VAZE.

Data Processing Agreement.

AI & Enterprise Data Security Standards

1. Scope & Application

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Statement of Work between VAZE Agency ("VAZE," "Processor," "we") and the Client ("Controller," "you") and governs the processing of personal data carried out by VAZE on behalf of the Client. VAZE acts exclusively as the Data Processor; the Client remains the Data Controller and determines the purposes, scope, and means of processing. This DPA applies to all personal data processed in connection with our software engineering, AI development, cloud deployment, and related services, whether such data is stored on-premise, in the cloud, or within AI inference pipelines.

2. AI Model Training & Data Isolation

Client data is never used to train foundational, public, or shared AI models unless the Client provides explicit, documented opt-in consent for a specific use case. All custom large language model (LLM) deployments, retrieval-augmented generation (RAG) systems, and fine-tuned models built for a Client operate within fully compartmentalized environments. Vector databases, embedding stores, and prompt caches are logically and, where applicable, physically isolated per Client. No cross-pollination of data between Client projects occurs at any layer of the AI stack—from ingestion and preprocessing through inference and output caching. Upon request, we will provide architecture documentation demonstrating data isolation boundaries.

3. Security Protocols

VAZE implements enterprise-grade technical and organizational measures designed to protect Client data against unauthorized access, alteration, disclosure, or destruction. These include: AES-256 encryption at rest and TLS 1.3 encryption in transit for all data flows; SOC 2 Type II compliant infrastructure for production workloads; role-based access control (RBAC) enforced across all environments, with principle-of-least-privilege defaults; multi-factor authentication (MFA) for all personnel with access to Client systems; continuous vulnerability scanning and periodic penetration testing; and audit logging with tamper-evident storage for all access events. Security controls are reviewed and updated at least annually, and upon request, we will share relevant compliance certifications and audit summaries under NDA.

4. Approved Sub-Processors

VAZE may engage vetted sub-processors to deliver services. Our current approved sub-processors include Amazon Web Services (AWS) and Google Cloud Platform (GCP) for infrastructure and compute, and OpenAI for inference APIs where specified in the project scope. All third-party AI API integrations (e.g., OpenAI, Anthropic) operate under zero-data-retention policies: no prompts, completions, or Client data are stored or used for model improvement by the sub-processor. We will notify the Client of any material change to the sub-processor list at least thirty (30) days in advance, and the Client may object to any new sub-processor in writing within that period. If a reasonable objection cannot be resolved, the Client may terminate the affected services without penalty.

5. Data Breach Notification

In the event of a confirmed personal data breach, VAZE will notify the Client without undue delay and in no case later than seventy-two (72) hours after becoming aware of the incident. The notification will include the nature and scope of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to mitigate the breach. VAZE will cooperate fully with the Client's incident response and regulatory notification obligations, and will provide follow-up reports as the investigation progresses. We maintain a documented incident response plan that is tested at least annually.

6. Data Deletion & Return

Upon completion or termination of the engagement, or at the Client's written request, VAZE will return all Client data in a standard, machine-readable format and permanently delete all copies from our systems—including backups, staging environments, vector databases, embedding stores, fine-tuned model weights derived from Client data, and AI memory or context caches—within thirty (30) calendar days. Deletion is performed using cryptographic erasure or multi-pass overwrite methods consistent with NIST 800-88 guidelines. We will provide written certification of deletion upon request. Retention beyond the deletion period occurs only where required by applicable law, and such retained data will remain subject to the confidentiality and security obligations of this DPA.