At ZeroStone, the security and privacy of your data form the cornerstone of our partnership. As we pioneer the future of business with advanced agentic AI solutions, we recognize that our most important responsibility is upholding the trust you place in us to handle your sensitive information with the utmost care, integrity, and confidentiality.
This document outlines our comprehensive data privacy and security framework, which governs every aspect of our engagement. From initial financial analysis leveraging your data, to building solutions within your environment or ours, and through to the continuous managed services of data infrastructure and AI governance—our approach is built upon unwavering principles of security by design, data minimization, and transparent operations. We are committed to providing you with state-of-the-art AI capabilities, backed by a security posture that ensures your data is always protected, and that its use is always limited to the specific purposes you have authorized.
Across our service lines, these principles are rigorously applied:
Financial Analysis
All analyses are conducted within secure, isolated environments typically within your own cloud infrastructure, ensuring your data never leaves your control. We enforce strict access controls and prioritize de-identification and aggregation techniques to protect data while delivering critical insights.
Solution Development
Our development process is governed by strict data security and privacy protocols, regardless of where the solution is built. Whether development occurs within your cloud environment or our own secure labs, our teams operate under the principle of least privilege, ensuring access to your data is limited, role-based, and logged. We employ secure coding practices and data handling procedures throughout the entire development lifecycle to safeguard your information, guaranteeing its integrity and confidentiality are maintained at every stage of creation.
Managed Services
Our commitment to your data's security and privacy is continuous. For our managed agentic AI solutions, we apply the same rigorous security framework whether the solution operates within your cloud environment or ours. This includes continuous monitoring for threats, strict enforcement of access controls, and ongoing governance to ensure the AI solution adheres strictly to your data handling policies and regulatory obligations, guaranteeing its secure and compliant operation over its entire lifecycle.
Our goal is to empower your organization with transformative technology while providing an absolute guarantee of data protection. We view ourselves not just as a service provider, but as a dedicated steward of your data. This policy is our commitment to that stewardship.
This document sets forth the technical and procedural measures employed by ZeroStone AI Inc. (ZeroStone) to protect client data during the machine learning and AI project development lifecycle. The policy applies to all data processing activities undertaken by ZeroStone on behalf of clients.
Client data transfers should occur via one of the following recommended methods, unless alternative arrangements are explicitly authorized in writing by the client:
SFTP utilizing SSH 2.0 or higher. Authentication is performed using public key cryptography with a minimum key length of 4096 bits (RSA) or 256 bits (ECDSA).
Direct upload to enterprise cloud storage services (Azure Blob Storage, AWS S3, or equivalent) using time-limited, write-only access credentials. This method is preferred for large datasets (>10 GB) due to superior performance and resumability. Requirements include:
Data transfers via the following methods are prohibited unless explicitly authorized in writing by the client:
While ZeroStone strongly advises against the use of these methods due to inherent security risks, we may accommodate client-directed transfers if the client provides written authorization acknowledging these risks. Such authorization shall be documented.
All file transfer activities are logged, including timestamp, user identifier, source, destination, and file metadata.
All data transmitted across networks should employ TLS 1.2 or higher with Perfect Forward Secrecy cipher suites. Certificates are issued by recognized Certificate Authorities and monitored for expiration. Alternative encryption standards may be accommodated with explicit written client authorization, where operationally required.
All client data stored on any medium is encrypted using AES-256 symmetric encryption. Encryption keys are managed through industry-standard key management services and are stored separately from encrypted data. Key rotation occurs annually at minimum.
Client data is stored on infrastructure with the following characteristics:
In multi-tenant environments, client data is logically separated by tenant. Technical controls prevent cross-client data access.
When ZeroStone personnel operate within client-controlled cloud environments or on-premises infrastructure, the following protocols apply:
When client data is processed within ZeroStone-controlled environments (subject to client contractual authorization), the following protocols apply:
ZeroStone prioritizes the use of Canadian cloud regions for data storage and processing whenever operationally feasible. This approach aligns with Canadian data protection standards and minimizes cross-border data transfer considerations.
Where specific client requirements, service availability, or operational constraints necessitate the use of infrastructure located outside Canada, the following provisions apply:
Primary Jurisdiction: United States-based cloud services may be utilized as secondary options, subject to client agreement and contractual authorization.
Client Notification: Clients are informed of the specific geographic locations where their data will be stored and processed prior to project commencement. Any changes to data storage locations require written client approval.
Legal Protections: Cross-border data transfers are governed by contractual provisions ensuring that data protection standards equivalent to those required under Canadian privacy legislation are maintained. Service providers are contractually obligated to comply with applicable data protection requirements.
Data Transfer Restrictions: Data shall not be transferred to jurisdictions outside Canada or the United States without explicit written authorization from the client and appropriate legal mechanisms to ensure adequate protection.
Prior to machine learning or AI processing, all client data undergoes automated PII detection using enterprise-grade detection frameworks. The detection process identifies:
ZeroStone employs a risk-based approach to PII handling, recognizing that certain AI applications may require the processing of identifiable information to deliver business value. The specific approach is determined through consultation with the client and documented in the project agreement.
