TRUST
Security & data handling.
Last updated: 24 April 2026
We're an early-stage firm. We don't have SOC 2 yet. Here's exactly what we do — and don't do — with your data, written plainly so you can decide if it's enough for your security review.
Honest baseline: read-only access by default · no prompt or output content stored · NDA + DPA signed before any data exchange · SOC 2 Type II is on the roadmap, not in hand.
1. What we touch
- Provider invoices & usage exports — OpenAI, Anthropic, AWS Bedrock, Google Vertex AI, Azure OpenAI billing CSVs/JSON.
- Gateway logs — LiteLLM, Helicone, Langfuse, OpenRouter, or your own proxy. Aggregated metadata only (model, token counts, latency, request volume).
- Read-only API keys with billing-export scope, never write keys, never production model keys.
2. What we don't touch
- Prompt content, model output, and end-user PII are not stored in our systems by default.
- If a specific optimization (e.g. semantic cache tuning) needs prompt samples, we ask explicit per-feature approval and scope sampling tightly. You can revoke any time.
- We never use your data to train any model. We never sell or share with third parties.
3. How we handle credentials
- Credentials live in a password manager with hardware-key-protected access. They are never committed to git, never pasted into Slack/email, never embedded in reports.
- You can rotate or revoke at any time without notice. We log every credential use to your engagement audit trail.
- Engagement ends → credentials are revoked by you and purged from our manager within 7 days.
4. Where data lives
- Encrypted databases (AES-256 at rest, TLS 1.2+ in transit). Region selectable EU or US at engagement kickoff.
- Backups are encrypted and retained 30 days.
- Access is limited to operators assigned to your engagement; access is logged.
5. Sub-processors
We disclose every sub-processor in the DPA. Current list (subject to change with notice):
| Cloud hosting | AWS (us-east-1 / eu-west-1) |
| Google Workspace | |
| Analytics (this site) | Google Analytics 4 / Tag Manager |
| Payments | Stripe |
6. Compliance
- GDPR / UK GDPR / CCPA — DPA available on request. EU/UK transfers covered by SCCs.
- HIPAA — not currently set up. Don't send us PHI.
- SOC 2 Type II — on roadmap. We can share our controls memo and pen-test summary under NDA in the meantime.
7. Reporting a vulnerability
Email [email protected]. We acknowledge within 2 business days. See also /.well-known/security.txt.
8. Incident response
Security incidents involving customer data are disclosed to affected customers within 72 hours of confirmation. Post-mortems are shared within 14 days.
← Back to llmcfo.com