Aureum Logo
Aureum Intelligence.
Legal

Data Usage Policy

Effective: January 1, 2026Updated: January 1, 2026

1. Introduction

This Data Usage Policy ("Policy") governs how Aureum Intelligence LLC ("we," "us," "our") collects, processes, stores, and protects data within our enterprise AI security platform. This Policy applies to all customers, users, and partners who interact with our services.

Our commitment to data protection is foundational to our mission of providing secure, compliant, and sovereign AI solutions for enterprise environments.

2. Data Collection Principles

2.1 Purpose Limitation

We collect and process data only for specified, explicit, and legitimate purposes:

  • Providing and maintaining our AI security platform
  • Ensuring regulatory compliance (HIPAA, GDPR, CCPA, etc.)
  • Improving platform functionality and security
  • Responding to customer support requests
  • Conducting necessary business operations

2.2 Data Minimization

We collect only data that is:

  • Adequate, relevant, and limited to what is necessary
  • Directly related to the intended purpose
  • Not excessive in relation to the processing purpose

2.3 No Use for AI Model Training

We do not use customer data, prompts, completions, or any content processed through our platform to train, fine-tune, retrain, or improve our AI models, foundation models, or any machine learning systems. Customer data is processed exclusively to deliver the contracted services.

2.4 Lawful Basis for Processing

We process data based on:

  • Contractual necessity: To fulfill our service obligations
  • Legal obligation: To comply with applicable laws and regulations
  • Legitimate interests: For platform security and improvement
  • Consent: Where explicitly required and obtained

3. Types of Data We Process

3.1 Customer Data

  • Enterprise Configuration Data: System settings, integration parameters, deployment configurations
  • Usage Analytics: Platform interaction data, feature usage patterns, performance metrics
  • Support Data: Ticket information, communication logs, troubleshooting data

3.2 Technical Data

  • System Logs: Infrastructure logs, error reports, security events
  • Performance Metrics: Response times, resource utilization, availability data
  • Security Events: Authentication attempts, access logs, anomaly detection data

3.3 Personal Data (When Applicable)

  • User Information: Names, email addresses, roles, and access credentials
  • Contact Information: Business contact details for account management
  • Technical Identifiers: IP addresses, device identifiers, session tokens

3.4 Special Category Data

We do not process special category data (health, biometric, genetic, etc.) unless:

  • Explicitly required by customer deployment in regulated industries
  • Proper safeguards and consent mechanisms are in place
  • Processing aligns with regulatory requirements (e.g., HIPAA for healthcare)

4. Data Processing Activities

4.1 Data Collection Methods

  • Direct Input: Customer-provided configuration and setup data
  • Automated Collection: System-generated logs and analytics
  • Integration Data: Information from connected enterprise systems
  • Support Interactions: Communications through support channels

4.2 Data Processing Purposes

PurposeData TypesLegal Basis
Service DeliveryCustomer Data, Technical DataContractual necessity
Security MonitoringTechnical Data, Security EventsLegitimate interests
Platform ImprovementUsage Analytics, Performance MetricsLegitimate interests
Regulatory ComplianceAll applicable dataLegal obligation
Customer SupportSupport Data, User InformationContractual necessity
Billing & AdministrationUser Information, Account DataContractual necessity

4.3 Data Retention

We retain data only as long as necessary:

  • Active Customer Data: Retained during active subscription + 90 days post-termination; customers may export data during the 30-day period following termination
  • Technical Logs: Retained for 12 months for security and troubleshooting
  • Support Records: Retained for 3 years from last interaction
  • Compliance Records: Retained as required by applicable regulations (typically 7 years for financial records)
  • Archived Data: Securely archived or deleted per customer request
  • Inference Data: Prompts, completions, and AI agent interaction logs are retained for up to 90 days for debugging and service quality purposes, then automatically purged. Customers may request shorter retention or immediate deletion.

Note: Data within encrypted backups may not be selectively deletable. Backup copies are overwritten according to our backup rotation schedule (30-day cycle), after which deleted data will no longer exist in any form.

5. Data Storage and Security

5.1 Storage Locations

  • Primary Storage: Customer-specified locations (on-premise, private cloud, or sovereign infrastructure)
  • Backup Storage: Encrypted backups in geographically redundant locations
  • Cloud Infrastructure: Aureum's own platform infrastructure runs on major cloud providers (AWS, Azure, GCP) with enterprise-grade security controls. For customers requiring fully on-premise or private cloud deployments, customer data remains entirely within the customer's chosen environment and does not transit Aureum-managed cloud infrastructure without explicit consent.

