Security & Data-Handling Overview
Last updated: [Date]
Scope: PD Insights is an independent consultancy (Pete Dunn). This overview describes the operating practices used on engagements. It is not a formal security certification (such as SOC 2 or ISO 27001) and is not legal advice. Specifics are set per engagement in the Statement of Work and Data Processing Addendum.
The goal is simple: use the least data needed, keep a human in front of anything that matters, and never put your information somewhere it can leak or be used to train someone else's model.
How data is handled
- Access — least-privilege, engagement-scoped; accounts use multi-factor authentication and working devices use full-disk encryption.
- Data minimization — only data required for the workflow is used; the rest is excluded or redacted.
- Encryption — in transit, and at rest where the underlying platform supports it.
- AI tools — only approved tools are used, recorded in an AI Tool Approval Matrix; vendor retention, training-use, and hosting terms are reviewed first.
- Model training — your data is not used to train public or third-party models unless you expressly agree in writing.
- Untrusted input — external content (files, emails, web pages) is treated as data, never as instructions, and is sanitized before it is passed to any tool.
- Human review — AI outputs pass a named human-review point before any high-impact or external use; rules that must be applied exactly are implemented in deterministic code rather than left to a model.
- Logging — for high-impact workflows, the inputs, sources, outputs, the reviewer, and the final action taken are logged.
- Retention & deletion — data is returned or deleted on completion or request, except copies required for legal, archival, or backup purposes.
- Incident notice — if a data incident affecting your information is identified, you are notified without undue delay (target within 72 hours where feasible).
Continuity
Code and accounts are client-owned, runbooks are documented, and a backup/handoff path is defined for retainer clients — so a delivered workflow is recoverable and supportable without depending on one person.
Compliance boundary
This overview describes operating practices, not a certification or legal determination. You remain the owner of regulatory decisions for your data and industry; PD Insights supports reasonable diligence and adapts controls per engagement.
Contact
Need a security questionnaire completed? Contact Pete Dunn — pete@pdinsights.ai.