Where technically feasible and aligned with business requirements, detected PII is replaced using industry-standard pseudonymization techniques with the following methods:
| PII Type | Anonymization Method |
|---|---|
| Names | Pseudonymization with realistic replacements |
| Email addresses | Domain-preserving pseudonymization |
| Phone numbers | Format-preserving tokenization |
| Addresses | Geographic region-preserving replacement |
| Dates | Date shifting with interval preservation |
| Numeric identifiers | Format-preserving encryption |
Where business requirements necessitate the processing of identifiable information, the following enhanced controls apply:
Following automated anonymization (where applied), a manual review is conducted on a sample of the processed data (minimum 10-20 records) to verify complete PII removal. An anonymization report is generated documenting detected entity types, methods applied, and validation results.
Where the de-identification approach is employed, raw data containing PII is securely deleted following successful anonymization and validation. Only de-identified data is used for subsequent ML/AI operations.
When utilizing third-party LLM services, the following requirements apply:
Service Tier: Only business or enterprise tier API services are utilized. Consumer-grade services are prohibited for client data processing.
Data Retention: Third-party providers must contractually guarantee maximum data retention of 30 days, after which all inputs and outputs are automatically deleted.
Training Prohibition: Third-party providers must contractually guarantee that client data will not be used to train or improve AI models.
Security Certifications: Third-party providers must maintain recognized security certifications (SOC 2 Type II, ISO 27001, or equivalent).
As a default policy, all data sent to third-party LLM providers shall have undergone PII removal as described in Section 3. However, with explicit written authorization from the client, PII may be processed through a third-party LLM provider, provided the service meets the requirements for business/enterprise tier, data retention, and training prohibition as set out in this section.
Access to client data is governed by the following principles:
Least Privilege: Personnel are granted the minimum access necessary to perform assigned duties.
Role-Based Access Control: Access is assigned based on predefined roles rather than individual user grants.
Access Reviews: All access permissions are reviewed quarterly. Any unnecessary access is revoked immediately.
Termination Procedures: Upon separation from employment or contract termination, access is revoked within one hour.
All personnel accessing client data must utilize:
All access to client data is logged with the following information:
Logs are retained for 90 days (security-relevant logs retained for one year) and stored in tamper-evident systems with restricted access.
Each AI agent or automated system is assigned a unique non-human identity, such as a service principal or managed identity, within the operating environment. These identities are subject to the same principles of least privilege and role-based access control as human users.
Continuous monitoring of AI agent activities is performed to ensure operational integrity and detect anomalous behavior.
ZeroStone shall conduct regular risk assessments to systematically identify, analyze, and evaluate risks to client data and the supporting information systems. The risk assessment process includes:
Risk assessments are conducted periodically as part of our managed services, or upon significant changes to the environment, such as the introduction of new technologies or changes in the threat landscape.
For risks identified as unacceptable, a risk treatment plan is developed. Treatment options include:
The selection of security controls is based on the results of the risk assessment and is aligned with the requirements of ISO/IEC 27001:2022, Annex A.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Raw client data | Per client agreement or immediate deletion post-anonymization | Contractual obligation or operational requirement |
| Anonymized ML datasets | 3 years following project completion | Model reproducibility and validation |
| System logs (operational) | 90 days | Troubleshooting and diagnostics |
| System logs (security) | 1 year | Security forensics and compliance |
| Backup data | 30 days | Disaster recovery |
Data deletion is performed using one of the following methods:
Clients may request deletion of their data at any time. Deletion requests are processed within 30 days, and written confirmation of deletion is provided. Minimal metadata may be retained for legal or audit purposes, as documented in the client agreement.
In the event of a confirmed data breach or unauthorized access to client data:
The organization's data handling practices are designed to align with Canadian privacy legislation, including:
Data processing activities incorporate principles of consent, limited collection, appropriate use, and individual access rights consistent with Canadian privacy standards.
Data security practices are informed by internationally recognized security frameworks and standards, including ISO/IEC 27001:2022. The organization's Information Security Management System (ISMS) is designed to be consistent with the principles and controls of ISO 27001 and SOC 2. While formal third-party certification has not yet been pursued, our security controls are designed to address:
Subject to confidentiality agreements and operational constraints, the organization may provide documentation regarding:
Clients may exercise the following rights regarding their data:
Access: Request copies of data held by the organization
Rectification: Request correction of inaccurate data
Erasure: Request deletion of data (subject to legal retention obligations)
Portability: Request data in a structured, commonly used format
Restriction: Request limitation of data processing activities
Objection: Object to specific data processing activities
Requests are acknowledged within 5 business days and completed within 30 days of receipt.
.jpg)
Google Cloud (GCP)is a leading public cloud platform, enabling organizations to build and manage systems that scale infinitely. Amongst public clouds, Google Cloud is a leader is AI/ML and data warehousing, bringing the best-in-class products from Google and the open-source community. Companies choose GCP for a modern and cutting edge cloud experience.
.svg){kind=spacer}
.svg){kind=spacer}
