Security & Data Handling
How we handle the data you let us see.
Professional services firms run on confidential information. When we come in to deploy AI, that information is the work. This page is the short version of how we protect it. The long version lives in the engagement letter we sign before any work starts.
Enterprise-tier AI, not consumer accounts
Every engagement uses the enterprise tier of whichever AI platform we recommend (Anthropic Claude for Teams/Enterprise, Microsoft Copilot for M365, and similar). These tiers carry contractual guarantees: your prompts and outputs are not used to train models, are isolated from other customers, and are retained only as long as the platform needs to serve the active session.
Data residency
Where the platform supports it, we configure data residency to Canadian regions. Anthropic, Microsoft, and the other major providers we work with all offer Canadian or US-only routing on their enterprise tiers. We pick the option that matches your firm's regulatory posture.
Scoped access, no shadow storage
Access to your data is limited to the two of us and only for the duration of the engagement. We do not store client data on personal devices, in personal cloud accounts, or in shared drives outside your environment. At engagement close, our access is revoked unless a Fractional retainer continues.
Confidentiality first
Every engagement starts with an NDA, scoped to the specific work and the people involved. We're happy to work under your firm's standard NDA, or under ours if you don't have one. Anything we learn about your business stays with your business. We do not reuse client data or insights across engagements.
Inside your IT policies
If your firm has an internal IT or security team, we work within their standards: their device and access rules, their review process, and their approved tooling. We're an extension of your controls, not an exception you have to make.
Your work, your control
Integrations, runbooks, prompts, and documentation we build for you are yours. Source is delivered, IP is assigned in the engagement letter, and there is no lock-in: if you'd rather run the system with your internal IT team or a different vendor, the handoff is clean.
What we don't do
The list of things that stay off the table.
- Fine-tune models on your data
- Host your data in our own infrastructure
- Share or aggregate insights across clients
- Engage subprocessors or subcontractors you haven't met
- Use consumer-tier AI accounts on engagements
Have a specific security or compliance question?
Send us the question with any constraints your firm operates under (PIPEDA, professional regulator requirements, internal IT policy) and we'll send back a plain-English answer.