How is sensitive data protected?

All documents are encrypted with AES-256-GCM at rest and TLS 1.2+ in transit. A GDPR anonymization layer removes PII before any AI processing. Hosted on Vercel + Supabase (both SOC 2 Type II); Decision Intel’s own product-level audit is targeted for Q4 2026.

How long does integration take?

Less than 30 minutes. Upload documents directly, connect via OAuth for Slack, or use our REST API for bulk processing.

How does outcome tracking work?

Outcomes are detected automatically from follow-up documents, Slack messages, and web intelligence. You confirm with one click. Each reported outcome makes your future analyses more accurate.

How is Decision Intel different from ChatGPT or a general AI assistant?

ChatGPT gives one opinion from one model: ungoverned, untraceable, unaudited. Decision Intel is the reasoning audit platform. Most tools audit your data; we audit your reasoning — and catch the fatal blind spots in strategic memos before the committee does. It measures the noise in your reasoning the same way Kahneman did in the insurance underwriter study, simulates an AI boardroom of CEO, CFO, and board personas, runs what-if interventions against a 143-case public reference library, and compounds every confirmed outcome back into a calibrated Decision Quality Index your audit committee can defend. Not a chatbot; a reasoning audit, checkable from memo to outcome.

Enterprise-grade security posture

Built for the audit committee,
not the afterthought.

AES-256-GCM at rest with keyVersion rotation, TLS 1.2+ in transit, an immutable audit log, and every flag cross-linked to a specific regulatory provision across 19 international frameworks spanning G7, EU, GCC, and African markets. A Fortune-500 security questionnaire finishes in minutes, not weeks.

See the trust spine Privacy policy

Encryption chain

Browser to vault, end-to-end

Browser

TLS 1.2+

API edge

session auth

Anonymize

PII stripped

Pipeline

in-tenant

Vault

AES-256-GCM

Postgres

keyVersion stamp

Every row in the encrypted columns carries a keyVersion stamp so keys can be rotated without bricking historical data.

Trust spine

Five controls a GC actually tests

Every enterprise security questionnaire probes the same five things. This is how Decision Intel answers each one today, with code paths, not aspirations.

AES-256-GCM at rest, with rotation

Strategic memos and Slack bot tokens are encrypted with authenticated AES-256-GCM. Every encrypted row carries a keyVersion stamp so keys rotate without bricking historical data.

GDPR anonymizer runs first

PII is detected and redacted as the literal first node of the analysis pipeline. No analysis LLM ever sees the raw document.

19 regulatory frameworks, provision-level

Every flag we surface carries a citation across SOX §404, GDPR Article 22, EU AI Act Annex III, Basel III, FCA Consumer Duty, SEC Reg D, and LPOA. Your GC can defend each flag against its source.

Immutable audit log

Every sensitive action (exports, decryptions, deletions, recalibrations) writes an AuditLog row with the actor, the resource, and a structured details payload. Admins see the full firehose with filters.

SOC 2 infrastructure

Hosted on Vercel (SOC 2 Type II) + Supabase (SOC 2 Type II, HIPAA). Our own product audit is targeted for Type I completion in Q4 2026, with the Type II observation window opening immediately after. In-flight controls already mirror Type II.

SOC 2 receipts

The audit metadata behind the trust band

What a Fortune 500 vendor-risk register asks for once the technical posture passes review: issue date, auditor identity, observation window, and scope. Decision Intel's product-level Type I is targeted (not yet issued); each sub-processor's Type II report covers the surface that holds customer data, and we name the auditor + the verification path so a reviewer can confirm independently.

Targeted

Decision Intel Ltd. (Processor)

Application + reasoning-audit pipeline

SOC 2 Type I

Window

Targeted Q4 2026 issuance · Type II window opens immediately after

Auditor

Audit firm to be named at engagement (Big-4 or AICPA-listed Tier-1 specialist). In-flight controls already mirror Type II.

Scope

Decision Intel application, analysis pipeline, Decision Provenance Record generation, audit-log immutability, encryption-key rotation, and access control for customer-uploaded documents.

Verify

Status disclosed in writing on every Enterprise pilot agreement.

Attested

Vercel Inc. (Sub-processor)

Application hosting + edge compute

SOC 2 Type II

Window

Continuous · current report covers a rolling 12-month window

Auditor

Insight Assurance · AICPA-registered

Scope

Edge runtime, deployment pipeline, build infrastructure, and the platform on which Decision Intel runs.

Verify

Trust portal · vercel.com/legal/soc2

Attested

Supabase Inc. (Sub-processor)

Postgres + Auth + file storage

SOC 2 Type II + HIPAA

Window

Continuous · current report covers a rolling 12-month window

Auditor

Prescient Assurance · AICPA-registered

Scope

Database, authentication, file storage, point-in-time recovery, and backup infrastructure that holds customer documents and audit logs.

