01At a glance
- Customer information is not used to train artificial-intelligence models.
- Customer information is not sold or shared with advertisers or data brokers.
- Information is encrypted in transit and at rest using industry-standard ciphers.
- Customers may request export or deletion of their information at any time.
The remainder of this page sets out the principal categories of measures applied to the Service.
02Cryptographic protection
Information transmitted between client systems and the Service is protected by current industry-standard transport-layer encryption with modern cipher suites and strict transport-security policies. Information at rest is protected by current industry-standard symmetric encryption applied to managed storage media.
Sensitive credentials and tokens are subject to additional layered encryption and are decrypted only within the Service's server runtime for the duration necessary to fulfil a request. Cryptographic keys are managed in accordance with established rotation, custody and revocation procedures.
03Tenant separation
The Service applies logical isolation across customer accounts. Read and write operations are scoped to the requesting account at the application and storage layers, and request context is constrained to the active session. Information from one customer is not accessible to or made available within the context of another customer.
04Controls applicable to artificial-intelligence operations
- Pre-execution validation — operations are subject to multi-layer validation prior to execution.
- Approval gates — operations that create, modify or delete data require explicit user confirmation.
- Risk assessment — operations identified as destructive or unauthorised are blocked and require additional review.
- Audit logging — operations and associated context are recorded for audit and incident-response purposes.
- No training on customer data — customer information is not used to train, fine-tune or adapt artificial-intelligence models, and the Service is configured to ensure that information transmitted to model providers is not retained beyond what is necessary to deliver an immediate response.
05Access governance
- Role-based access controls are applied at the organisation level.
- Modern authentication mechanisms, including multi-factor authentication, are supported.
- Internal access to production environments is restricted to authorised personnel on the principle of least privilege and is subject to logging and review.
- Customer-managed sessions and authorisations may be revoked by the customer at any time.
06Information handling and retention
- Customer information is retained while a customer's subscription remains in effect or as required to comply with applicable law.
- Customers may export information from the Service in standard formats.
- Following a deletion request, information is removed from active production systems within commercially reasonable timeframes; residual copies in routinely cycled backup media are addressed within the standard backup-rotation cycle.
- Aggregated, statistical or otherwise de-identified information may be retained for the operation and improvement of the Service.
07Operational measures
The Service is operated within hardened environments with continuous patching, periodic backups, application monitoring, and structured logging. Security-relevant changes are subject to peer review prior to deployment, and dependencies are continuously screened for known vulnerabilities and addressed in accordance with internal remediation timelines.
08Incident response
In the event the Company becomes aware of a confirmed information-security incident affecting customer information, the Company shall notify affected customers in accordance with applicable contractual and legal requirements and shall provide such further information as is reasonably necessary in the circumstances.
09Compliance posture
The Company's practices are designed to align with prevailing industry frameworks applicable to software-as-a-service providers and with applicable data-protection legislation. The Company periodically reviews and updates its administrative, technical and organisational measures as part of an ongoing programme of improvement.
10Contact
Security-related enquiries from authorised representatives of customers may be directed to the Company through the channels identified in the applicable order documentation.