Back
Trust & Security
Last updated: 2025-02-21 ## Overview euaicompliance.net delivers compliance evidence so regulated teams can demonstrate control over LLM quality, risk, and transparency. We still rely on synthetic workloads to stress-test models, but the product we ship is signed Evidence Packs. This page summarizes the safeguards reviewers most often request. ## Regions and Data Residency - Headquarters: EU-based with EU data residency by default. - Hosting: EU-region cloud providers with optional U.S. region workloads when customers request them. - Cross-border transfers: Standard Contractual Clauses (SCCs) with supplementary technical and contractual measures where required. ## Subprocessors We engage a small set of vetted subprocessors for infrastructure, support, and billing; each is bound by data processing agreements, confidentiality, and least-privilege access controls. - Cloud hosting and storage (EU primary region) - Email and support communications - Payment processing (for commercial transactions) An up-to-date list of subprocessors is available under NDA upon request at [email protected]. ## Security Controls - Network segmentation, hardened baselines, and MFA enforced for all administrative access. - Encryption in transit (TLS 1.2+) and at rest using provider-managed keys or customer-provided keys where supported. - Environment separation for development, staging, and production. - Vulnerability management, code review, and dependency scanning before release. - Continuous monitoring with audit logging retained per contractual and regulatory requirements. ## Synthetic Provenance & SB 942 Disclosures - All public datasets, sample evidence, and marketing examples are AI-generated and labeled as synthetic to satisfy California SB 942. - Evidence Packs include provenance manifests (prompts, reviewers, hashes) so downstream teams can surface SB 942 notices wherever the content appears. - Delivery portals and dashboards display “AI-generated” banners and link back to this Trust & Security summary for additional context. ## Privacy and Regulatory Alignment - Synthetic-first: we do not ingest, sell, or share real personal data inside our QA packs or evidence runs. - EU AI Act: safeguards are mapped to Articles 9 (risk management) and 10 (data governance) with change logs captured in Evidence Packs. - NIST AI RMF: Measure and Manage functions guide our metric coverage, mitigation backlogs, and reviewer attestations. - CPRA/CCPA and other in-force U.S. privacy or AI laws: Evidence Packs document rights-handling, disclosure workflows, and contact channels for consumer inquiries. ## Data Retention - Business contact and account data: retained for the duration of the relationship plus standard back-up and legal retention periods (typically up to 24 months after inactivity). - Synthetic datasets and evidence outputs: retained per license terms; evaluation deliveries auto-expire, while enterprise deliveries follow contract-specific retention or destruction instructions. ## Incident Response - Documented incident response plan with 24/7 on-call escalation. - Customer and regulator notification timelines aligned with applicable law and contract requirements. - Root-cause analysis with remediation tracked to closure and summarized in Evidence Packs when relevant. ## Customer Responsibilities - Manage user access, enforce least privilege, and monitor activity in your environment. - Use datasets in accordance with license terms; do not attempt re-identification. - Maintain your own downstream logging, retention, and disclosure processes, including surfacing SB 942 notices where you redistribute synthetic content. ## Rights and Requests - California residents and other users may submit access, deletion, or opt-out requests by emailing [email protected]; we verify identity and respond within CPRA timelines. - Additional privacy details and contact methods are listed in our Privacy Policy (euaicompliance.net/privacy-policy). ## Contact Security questionnaires, DPA/SCCs, or subprocessor lists: [email protected] We aim to respond within 2 business days for enterprise due diligence requests.