Verify

Trust portal · supabase.com/security · HIPAA BAA available on Enterprise

Attested

Sentry (Sub-processor)

Error monitoring

SOC 2 Type II

Window

Continuous · current report covers a rolling 12-month window

Auditor

Audit firm disclosed in trust portal

Scope

Error capture and runtime telemetry. PII scrubbing is enabled at SDK level so Sentry never receives raw document content.

Verify

Trust portal · sentry.io/trust

Attested

Stripe Inc. (Sub-processor)

Billing

SOC 2 Type II + SOC 1 Type II + PCI-DSS Level 1

Window

Continuous · current report covers a rolling 12-month window

Auditor

Audit firm disclosed in trust portal

Scope

Subscription billing, payment-method storage, and invoicing. No document content flows through Stripe.

Verify

Trust portal · stripe.com/docs/security

Audit log retention

How long every action lives in the audit trail

Every audit log entry is immutable, append-only, and timestamped at write. Entries are queryable via the AdminAuditLog UI inside the customer account and exportable as a single JSON bundle via the account-data export endpoint (Enterprise tier). The retention window starts at the entry write timestamp; expired entries are archived to cold storage for an additional 90 days before cryptographic destruction. When a customer leaves the platform, the active retention window survives the contract end-date so post-departure regulatory queries can still be answered.

Individual

1 year

Legal-defensible floor for individual-buyer accounts.

Strategy (team)

3 years

Mid-market default for team accounts running quarterly board cycles.

Enterprise

7 years

SOX §404 internal-controls aligned. Custom retention (HIPAA, banking, government) negotiable on pilot agreement.

Vendor-risk questionnaire

The SIG / VSA / CAIQ rows answered up front

A Fortune 500 vendor-risk register works in question→answer→verification triples and circles every gap in red. Below: the ten rows that recur on every SIG (Standardized Information Gathering), VSA (Vendor Security Assessment) and CAIQ (Cloud Security Alliance Consensus Assessment Initiative Questionnaire) that lands on a CSO or GC desk. Copy answers row-for-row into the questionnaire; each verification path resolves to a public trust portal or a contractual commitment in the pilot agreement.

control

Are SOC 2 Type II reports issued by an independent registered auditor for the platform infrastructure?

Yes. Vercel (application hosting + edge compute) — SOC 2 Type II by Insight Assurance, AICPA-registered, continuous rolling 12-month observation window. Supabase (Postgres + Auth + file storage) — SOC 2 Type II + HIPAA by Prescient Assurance, AICPA-registered, continuous rolling 12-month window. Both reports cover the platform on which Decision Intel runs.

Verify:vercel.com/legal/soc2 · supabase.com/security · trust portals public

control

Does the application processor itself hold a SOC 2 attestation?

Decision Intel’s product-level SOC 2 Type I audit is targeted Q4 2026 issuance, with the Type II observation window opening immediately after. Audit firm to be named at engagement (Big-4 or AICPA-listed Tier-1 specialist). In-flight controls already mirror Type II requirements; the gap between today and Type I issuance is documented in the Enterprise pilot agreement.

Verify:Status disclosed in writing on every Enterprise pilot agreement.

data

Is data encrypted at rest and in transit?

Yes. AES-256-GCM for documents and audit-log content at rest. TLS 1.2+ for every transit hop (browser to platform, platform to AI providers, platform to sub-processors). A GDPR + NDPR anonymization layer strips PII before any AI processing — the LLM provider never sees raw customer content with identifiers attached.

Verify:/privacy data lifecycle section · processor list with sub-processor details

data

What is the audit log retention window?

Individual tier: 1 year. Strategy tier (team): 3 years. Enterprise tier: 7 years (SOX §404 internal-controls aligned). Every entry is immutable, append-only, and timestamped at write. Entries are queryable via the customer-facing AdminAuditLog UI and exportable as a single JSON bundle via the Enterprise account-data export endpoint. Custom retention (HIPAA, banking, government) is negotiable on Enterprise pilot agreement.

Verify:/security audit-log retention SLA section · contractual commitment in pilot agreement.

continuity

What is the disaster recovery posture (RPO / RTO)?

Recovery Point Objective ≤ 15 minutes (Postgres WAL streaming + daily snapshots). Recovery Time Objective < 4 hours. Production region is US (Vercel + Supabase US). EU region is available on Enterprise pilot agreement; multi-region production is on the published roadmap. Annual restore drill is performed and documented; the most recent drill date is disclosed on every Enterprise pilot agreement.

Verify:/security DR/BCP section · drill date in pilot agreement.

incident

What is the security-incident response SLA?

Customer notification within 72 hours of confirmed security incident affecting customer data — mirrors GDPR Art. 33 controller-notification timing as the procurement floor. Faster notification (24 hours / 12 hours) is negotiable on Enterprise pilot agreement when the customer’s own regulatory posture requires it. A written incident report is delivered within 7 days of notification, including root cause, scope of affected records, remediation steps, and the controls hardened to prevent recurrence.

Verify:Pilot agreement · incident report template available on request.

contractual

What is the standard liability cap?

