Trust — Data Policy & Standards

Your data, governed like it's ours to lose.

Every engagement begins with a written data map: what we may access, where it may live, who may touch it, and when it must be destroyed. This page summarises the standards that apply to all client data we handle.

Governance & classification

Four rules that govern every byte.

01

Data minimisation

We request the least data necessary for the agreed outcome, and challenge scope that asks for more. Synthetic or redacted data is used for development wherever it is viable.

02

Classification before access

Data is classified on intake — public, internal, confidential, or special category — and each class carries binding handling rules for storage, transfer, and model exposure.

03

Client data stays client data

We claim no rights over your data, never use it to train models — ours or anyone else's — and never share it across engagements. Processing follows your documented instructions.

04

Named accountability

Every engagement has a named data owner on our side, responsible for the data map, the access list, and certified deletion at the end of the retention period.

Access controls

Least privilege, verified quarterly.

SSO with enforced MFA on all systems
Role-based access, least privilege
Quarterly access reviews & recertification
Immediate revocation on role change

Access to client environments is granted per engagement, per role, and expires automatically. Privileged actions require just-in-time elevation and are logged in full. No standing administrative access exists to any client environment.

Retention & deletion

Data has a lifecycle. We enforce the end of it.

Working data

Held only in the engagement's isolated environment for the duration of the work; deleted or returned at handover unless retention is agreed in writing.

Evaluation datasets

Gold datasets built from client cases belong to the client and transfer at handover; our copies are destroyed on a certified schedule.

Logs & telemetry

Operational logs are retained for the period agreed per engagement — long enough for security and audit, no longer — then purged automatically.

Contractual records

Contracts and invoices are retained as required by UK law, held separately from any client operational data.

Continuous monitoring

Automated controls watch for data leaving approved boundaries, unusual access patterns, and configuration drift. Alerts route to a named responder, and clients are informed of anything material to their data — promptly and in plain language.

Subprocessors & vendors

We maintain a documented list of the cloud and AI providers used in each engagement, assess them against our data standards before use, and flow our obligations down contractually. No new subprocessor touches your data without your visibility.

This page describes the operating framework of Genius AI Solutions Ltd and is provided for information. It is not legal advice, and it does not amend any contract. Engagement-specific terms — including data processing agreements — are agreed in writing before work begins.

Want the detail behind the summary?

Our full data-handling standards and a draft data processing agreement are available to review before you share anything with us.