Trust and security

The page you can forward internally. Dense, honest, calm.

Every serious buyer forwards this page to their security and compliance teams before inviting us into a procurement. We wrote it for that person. No marketing varnish, no claims we cannot defend on a reference call.

Certifications and frameworks

We hold ourselves to the frameworks our customers are audited against. As of May 2026, Datablooz is certified to both ISO/IEC 42001 and ISO/IEC 27001, and operates GDPR-compliant by default.

  • ISO/IEC 42001 Artificial Intelligence Management System Certified badge
    ISO/IEC 42001
    Certified

    AI management system. The international standard for responsible AI management. Certified May 2026, one of the few AI implementation teams to hold it.

  • ISO/IEC 27001 Certified badge
    ISO/IEC 27001
    Certified

    Information security management system. Certified May 2026, with scope and controls audited by an accredited body.

  • GDPR Compliant badge
    GDPR
    Compliant

    Data processing agreement template available. EU data residency available on request. DPO contact on request.

Responsible and governed AI

Every model we ship has a documented evaluation report, a failure-mode analysis, and a governance owner on the customer side. Human-in-the-loop review is the default wherever the stakes are real.

Bias testing, drift monitoring, and retraining policy are scoped during delivery, not negotiated after an incident.

  • Data handling

    Minimum necessary data, customer-owned, never used to train foundation models.

  • Model evaluation

    Measured baselines, failure modes, and acceptance thresholds agreed before go-live.

  • Bias testing

    Scoped per use case. Documented in the model card.

  • Human-in-the-loop

    Review queues where decisions affect people or regulated outcomes.

  • Red-teaming

    For GenAI and agentic systems, adversarial testing is part of acceptance.

Data protection

US and EU data residency available. Customer data is processed under a written DPA, with sub-processor disclosures and right-to-audit language for enterprise engagements.

  • DPA template

    Available on request. Customer redlines welcomed.

  • Sub-processor list

    Current list shared under NDA during procurement.

  • Data residency

    US and EU regions available. Alternative regions supported where the engagement requires it.

  • Encryption

    Encryption in transit and at rest. Customer-managed keys available where the platform supports it.

IP and deliverable ownership

Clients own the custom models, code, and deliverables we build for them. We retain rights only to generic frameworks, patterns, and pre-existing Datablooz platform components that we explicitly identify before the engagement begins.

  • Custom models

    Owned by the customer. Weights, artifacts, and training configuration transferred on request.

  • Source code

    Delivered to the customer-controlled repository at every milestone.

  • Training data

    Customer-owned. Never reused across engagements without explicit written approval.

  • Datablooz platform primitives

    Licensed to the customer for the scope of the engagement, with options for longer-term use.

Insurance

We carry professional indemnity (E&O) and cyber liability cover appropriate for the engagements we take on. Certificates of insurance and current limits are shared during procurement.

  • Professional indemnity

    Current certificate available on request.

  • Cyber liability

    Current certificate available on request.

Incident response

A security or privacy incident is not a surprise we absorb quietly. Notification, triage, and customer communication are defined up front.

  • Notification SLA

    Customer notification within 72 hours of confirmed incident.

  • Escalation path

    Named security contact on both sides before the engagement starts.

  • Post-incident review

    Written within 10 business days of containment. Shared with customer.

  • Security contact

    Reach us at info@datablooz.com.

Vendor assessment pack

Procurement questionnaires (CAIQ Lite, SIG Lite, custom frameworks) can be completed on request. Most responses are pre-prepared for the frameworks we see repeatedly.

  • CAIQ Lite

    Pre-prepared. Shared under NDA.

  • SIG Lite

    Pre-prepared. Shared under NDA.

  • Custom questionnaires

    Completed within 5 business days during active procurement.

Contact for security, privacy, and procurement
info@datablooz.com

One address for DPA requests, sub-processor lists, vulnerability disclosures, incident reports, and vendor-assessment questionnaires. Response within one business day.

Talk to us