12 months of fees paid by Controller in the 12 months immediately before the claim, excluding (a) breach of confidentiality, (b) wilful misconduct, (c) third-party IP indemnities, and (d) sub-processor data-protection failures where Decision Intel is the engaging Processor. Mutual indemnification cap and uncapped third-party-IP indemnity are negotiable at Enterprise signature.

Verify:Subscription agreement § 12 · Enterprise pilot indemnification schedule.

contractual

Is cyber-liability insurance and errors-and-omissions insurance carried?

On the Q1 2027 roadmap. Until carriage is live, Enterprise customers receive a written disclosure of the insurance gap and the contractual commitments that substitute for it (uncapped breach-of-confidentiality, mutual indemnification, escrowed remediation budget on request).

Verify:Enterprise pilot agreement · insurance gap disclosure clause · roadmap status updated quarterly.

data

Where is customer data trained on for AI improvements?

Customer document content is never used to train, fine-tune, or evaluate any LLM (Gemini, Claude, or otherwise). Provider terms (Google Cloud Platform + Anthropic) explicitly disclaim training on enterprise inputs. The same commitment is mirrored in the DPA and every pilot agreement. Bias Genome cohort signals are derived from outcome METADATA only (bias type, decision-domain class, predicted-vs-realised quality, time-to-outcome window) — never document content, persona names, or deal terms.

Verify:DPA § Bias Genome ownership · provider terms (GCP + Anthropic enterprise DPA).

data

What is the data portability and exit-assistance posture on contract termination?

Customer-owned content (every uploaded artefact + every Decision Provenance Record) is exportable as a single account-data JSON bundle at any time during the contract and within 60 days of termination. Cohort export (anonymised outcome metadata the customer organisation contributed to Bias Genome) is available on quarterly cadence on Enterprise tier. After the 60-day exit window, customer content is cryptographically destroyed; audit log entries follow the retention window above.

Verify:/api/export/account · DPA § 5 · pilot agreement termination clause.

The inflection · why now matters

The audit artefact is becoming compulsory, not optional — and we already produce the artefact your high-stakes decisions need to defend in front of the regulator.

Aviation Crew Resource Management crossed from "exercise" to compulsory practice in 1990 when the FAA Advanced Qualification Program made it the standard. Corporate M&A is at the same inflection — three structural conditions converging: a liability shift in motion (EU AI Act Article 14 enforceable August 2026 + Basel III Pillar 2 ICAAP live + SEC AI disclosure rulemaking), friction collapse unlocked (sub-cent per render via deepseek-v4-flash through the AI Gateway), and the status reframing of structured decision support from "false precision" to "elite operational hygiene." Decision Intel produces the Decision Provenance Record the August 2026 enforcement deadline calls for, today.

EU AI Act Article 14

enforceable August 2026

Human oversight + record-keeping mapped onto the DPR's hashed input + judge variance + meta-verdict trail.

Basel III Pillar 2 ICAAP

live for regulated banks

Qualitative decision documentation requirement satisfied by the DPR — every flagged bias attaches a Basel III provision citation.

SEC AI disclosure (proposed)

evolving through 2026

Model lineage + prompt fingerprint + judge variance documented per the DPR's methodology section.

AI Verify Foundation (Singapore IMDA)

aligned to all 11 principles

Every DPR field maps onto the 11 internationally-recognised AI governance principles.

Buy the audit before the regulator forces it. The artefact is the same either way; the difference is whether your audit committee is staring at a clean DPR or scrambling to produce one mid-enforcement.

Evidentiary standard · Your EU AI Act Article 14 and Basel III Pillar 2 ICAAP audit trail is constructed on these fingerprints. Any change to the audit standard — methodology version, weight resolution, or scoring engine — produces a different fingerprint and is versioned and disclosed against the prior records. The continuity is the point: once an audit committee has built a multi-year reasoning-provenance trail on a consistent evidentiary standard, moving the same decisions to a different audit method is not a silent switch — it is a documented change of evidentiary standard a regulator can see across the record series. See the fingerprint construction (also bound contractually as Terms §10I + the DPA template).

Regulatory tailwinds · already in motion

The record your AI-augmented decision-making is already supposed to produce.

Three regulatory waves are already in force or on the enforcement calendar. Each one asks for exactly the artifact the Decision Provenance Record produces. The reasoning behind a decision, the model lineage that shaped it, and the evidence that it was reviewed, not just generated. We built for this on purpose.

Procurement window open

days until enforcement · 8 weeks

EU AI Act high-risk decision-support obligations enforce on August 2, 2026. Every F500 GC and audit-committee chair reads vendor materials this summer through one lens: what does this do for our August 2 deadline?

Art. 13

Transparency to the deployer

High-risk AI systems must include instructions describing the system’s capabilities, limitations, accuracy, and the human oversight measures designed in.

DI maps via:Decision Provenance Record cover page · methodology version · validity classification band · feedback adequacy verdict. Every audited memo carries a deployer-facing transparency strip on page 1.

Art. 14

Human oversight obligations

High-risk AI systems must enable natural-person oversight — the deployer must be able to interpret the output, override it, and understand its limits.

