Data Security & Privacy

Your client data is not our training data

Strategic work is confidential by definition — client names, financials, board discussions, deal terms. This page says, in plain English, exactly what data Aavartam touches, where it goes, who can see it, and when it's deleted. No jargon, nothing buried in legal text.

The Plain-English Commitments

Six questions every client's legal team asks — answered up front

We'd rather you read this before your CFO or counsel has to ask. The same commitments are available as a signed one-pager and Data Processing Agreement for your records.


What data does Aavartam touch?

Documents you upload (proposals, transcripts, research, financial packs), project details you enter, and meeting notes you capture. We do not store passwords to your other systems or personal identification documents.

Where does it go?

Your data lives in a managed cloud database, encrypted at rest and in transit. AI processing runs through enterprise APIs from named providers — primarily Anthropic — under terms that prohibit using your data to train their models. No anonymous "AI providers."

Who can see it?

The people on your engagement — and no one else. Your data is never shared with other customers, AI vendor employees cannot read it under their enterprise terms, and our own operational access is restricted and logged.

When is it deleted?

AI requests are processed and not retained for training by our providers. Your project data is retained while your account is active, and deleted on request at any time — with written confirmation within 72 hours.

What legal protections exist?

A Data Processing Agreement signed with each client on request. Our AI providers operate under enterprise terms with no-training guarantees and are independently certified (SOC 2 Type II). A mutual NDA template is ready before any data is shared.

What if a client wants their data removed?

One request, by email or through your account contact. We confirm deletion of the engagement's data — documents, knowledge base, outputs — in writing within 72 hours.

How It's Built

Trust by architecture, not by promise

The guarantees above hold because of how the platform is built — not because of a paragraph in our terms.

Enterprise AI APIs, zero-training contracts

All AI calls run on enterprise-tier APIs whose terms prohibit training on customer data. We name our providers, and the no-training commitment flows down contractually — we don't train on your data, and neither can they.

Keys never touch the browser

AI requests route through a secure server-side proxy that injects credentials on the server. No API keys in your browser, no keys in page source, nothing for an attacker to lift from the client.

Engagement-level isolation

Each engagement's documents, knowledge base and outputs are tied to that engagement. Deleting an engagement removes its associated data — context never bleeds between clients or sessions.

Logged data flows

We track what data goes to which provider and when. When a client's legal team asks "show us where our data went," the answer is a structured report — not an anxious conversation.

Enterprise Secure Edition

Private cloud, for environments where shared isn't an option

For corporate strategy offices, financial-services clients and regulated environments, Aavartam can be deployed in a dedicated private cloud — your own isolated environment, with nothing shared across tenants.

  • Dedicated virtual private cloud — your deployment runs in its own isolated network, not shared infrastructure
  • Private AI endpoints — model calls stay inside the controlled environment rather than crossing the public internet
  • Per-client encrypted storage — isolated storage with managed encryption keys per engagement
  • Network boundary controls — outbound traffic restricted to approved destinations only, so data cannot leave by accident
  • Immutable audit logging — every data access recorded with who, what and when

Available on the Programme plan

Private cloud is a deployment tier, not an add-on checkbox — scoped, priced and security-reviewed per client.

Independent security testing

Private deployments are validated with independent vulnerability assessment and penetration testing before go-live.

Your timeline, our runbook

Standard deployment runbook covering environment setup, data migration and client legal review.

Privacy FAQ

The questions clients actually ask

No. We never train AI models on your data, and we use enterprise API contracts that explicitly prohibit our model providers from training their models on it either. Your transcripts, documents and outputs are processed to serve your requests — nothing more.

We name them rather than hiding behind "leading AI providers": AI processing primarily runs on Anthropic's Claude models via their commercial API, whose terms prohibit training on customer content. If we add providers, they're held to the same standard and disclosed on request.

No. Data is scoped to your account and your engagements. There is no cross-customer sharing, no shared knowledge pool, and AI answers for your engagement are grounded only in your engagement's own sources.

Yes. We have a standard mutual NDA and a Data Processing Agreement ready to sign, including an explicit clause that your data will not be used for AI model training. We're equally happy to review your paper.

We're honest about this rather than badge-collecting: our underlying AI and cloud providers are SOC 2 Type II certified, and our own controls are built to that standard with certification on our roadmap. Enterprise clients can review our current security posture in detail under NDA.

Standard deployments run on managed cloud infrastructure with encryption at rest and in transit. On the Programme plan with private cloud deployment, you choose the cloud and region — including running entirely within your own controlled environment.

Due Diligence Welcome

Send us your security questionnaire. We like the hard questions.