5.2 Security Measures

  • Encryption: AES-256 encryption at rest and in transit
  • Access Controls: Role-based access, multi-factor authentication
  • Network Security: Firewalls, intrusion detection, network segmentation
  • Physical Security: Secure data centers with biometric access controls
  • Regular Audits: Quarterly security assessments and penetration testing

5.3 Data Sovereignty

We support data sovereignty requirements:

  • Customer determines data residency location
  • No cross-border data transfers without explicit consent
  • Compliance with local data protection laws
  • Sovereign infrastructure options available

5.4 Telemetry and Diagnostics

For on-premise and private cloud deployments, Aureum may collect limited, non-customer-data telemetry for service health monitoring, including: platform version, uptime metrics, error counts (without error content), and resource utilization. This telemetry never includes customer data, prompts, or AI outputs. Customers may opt out of telemetry collection by contacting support@aureumintelligence.com.

5.5 Data Portability

Upon request, we provide customer data exports in standard, machine-readable formats (JSON or CSV). Data export requests are fulfilled within thirty (30) days. There is no charge for reasonable export requests.

6. Data Sharing and Third Parties

6.1 When We Share Data

We only share data in these circumstances:

  • With Customer Consent: Explicit authorization for specific purposes
  • Service Providers: Limited access for necessary technical support (under strict agreements)
  • Legal Requirements: When required by law or regulatory authority
  • Business Transfers: In case of merger, acquisition, or sale (with data protection guarantees)

6.2 Third-Party Restrictions

  • No selling of customer data
  • No marketing use of customer data
  • No sharing with data brokers or advertising networks
  • Strict confidentiality agreements with all service providers

6.3 International Transfers

  • Data transfers only occur with appropriate safeguards
  • Standard Contractual Clauses (SCCs) for EU data
  • Adequacy decisions respected where applicable
  • Customer approval required for cross-border transfers

7. Data Subject Rights

Customers and users have the right to:

7.1 Access and Portability

  • Request copies of their data
  • Receive data in structured, machine-readable formats
  • Access data processing records

7.2 Correction and Deletion

  • Request correction of inaccurate data
  • Request deletion of data (subject to legal retention requirements)
  • Withdraw consent where applicable

7.3 Restriction and Objection

  • Request restriction of data processing
  • Object to specific processing activities
  • Opt-out of marketing communications

7.4 How to Exercise Rights

  • Submit requests via: privacy@aureumintelligence.com
  • Response time: 30 days from request receipt
  • No fee for reasonable requests
  • Identity verification required for sensitive requests

8. Compliance and Regulatory Alignment

8.1 Regulatory Frameworks

We align with:

  • GDPR (General Data Protection Regulation)
  • CCPA/CPRA (California Consumer Privacy Act)
  • HIPAA (Health Insurance Portability and Accountability Act) - for healthcare deployments
  • SOC 2 Type II compliance
  • ISO 27001 information security standards
  • NIST AI Risk Management Framework

8.2 Industry-Specific Requirements

  • Healthcare: HIPAA-compliant data handling, BAAs available
  • Finance: PCI-DSS alignment, financial data protection
  • Government: FedRAMP-ready infrastructure, sovereign options
  • Enterprise: Custom compliance requirements supported

8.3 Audit and Certification

  • Annual third-party security audits
  • Regular compliance assessments
  • Certification maintenance and renewal
  • Customer audit rights per Data Processing Agreement

9. Data Breach Response

9.1 Detection and Response

  • 24/7 security monitoring and incident detection
  • Incident response team on standby
  • Automated alerting and escalation procedures
  • Containment and remediation protocols

9.2 Notification Requirements

  • Internal: Immediate notification to security leadership
  • Customers: Within 72 hours of confirmed breach (or as required by law)
  • Regulators: As mandated by applicable regulations
  • Public: As required or appropriate for transparency

9.3 Breach Management

  • Root cause analysis and documentation
  • Remediation and prevention measures
  • Post-incident review and process improvement
  • Customer support and guidance

10. Policy Updates and Communication

10.1 Updates

  • We may update this Policy periodically
  • Significant changes will be communicated 30 days in advance
  • Continued use of services constitutes acceptance of updated Policy
  • Version history maintained and accessible

10.2 Communication

  • Policy updates posted at: https://aureumintelligence.com/privacy
  • Email notifications for significant changes
  • Customer account dashboard announcements
  • Direct communication for affected customers

11. Contact Information

For questions, concerns, or data rights requests:

Data Protection Officer Aureum Intelligence LLC 5256 Bethel Reed Park, Suite 3 Columbus, Ohio 43220

Email: privacy@aureumintelligence.com Hours: Monday-Friday, 9:00 AM - 6:00 PM EST

Complaints: You may file complaints with your local data protection authority if you believe your rights have been violated.

12. Acknowledgment

By using Aureum Intelligence services, you acknowledge that you have read, understood, and agree to this Data Usage Policy. This Policy is incorporated by reference into our Terms of Service and Data Processing Agreement.

Document Version: 1.0 Next Review Date: January 1, 2027 Approved By: Legal Department, Aureum Intelligence LLC