DI maps via:Reviewer Decisions / HITL log on page 5 of every DPR · dismissed-flag rationale capture · metaJudge adversarial verdict. Override is a first-class state, not a bypass.

Art. 15

Accuracy + record-keeping

High-risk AI systems must achieve appropriate levels of accuracy and provide automatic logging that allows traceability throughout the system’s lifecycle.

DI maps via:Brier 0.258 calibration baseline (143-case reference corpus) · SHA-256 input hash · prompt fingerprint · judge variance per audit. Every DPR is a tamper-evident lifecycle log.

Annex III

High-risk decision-support classification

Annex III lists the use cases that trigger high-risk obligations — employment, education, essential services, law enforcement, migration, justice, democratic processes.

DI maps via:The 19-framework regulatory map flags Annex III applicability per audit. EU-deployed customers see the specific use-case classification on the DPR Regulatory Crosswalk grid (page 6).

In force · high-risk obligations Aug 2026

EU AI Act

Article 13 (transparency), Article 14 (human oversight), Article 15 (accuracy + record-keeping), Annex III (high-risk decision-support). Every DPR section maps onto one of these by design.

Rulemaking 2024–2026

SEC AI Disclosure

Proposed rules on AI use in investment-adviser decisions require documented oversight of the model’s role. The DPR’s model lineage + prompt fingerprint + judge variance are the documentation.

Live for regulated banks

Basel III · Pillar 2 ICAAP

Banks must document the internal capital-adequacy process including qualitative decisions. Every flagged bias in the DPR carries a Basel III provision reference on the same page.

Principles-based, pre-statutory

UK AI White Paper

Regulator guidance across FCA, ICO, and CMA converges on safety, transparency, fairness, accountability, and contestability. The DPR is the contestable artifact by default.

Live for public companies + private placements

SOX §404 + SEC Reg D

Internal-control documentation and forward-looking-statement disclosure both require evidence of process. The DPR is process evidence your auditor can point at instead of a narrative describing it.

Live since 2018

GDPR Art. 22

Automated-decision rights require the data subject be told meaningful information about the logic involved. DPR citations provide that in one document without exposing platform IP.

Positioning note for CSOs evaluating us: the Decision Provenance Record is the record your AI-augmented decision-making is supposed to produce anyway under these frameworks. We ship it on every audit so your procurement conversation starts at “here is the control” instead of “we’re working on it.”

AI Verify Foundation · Singapore IMDA

Aligned with the 11 internationally-recognised AI governance principles.

Every Decision Provenance Record field maps onto AI Verify’s 11 principles (transparency, explainability, repeatability, safety, security, robustness, fairness, data governance, accountability, human agency & oversight, inclusive growth). Cross-aligned with the EU AI Act and OECD AI Principles. Self-assessment framework; no certification claim, no overclaim.

View the principle mapping

Key rotation

Rotate encryption keys without downtime

Every row in an encrypted column carries an integer keyVersion stamp. Swapping keys is a four-step protocol with no big-bang migration, no data loss, no customer-visible pause.

Provision the new key

Set DOCUMENT_ENCRYPTION_KEY_V2 (64-character hex) in production. The legacy v1 key stays in place, so no downtime, no lockout.

Cut over writes

Bump DOCUMENT_ENCRYPTION_KEY_VERSION=2 and redeploy. New writes stamp keyVersion=2; every existing row still decrypts via v1.

Backfill historical rows

Run npm run rotate:encryption-key. The CLI walks every row where keyVersion != 2, decrypts with v1, re-encrypts with v2, updates the stamp. Batched, resumable, idempotent.

Drop the old key

Once every row is on v2, delete DOCUMENT_ENCRYPTION_KEY (v1) from the production env and redeploy. Rotation complete.

The rotate CLI lives at scripts/rotate-encryption-key.ts. Resumable, batched, idempotent. Dry-run mode available.

Regulatory coverage

19 frameworks, mapped flag-by-flag

Every flag the pipeline surfaces carries a regulatory citation across G7, EU, GCC, and African markets. Your GC doesn't take the tool on faith. They walk into the audit committee meeting with the memo, the flags, and the framework sections attached.

African markets12 EU2 US2 UK / Commonwealth1 Global2

African markets12 frameworks

NDPR Art. 12

Nigeria Data Protection Regulation

Automated-decision rights for Nigerian data subjects (aligned with GDPR Art. 22 via the NDPR 2019 Implementation Framework).

ISA Nigeria 2007

Investment & Securities Act (with 2025 update)

SEC Nigeria capital-markets governance: prospectus disclosure rigor, fit-and-proper directors, AML/CFT controls, market-abuse prohibitions; ISA 2025 update extends coverage to digital-asset issuers.

CBN AI Guidelines

Central Bank of Nigeria

Financial-services AI governance obligations (draft 2024): model governance, explainability, and consumer-protection duties for regulated Nigerian financial institutions.

