Art. 1 Executive summary
GISTM.ai is an AI assistant for tailings governance built and operated by Data Riders. Our security and privacy commitments apply to GISTM.ai and every Data Riders product. We support two deployment patterns — managed SaaS (with enterprise controls) and private AWS deployment (with customer-controlled KMS keys, VPC isolation and IAM controls).
- TLS 1.2+ on every exposed surface
- AWS SSE-KMS with customer-controlled CMKs on Private AWS
- 30-day document retention
- No foundation-model training on client data (Bedrock, OpenAI Enterprise/ZDR, Anthropic)
- Enterprise SSO (SAML/SCIM/RBAC) on Enterprise plans
- Private VPC and Object Lock options
- Continuous monitoring
- Documented incident response
Art. 2 Deployment options
- Managed SaaS: SAML SSO, SCIM provisioning, RBAC and audit logging on Enterprise plans. The underlying SaaS provider's trust center is available on request under NDA.
- Private AWS: customer-owned AWS account with customer-controlled CMKs, a dedicated VPC, least-privilege IAM and optional S3 Object Lock. Bedrock is the default model provider.
- Customer AI stack: evaluated case by case using the customer's own AI stack (vLLM, Bedrock VPC endpoint or Azure OpenAI). Requires a discovery scope and depends on the available infrastructure.
See the control-by-control matrix in the Trust Center.
Art. 3 Data handling
- Uploaded documents are retained for up to 30 days unless contractually shortened or extended.
- Anonymized metadata may be kept beyond 30 days for aggregate analytics, quotas and billing — it never includes document content.
- Documents are not used to train foundation models; tenant‑scoped continuous improvement (corrections, prompts) is contractual opt‑in and isolated to the customer's workspace.
- Supported ingest sources: customer uploads and, optionally, SharePoint via app-only Microsoft Graph permissions scoped with Sites.Selected.
- Processing consists of LLM inference; data is stored in S3 or in the managed SaaS backends.
- Full data life‑cycle table (file, text, chunks, embeddings, prompts, responses, logs, backups, metadata): /en/security-privacy/#data-lifecycle.
Art. 4 Encryption
- In transit: TLS 1.2+ for all client, service and inter-service traffic.
- At rest: AWS SSE-KMS with customer-managed keys (CMKs) on private deployments.
- Per-tenant isolation and least-privilege IAM for all key operations.
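As an added example (not Data Riders' own tooling), the following checks an S3 bucket's configuration offline against the controls stated in Art. 3 and Art. 4: SSE-KMS default encryption with the customer's CMK, a TLS-only bucket policy, and a lifecycle rule that expires documents within the 30-day retention window. Inputs follow the JSON shapes returned by the S3 GetBucketEncryption, GetBucketPolicy and GetBucketLifecycleConfiguration APIs; the CMK ARN, bucket name and sample configurations are constructed placeholders.

```python
import json

def find_encryption_issues(enc_cfg: dict, cmk_arn: str) -> list:
    """Default encryption must be SSE-KMS and must name the customer's CMK."""
    rules = enc_cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    defaults = [r.get("ApplyServerSideEncryptionByDefault", {}) for r in rules]
    issues = []
    if not any(d.get("SSEAlgorithm") == "aws:kms" for d in defaults):
        issues.append("default encryption is not SSE-KMS")
    if not any(d.get("KMSMasterKeyID") == cmk_arn for d in defaults):
        issues.append("default encryption does not use the customer CMK")
    return issues

def find_transport_issues(policy_json: str) -> list:
    """The bucket policy must deny all S3 actions when aws:SecureTransport is false."""
    for s in json.loads(policy_json).get("Statement", []):
        cond = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (s.get("Effect") == "Deny" and str(cond).lower() == "false"
                and s.get("Action") in ("s3:*", ["s3:*"])):
            return []
    return ["no Deny for non-TLS requests (aws:SecureTransport = false)"]

def find_retention_issues(lifecycle_cfg: dict, max_days: int = 30) -> list:
    """An enabled lifecycle rule must expire objects within the retention window."""
    for r in lifecycle_cfg.get("Rules", []):
        days = r.get("Expiration", {}).get("Days")
        if r.get("Status") == "Enabled" and days is not None and days <= max_days:
            return []
    return [f"no enabled lifecycle rule expiring objects within {max_days} days"]

def check_bucket(enc_cfg, policy_json, lifecycle_cfg, cmk_arn, max_days=30) -> list:
    # Empty list means the bucket matches the stated controls.
    return (find_encryption_issues(enc_cfg, cmk_arn) + find_transport_issues(policy_json)
            + find_retention_issues(lifecycle_cfg, max_days))

# Constructed samples in the shapes GetBucketEncryption / GetBucketPolicy /
# GetBucketLifecycleConfiguration return; the CMK ARN and bucket name are placeholders.
CMK = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
GOOD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK}}]}}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": ["arn:aws:s3:::example-docs", "arn:aws:s3:::example-docs/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
GOOD_LIFECYCLE = {"Rules": [{"ID": "expire-docs", "Status": "Enabled", "Expiration": {"Days": 30}}]}
# Drift: SSE-S3 (AES256) instead of the CMK, and a 90-day expiry.
BAD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
BAD_LIFECYCLE = {"Rules": [{"ID": "expire-docs", "Status": "Enabled", "Expiration": {"Days": 90}}]}

if __name__ == "__main__":
    print(check_bucket(GOOD_ENC, GOOD_POLICY, GOOD_LIFECYCLE, CMK))  # []
    print(check_bucket(BAD_ENC, GOOD_POLICY, BAD_LIFECYCLE, CMK))    # 3 findings
```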
Art. 5 Identity & access
- SaaS: SAML SSO, SCIM provisioning and RBAC.
- Private: AWS IAM, policy-based least privilege and optional customer-managed identity brokering.
- All access is audit-logged and reviewable on request.
Art. 6 Model providers
Underlying models may be served by Amazon Bedrock (preferred for sensitive clients — no training), OpenAI (Enterprise/ZDR or 30‑day retention for abuse detection) and Anthropic (no training by default). Official policies: Bedrock, OpenAI, Anthropic. We choose deployment patterns that prevent client data from being used to train foundation models.
Art. 7 Monitoring
- CloudTrail, GuardDuty, AWS Config, Security Hub, Macie, WAF and Shield deployed where applicable.
- Continuous log aggregation with alerting on anomalous access patterns.
- Quarterly review of rules, alerts and coverage.
Art. 8 Incident response
- Detect: automated alerts from monitoring tooling and human reports are triaged into a central incident queue.
- Contain: revoke credentials, isolate affected systems and stop active threats.
- Assess: determine scope, data impact and root cause using CloudTrail and application logs.
- Notify: affected customers are notified within the contracted SLA (typically 72 hours for confirmed breaches).
- Remediate: apply fixes, rotate keys, restore services and verify no residual access.
- Learn: post-incident review with documented lessons and corrective actions.
Art. 9 Retention & deletion
- Default retention: 30 days for documents; metadata retained per analytics policy.
- Deletion on request: supported by contract; confirmed in writing once complete.
- End-of-engagement data return/deletion follows the contract and can be audited.
Art. 10 Sub-processors
Key sub‑processors include AWS (compute, storage, networking), our managed SaaS platform provider and the model providers listed above. Full public list at /en/sub-processors/; changes are announced ahead of time per the DPA.
Art. 11 Compliance mapping
- LGPD (Brazil) alignment for personal data processing.
- GDPR alignment for European data where applicable.
- Architecture and controls suitable for ISO 27001 and SOC 2 readiness — certifications pursued on demand.
Art. 12 Contact & public controls panel
For questions, incidents or security disclosures write to [email protected] with subject "Security". The public controls panel is available in the Trust Center. Related documents: Privacy Policy · Cookies · Terms of Use · Sub-processors.