices are robust (for example, SSO, MFA, and role-based permissions).

    If you’re unsure whether a specific dataset is appropriate to send, contact us first and we’ll talk it through.