WAEMU

West African Economic and Monetary Union

Cross-border data localisation and financial-sector governance across the eight WAEMU member states.

CMA Kenya

Capital Markets Authority (Kenya)

Listed-company decisioning + prospectus disclosure obligations under the CMA (Conduct of Business) Regulations 2024.

CBK

Central Bank of Kenya · Banking & Digital Lending

Digital-lending licensing, AI/ML model-risk management, and consumer-disclosure obligations under the Banking (Amendment) Act 2024 §33B and CBK Risk Management Guidelines (rev. 2023).

BoG Cyber & ICT Risk

Bank of Ghana · Cyber & Information Security Directive

Cyber, data, and AI/ML model-governance obligations for Ghanaian regulated financial institutions (2018 directive + 2023 update).

FRC Nigeria

Financial Reporting Council of Nigeria

Nigerian Code of Corporate Governance covering board-level decisioning, dissent capture, and risk-management documentation duties for public-interest entities.

CBE AI Guidelines

Central Bank of Egypt

AI/ML model-governance + explainability obligations for Egyptian banks under the CBE 2023 ICT Governance and Risk Management Framework.

PoPIA §71

Protection of Personal Information Act (South Africa)

Automated-decision rights + data-subject access for South African data subjects (PoPIA s.71, in force July 2021).

SARB Model Risk

South African Reserve Bank · Model Risk Governance

Model risk + AI governance obligations for SA-regulated banks (Directive D2/2022 + Joint Standard 2 of 2024 on cybersecurity).

BoT FinTech

Bank of Tanzania · FinTech Regulatory Sandbox

Tanzanian financial-services AI/ML decisioning obligations under the BoT FinTech Regulatory Sandbox Guidelines (2023).

EU2 frameworks

GDPR Art. 22

General Data Protection Regulation

Automated-decision rights for EU data subjects.

EU AI Act · Annex III

EU AI Act

High-risk AI decision-support obligations.

US2 frameworks

SOX §404

Sarbanes-Oxley

Public-company material-statement controls.

SEC Reg D

SEC Regulation D

Forward-looking statements + safe-harbour disclosure.

UK / Commonwealth1 framework

FCA Consumer Duty

Financial Conduct Authority

UK financial-services decisioning.

Global2 frameworks

Basel III

Basel III

Capital-allocation decisions in regulated banks.

LPOA

Limited Partnership Obligations

Fund-level fiduciary dissent documentation.

Decision Provenance Record export

A hashed, tamper-evident 4-page artifact your General Counsel hands to the audit committee or regulator of record, built to the shape EU AI Act Article 14, SEC AI disclosure, and Basel III ICAAP already require. Includes input-document SHA-256 hash, prompt fingerprint, model lineage, academic citations across the 22-bias taxonomy, regulatory mapping across all 19 frameworks, and full pipeline lineage.

Sample DPR · US public-market Sample DPR · Pan-African industrial DPA template · PDF DPA template · DOCX Strategy pricing

Access controls

Who gets in, and who sees what

What is available today across every plan, and what is unlocked on Enterprise.

Available

Google Workspace SSO

Single sign-on via Google Workspace, live today on every plan. No password is ever stored; sessions are signed and rotated server-side.

Enterprise

SAML 2.0 and OIDC single sign-on (coming soon)

Okta, Azure AD, OneLogin, Ping, JumpCloud, and generic SAML / OIDC. Activated as part of every Enterprise design-partner onboarding; the integration code, admin UI, and audit-log wiring are in place today and provisioning takes under 20 minutes from your IdP metadata to first login. Until then, Workspace orgs use Google SSO above.

Enterprise

Org-wide session visibility

Admins see every active session across the organisation, can force-log-out a departing member in a single click, and can set a per-org idle timeout between 15 minutes and 8 hours.

Available

Admin audit log

Org admins review every action taken inside their workspace (who viewed which memo, who exported a Decision Provenance Record, who invited a new member) with filters, date range, and CSV export for downstream compliance tooling.

Available

Per-org data isolation

Every data access scopes on organisation. Your Decision Knowledge Graph, your audit trail, and your outcome history are strictly org-private and are never cross-read by any other tenant.

Incident response

What happens if something goes wrong

The commitment isn't that incidents never happen. It's what you'll hear from us when one does, and in what timeframe.

Within

1h

Internal detection + containment triggered. Customer-visible status posted within the hour when customer data is in scope.

Within

24h

First disclosure to affected customers with the scope, the data classes involved, and the remediation plan.

Within

72h

Regulator notification where applicable (GDPR Art. 33, SEC 8-K item 1.05) with the materiality assessment attached.

Within

30d

Full post-mortem delivered to affected customers. Root cause, timeline, controls added, exposure window. Signed by the founder.

Disaster recovery + business continuity

What happens if production fails

The numbers a Fortune 500 security questionnaire opens with. Recovery objectives, backup cadence, and redundancy posture, sized against what the production-tier infrastructure SLA actually delivers, not what would sound nice.

