Data handling
Where your data lives
Your governance data is stored in Cloudflare D1 (SQLite at the edge) and Cloudflare KV, hosted in Cloudflare's global network. Assessment data also lives in your browser's localStorage for offline access.
What we store
- Your email address and profile (role, organisation, sector)
- Assessment scores and evidence status
- AI-generated artifacts (decision records, meeting briefs, vendor reviews, etc.)
- Extracted intelligence from uploaded documents
- Chat session metadata and usage counters
- Audit log of governance actions
- Product usage events from a fixed, allowlisted set (visit, signup, export, checkout steps): session-scoped anonymous id before sign-in, your account id after sign-in, kept 24 months, used only to improve the product
- Weekly digest measurement: a first-party open pixel and click tokens on the digest email, disclosed in the privacy policy, with one-click unsubscribe
What we do NOT store
- Your uploaded documents (text is extracted, then the file is discarded)
- Passwords (we use passwordless email verification)
- Payment card details (handled entirely by Stripe)
- Browsing history, third-party analytics, or advertising trackers. No third-party tracking. First-party measurement only.
Data deletion
You can delete your account and all associated data at any time from the app's security settings. When you delete an uploaded document, you can choose to also delete the extracted intelligence. Account deletion removes all data across all tables.
Data export
You can export all your data (GDPR Art. 15/20) from the app's security settings. The export includes your profile, assessments, artifacts, evidence, actions, sessions, usage, and audit log.
Security
Authentication
- Passwordless 6-digit email verification codes
- Codes generated with cryptographic randomness (Web Crypto API)
- Codes expire after 10 minutes, max 5 attempts per code
- IP-based rate limiting on verification (20 attempts per hour)
- JWT sessions with HMAC-SHA256, HttpOnly Secure SameSite cookies
Infrastructure
- Cloudflare Pages Static assets served from global CDN
- Cloudflare Workers Server-side logic at the edge
- Cloudflare D1 Database with parameterized queries (no SQL injection)
- HTTPS enforced (HSTS 2 years, includeSubDomains, preload)
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, COOP, CORP, Referrer-Policy, Permissions-Policy
AI security
- Prompt injection detection (regex + semantic refusal policy)
- Client-supplied context marked as untrusted in the system prompt
- Input sanitization: HTML stripping, null byte removal, message length caps
- No user data is used to train AI models (Anthropic API zero-retention)
AI output governance
We advise professionals on defensibility. We hold ourselves to the same standard.
Defensible Position Standard
Every AI-generated output is governed by the Apparens Doctrine: 10 principles covering evidence discipline, vendor neutrality, role relevance, human responsibility, and confidence marking.
What the AI does
- Generates governance advice, meeting preparation, vendor analysis, evidence checklists, and decision support
- Distinguishes between facts, assumptions, inferences, and validation needs
- Marks vendor claims as unverified until evidenced
- Produces role-specific output adapted to CTO, CISO, CDO, DPO, CFO, EA, Procurement, and Legal responsibilities
What the AI does NOT do
- Does not provide legal advice or formal compliance certification
- Does not approve, certify, or guarantee
- Does not browse the live web during a chat. Current awareness comes from a weekly curated intelligence harvest and from research you explicitly request (public-evidence scan, meeting preparation), always with sources listed for your validation
- Does not replace professional judgment, auditors, or legal counsel
Quality controls
- Doctrine check Deterministic overclaim detection on all high-stakes outputs
- Confidence marking Every material claim is classified: fact, assumption, inference, validation needed
- Forbidden language Words like "compliant," "guaranteed," "audit-proof," and "risk-free" trigger warnings
- Quality gate Every AI response is checked server-side for overclaims, confidence markers, accountability handoff, and unqualified regulatory claims. High-severity findings are delivered with a prominent "needs review before reliance" banner, never passed silently
- Low-temperature generation Regulatory content generates with reduced model randomness for consistency and reproducibility
- Source awareness AI explicitly states when it cannot verify current information
Output versioning
Every AI-generated artifact is saved with: generation date, source workflow, doctrine version, model version, and framework version. This means you can trace why a specific recommendation was produced.
Responsible AI statement
The AI Control Index uses Anthropic's Claude API. We selected Claude for its instruction-following reliability, refusal behavior on harmful requests, and Anthropic's commitment to AI safety research.
- Model: Claude Sonnet 4 (claude-sonnet-4-20250514)
- Data retention: zero retention under Anthropic's API terms
- Training: your data is not used to train any model
- Prompt: governed by the Apparens Doctrine (Defensible Position Standard)
For the news intelligence brief, the Public Evidence Brief, and meeting preparation, the app queries the web via Tavily (search, content extraction, site crawl, and deep research) and the free GLEIF legal-entity register, and it fetches the company's own public website. These services receive company names, public website URLs, and (for meeting preparation) the meeting subject line only. They never receive your identity, your messages, the names of meeting attendees, your concerns, or your assessment data. Every evidence brief includes a source ledger showing exactly which services contributed and which did not, so you can see the work and validate it.
Environmental disclosure
AI inference consumes compute energy. We track session-level environmental estimates and display them transparently in the app. We use efficient prompting practices (dynamic token budgets by task type) to reduce unnecessary compute.
Limitations
We believe trust requires honesty about what we cannot do.
- This product is an advisory tool, not a GRC system of record
- AI outputs may contain errors, outdated information, or incomplete analysis
- Legal and regulatory content requires validation by qualified professionals
- The app currently serves individual professionals, not multi-user enterprise teams
- We do not yet offer SOC 2 certification, penetration test reports, or formal security attestation
We practice what we advise: evidence before assurance. As we grow, this page will grow with it.