Responsible AI
We think the AI industry has a transparency problem. Too many companies bury their data practices in legal boilerplate and trust you won't read it. Here's what we actually do — in plain English.
How we build
These aren't aspirational values. They're build decisions that apply to every client, every project, without exception.
When we integrate with API-based AI providers (OpenAI, Anthropic, Google), your data is sent to generate a response and discarded — it doesn't enter their training pipeline. For highly sensitive use cases, we deploy open-source models that never leave your infrastructure.
All data in transit is encrypted via TLS 1.3. Data at rest is encrypted with AES-256. We don't offer an unencrypted option. This isn't a feature you pay extra for — it's the baseline.
We write plain-language documentation for every automation we build: what it monitors, what triggers it, what decisions it makes, and what it does with the result. Your team always understands what's running in the background.
Every automation includes escalation thresholds. When the AI encounters ambiguity, unusual input, or a scenario outside its confidence range, it hands off to a human rather than guessing. We define those thresholds with you during the build.
Every tool we build can be paused, adjusted, or disabled by your team without contacting us. We don't build black boxes. We build systems you understand well enough to operate yourself if needed.
We only request the minimum data and API permissions each tool needs to function. Access credentials are stored in encrypted vaults, rotated regularly, and revoked immediately at project end. We don't retain copies of your data after a project closes.
Our limits
Responsible AI means declining work that conflicts with our ethics — regardless of budget or who's asking. These are firm limits, not negotiable on a case-by-case basis.
Every client project includes a signed Data Processing Agreement (DPA) documenting exactly what data we process, why, how long we retain it, and how we delete it. This isn't optional paperwork — it's our commitment to you in writing.
Compliance by jurisdiction
Canada
PIPEDA (Personal Information Protection and Electronic Documents Act)
All client projects are PIPEDA-compliant by default. We follow Canadian principles for consent, data minimisation, and purpose limitation.
United States
CCPA (California Consumer Privacy Act)
For US clients, we design for CCPA alignment — data subject rights, opt-out mechanisms, and data inventory documentation.
United Kingdom
UK GDPR (UK General Data Protection Regulation)
For UK clients, we implement lawful basis documentation, data processing agreements, and retention schedules aligned with UK GDPR.
Australia
Privacy Act 1988 (Australian Privacy Principles)
For Australian clients, we follow the APPs — transparency, data quality, and security requirements for personal information.
We are not lawyers and this is not legal advice. For specific compliance questions, consult a qualified privacy professional in your jurisdiction.
Still have data questions?
We're happy to share our full security documentation, walk you through our build process, or connect you with our DPA before you decide to work with us.