Recovery Point Objective (RPO)

≤ 15 minutes

Supabase point-in-time recovery operates on a 15-minute checkpoint cadence on the production tier. Any incident is recoverable to within 15 minutes of the failure window.

Recovery Time Objective (RTO)

< 4 hours

Target restoration of the document-analysis pipeline within four hours of confirmed incident. Vercel edge deployment auto-fails-over for the application layer; Supabase recovery is the bottleneck and the 4-hour figure is sized against its published SLA.

Backup cadence

Daily + WAL streaming

Supabase performs daily encrypted snapshots plus continuous write-ahead-log streaming for point-in-time recovery. Backups are stored in the same Supabase-managed S3 region as the production database; cross-region replication is on the Enterprise design-partner roadmap.

Geographic redundancy

US production · multi-region edge

Vercel runs the application across global edge locations; Supabase production database is US-region single-AZ on the standard tier with multi-AZ on Enterprise. EU-region residency is available on Enterprise design-partner configurations. Confirm with the Decision Intel team before signature.

Annual restore drill

Calendared

Backup restore is tested at least annually against a synthetic dataset to validate the RPO/RTO numbers above. Drill outcome is logged to the internal AuditLog and shared with Enterprise customers on request.

Vendor continuity

What happens to your data and your service if the vendor stops

The 16-year-old solo-founder continuity question, answered in the form a Fortune 500 GC or vendor-risk-register reviewer expects. Each provision is documented in the relevant pilot or subscription agreement; nothing here is aspirational.

Key-person provisions

Documented per pilot

Every Design Foundation pilot agreement includes a key-person clause naming the founder + an explicit escalation path. Pilot data export to a customer-controlled S3 bucket is committed to within 30 days of any service interruption longer than 5 business days, regardless of cause.

Source-code escrow option

Available · Enterprise

Enterprise customers can require source-code escrow with NCC Group or Iron Mountain at signature, releasable to the customer on Insolvency / Service Discontinuation / Material Breach. Standard Strategy + Individual tiers do not include escrow but do include the data-export commitment below.

Data export on termination

Within 30 days

On service termination (customer-initiated, vendor-initiated, or insolvency), every customer can request a complete export of (a) all uploaded documents in original format, (b) all generated DPRs as PDF + JSON, (c) the Decision Knowledge Graph as a JSON snapshot. Export endpoint is /api/export/account; bundle delivered within 30 days, no retention beyond what the active subscription specifies.

Incorporation roadmap

UK Ltd · Q3 2026

Decision Intel operates pre-incorporation through 2026-Q2 by deliberate design — entity registration is deferred until first 1-2 pilot revenues fund the cost. UK Ltd incorporation calendared for Q3 2026 at the latest, immediately after the 5-paid-Individual graduation rule fires. Incorporation status confirmed in writing on every pilot agreement.

Service-continuity insurance

On Enterprise roadmap

Cyber-liability + errors-and-omissions insurance carriage planned for Q1 2027 alongside SOC 2 Type II audit. Until live, Enterprise customers receive a written disclosure of the insurance gap and the contractual commitments that substitute for it.

Indemnification cap

Standard 12 months’ fees · custom mutual on request

Standard subscription contracts cap each party’s aggregate liability at 12 months of fees paid by Controller in the 12 months immediately before the claim, excluding (a) breach of confidentiality, (b) wilful misconduct, (c) third-party IP indemnities, and (d) sub-processor data-protection failures where Decision Intel is the engaging Processor. Enterprise customers may negotiate a mutual indemnification cap and an uncapped third-party-IP indemnity at signature.

Trial-audit data handling

Upload a confidential memo for a 20-minute audit · safely

The data-leak objection M&A and corp-dev professionals raise first. Maximum trial retention, one-click hard-purge, mutual NDA template, and the contractual no-training-on-customer-data commitment, packaged here so a procurement reader can quote the exact guarantee in their vendor-risk register.

Trial-audit max retention

T+7 days

Documents uploaded for free 60-second audits or 20-minute discovery audits are auto-purged 7 days after upload unless the customer signs into a paid tier. The 7-day window covers the founder follow-up + reference-call window; nothing beyond. No exceptions.

Per-document hard-purge

One-click · any time

Every document detail page surfaces a "Purge now" action that immediately deletes the document, its analysis, all derived artefacts (DPR, fingerprints, cache entries), and any pending nudges. Encrypted backup copies are zeroed within 24 hours of the purge call. The action is logged to the customer-visible AuditLog so the purge itself is auditable.

Standard NDA template

Mutual · 7-day default

A standard mutual NDA template covering the 20-minute audit conversation is available at /docs/nda-template.pdf. Default term: 7 days from signature, extending to the active subscription term once a paid tier is signed. Design-partner pilots in our founding cohort use a separate Master Services Agreement with longer confidentiality terms.

No model training on customer data

Contractual

Customer document content is never used to train, fine-tune, or evaluate any large language model: Gemini, Claude, or otherwise. Provider terms (Google Cloud Platform + Anthropic) explicitly disclaim training on enterprise inputs. The same commitment is mirrored in the DPA + every pilot agreement. Bias-genome cohort signals (anonymised, opt-in) are derived from outcome metadata, never document content.

