Data minimisation
We request the least data necessary for the agreed outcome, and challenge scope that asks for more. Synthetic or redacted data is used for development wherever it is viable.
Every engagement begins with a written data map: what we may access, where it may live, who may touch it, and when it must be destroyed. This page summarises the standards that apply to all client data we handle.
We request the least data necessary for the agreed outcome, and challenge scope that asks for more. Synthetic or redacted data is used for development wherever it is viable.
Data is classified on intake — public, internal, confidential, or special category — and each class carries binding handling rules for storage, transfer, and model exposure.
We claim no rights over your data, never use it to train models — ours or anyone else's — and never share it across engagements. Processing follows your documented instructions.
Every engagement has a named data owner on our side, responsible for the data map, the access list, and certified deletion at the end of the retention period.
Access to client environments is granted per engagement, per role, and expires automatically. Privileged actions require just-in-time elevation and are logged in full. No standing administrative access exists to any client environment.
Held only in the engagement's isolated environment for the duration of the work; deleted or returned at handover unless retention is agreed in writing.
Gold datasets built from client cases belong to the client and transfer at handover; our copies are destroyed on a certified schedule.
Operational logs are retained for the period agreed per engagement — long enough for security and audit, no longer — then purged automatically.
Contracts and invoices are retained as required by UK law, held separately from any client operational data.
Automated controls watch for data leaving approved boundaries, unusual access patterns, and configuration drift. Alerts route to a named responder, and clients are informed of anything material to their data — promptly and in plain language.
We maintain a documented list of the cloud and AI providers used in each engagement, assess them against our data standards before use, and flow our obligations down contractually. No new subprocessor touches your data without your visibility.
This page describes the operating framework of Genius AI Solutions Ltd and is provided for information. It is not legal advice, and it does not amend any contract. Engagement-specific terms — including data processing agreements — are agreed in writing before work begins.
Our full data-handling standards and a draft data processing agreement are available to review before you share anything with us.