Data ownership

Customer-owned content. Aggregated outcome metadata only.

The cohort-calibration moat (per-org Brier-scored recalibration, the answer to Cloverpop's data-advantage attack vector) requires outcome metadata across consenting organisations. Document content, persona names, and deal terms are NEVER part of the cohort signal. Below is the contractual ownership posture, mirrored in the DPA and every pilot agreement.

Customer-owned: document content

Always · no exceptions

Every uploaded strategic memo, board deck, IC document, and reasoning artefact remains Customer property. Decision Intel processes the content under the DPA and never claims any IP, derived-work, or training right over the source bytes. The same posture applies to Decision Provenance Records: the artefact is Customer-owned, signed by Decision Intel.

Platform-aggregated: outcome metadata only

Anonymised · opt-in

Bias Genome cohort signals are derived exclusively from outcome METADATA: bias type, decision-domain class, predicted-vs-realised quality, time-to-outcome window. Document content, persona names, deal terms, and any text fragments are NEVER part of the cohort signal. Aggregation happens server-side after k-anonymity guards (≥3 contributing organisations per signal). The aggregation is opt-in and can be disabled per organisation in Settings &rsaquo; Org without affecting the rest of the product.

Withdrawal path

One-click · 30-day backfill

A Customer who joins the cohort and later opts out can request that prior outcome-metadata contributions be withdrawn from future Bias Genome computations. Withdrawal completes within 30 days; the backfill is logged to the Customer-visible audit log so the action is auditable. Already-published cohort statistics that incorporated the contribution are not retroactively recomputed (they are timestamped artefacts), but the Customer is excluded from every subsequent computation.

No model training on Customer data

Contractual

Cohort export on Enterprise

On request

Enterprise customers contributing outcome metadata may request a quarterly extract of the cohort signal their organisation contributed to, anonymised, in CSV + JSON. Useful for internal calibration audits and audit-committee briefings.

Retention SLA

How long your documents live, and how to delete them

Documents auto-soft-delete at the end of your tier's window. A 30-day grace window applies before permanent purge: recoverable via support during the grace, irrecoverable after. Self-serve Delete is on every document detail page and on the post-upload reveal card.

Free

30 days

+ 30-day soft-delete grace

Documents auto-soft-delete 30 days after upload. Recoverable via support during the grace window, then permanently purged.

Individual

90 days

+ 30-day soft-delete grace

Documents auto-soft-delete 90 days after upload. Same grace window, same support-recoverable path.

Strategy

12 months

+ 30-day soft-delete grace

Quarter-after-quarter retention for team-level Decision Knowledge Graph. Auto-soft-delete at 365 days; same recoverable grace.

Enterprise

360 days default · configurable

+ 30-day soft-delete grace

Default matches Strategy; per-Order-Form overrides for legal-hold, SEC, or Basel III obligations. Configurable in either direction.

Right-to-delete (GDPR Art. 17) requests are processed within 30 days. Send to privacy@decision-intel.com or use the in-app Delete button on any document.

Sub-processors

Every vendor that touches your data

Transparent processor list with each vendor's certification posture and hosting region. Updated in lock-step with our vendor agreements.

Vendor

Role

Certification

Region

Vercel

Application hosting + CDN

SOC 2 Type II

US + EU

Supabase

Postgres + Auth + Storage

SOC 2 Type II · HIPAA

Google AI

Primary analysis LLM

No-training contract terms

Anthropic

Fallback analysis LLM

No-training contract terms

Stripe

Billing

PCI-DSS Level 1 · SOC 1/2

US + EU

Sentry

Error monitoring

SOC 2 Type II

Found something? We want to hear about it.

Responsible disclosure is a first-class contract with our users. Report vulnerabilities to security@decision-intel.com (first response within 48 hours, every time). For DPA requests, SOC 2 reports, or a security questionnaire response, reach the same inbox and reference your organisation name.

Email security@Privacy policy

Last reviewed · 2026-04-19 · security@decision-intel.com

Enterprise-grade security posture

Built for the audit committee,
not the afterthought.

See the trust spine Privacy policy

Encryption chain

Browser to vault, end-to-end

Browser

TLS 1.2+

API edge

session auth

Anonymize

PII stripped

Pipeline

in-tenant

Vault

AES-256-GCM

Postgres

keyVersion stamp

Every row in the encrypted columns carries a keyVersion stamp so keys can be rotated without bricking historical data.

Trust spine

Five controls a GC actually tests

Every enterprise security questionnaire probes the same five things. This is how Decision Intel answers each one today, with code paths, not aspirations.

AES-256-GCM at rest, with rotation

Strategic memos and Slack bot tokens are encrypted with authenticated AES-256-GCM. Every encrypted row carries a keyVersion stamp so keys rotate without bricking historical data.

GDPR anonymizer runs first

PII is detected and redacted as the literal first node of the analysis pipeline. No analysis LLM ever sees the raw document.

19 regulatory frameworks, provision-level

Every flag we surface carries a citation across SOX §404, GDPR Article 22, EU AI Act Annex III, Basel III, FCA Consumer Duty, SEC Reg D, and LPOA. Your GC can defend each flag against its source.

Immutable audit log

SOC 2 infrastructure

SOC 2 receipts

The audit metadata behind the trust band

Targeted

Decision Intel Ltd. (Processor)

Application + reasoning-audit pipeline

SOC 2 Type I

Window

Targeted Q4 2026 issuance · Type II window opens immediately after

Auditor

Audit firm to be named at engagement (Big-4 or AICPA-listed Tier-1 specialist). In-flight controls already mirror Type II.

Scope

Decision Intel application, analysis pipeline, Decision Provenance Record generation, audit-log immutability, encryption-key rotation, and access control for customer-uploaded documents.

Verify

Status disclosed in writing on every Enterprise pilot agreement.

Attested

Vercel Inc. (Sub-processor)

Application hosting + edge compute

SOC 2 Type II

Window

Continuous · current report covers a rolling 12-month window

Auditor

Insight Assurance · AICPA-registered

Scope

Edge runtime, deployment pipeline, build infrastructure, and the platform on which Decision Intel runs.

Verify

Trust portal · vercel.com/legal/soc2

Attested

Supabase Inc. (Sub-processor)

Postgres + Auth + file storage

SOC 2 Type II + HIPAA

Window

Continuous · current report covers a rolling 12-month window

Auditor

Prescient Assurance · AICPA-registered

Scope

Database, authentication, file storage, point-in-time recovery, and backup infrastructure that holds customer documents and audit logs.

Verify

Trust portal · supabase.com/security · HIPAA BAA available on Enterprise

Attested

Sentry (Sub-processor)

Error monitoring

SOC 2 Type II

Window

Continuous · current report covers a rolling 12-month window

Auditor

Audit firm disclosed in trust portal

Scope

Error capture and runtime telemetry. PII scrubbing is enabled at SDK level so Sentry never receives raw document content.

Verify

Trust portal · sentry.io/trust

Attested

Stripe Inc. (Sub-processor)

Billing

SOC 2 Type II + SOC 1 Type II + PCI-DSS Level 1

Window

Continuous · current report covers a rolling 12-month window

Auditor

Audit firm disclosed in trust portal

Scope

Subscription billing, payment-method storage, and invoicing. No document content flows through Stripe.

Verify

Trust portal · stripe.com/docs/security

Audit log retention

How long every action lives in the audit trail

Individual

1 year

Legal-defensible floor for individual-buyer accounts.

Strategy (team)

3 years

Mid-market default for team accounts running quarterly board cycles.

Enterprise

7 years

SOX §404 internal-controls aligned. Custom retention (HIPAA, banking, government) negotiable on pilot agreement.

Vendor-risk questionnaire

The SIG / VSA / CAIQ rows answered up front

control

Are SOC 2 Type II reports issued by an independent registered auditor for the platform infrastructure?

Verify:vercel.com/legal/soc2 · supabase.com/security · trust portals public

control

Does the application processor itself hold a SOC 2 attestation?

Verify:Status disclosed in writing on every Enterprise pilot agreement.

data

Is data encrypted at rest and in transit?

Verify:/privacy data lifecycle section · processor list with sub-processor details

data

What is the audit log retention window?

Verify:/security audit-log retention SLA section · contractual commitment in pilot agreement.

continuity

What is the disaster recovery posture (RPO / RTO)?

Verify:/security DR/BCP section · drill date in pilot agreement.

incident

What is the security-incident response SLA?

Verify:Pilot agreement · incident report template available on request.

contractual

What is the standard liability cap?

Verify:Subscription agreement § 12 · Enterprise pilot indemnification schedule.

contractual

Is cyber-liability insurance and errors-and-omissions insurance carried?

Verify:Enterprise pilot agreement · insurance gap disclosure clause · roadmap status updated quarterly.

data

Where is customer data trained on for AI improvements?

Verify:DPA § Bias Genome ownership · provider terms (GCP + Anthropic enterprise DPA).

data

What is the data portability and exit-assistance posture on contract termination?

Verify:/api/export/account · DPA § 5 · pilot agreement termination clause.

The inflection · why now matters

The audit artefact is becoming compulsory, not optional — and we already produce the artefact your high-stakes decisions need to defend in front of the regulator.

EU AI Act Article 14

enforceable August 2026

Human oversight + record-keeping mapped onto the DPR's hashed input + judge variance + meta-verdict trail.

Basel III Pillar 2 ICAAP

live for regulated banks

Qualitative decision documentation requirement satisfied by the DPR — every flagged bias attaches a Basel III provision citation.

SEC AI disclosure (proposed)

evolving through 2026

Model lineage + prompt fingerprint + judge variance documented per the DPR's methodology section.

AI Verify Foundation (Singapore IMDA)

aligned to all 11 principles

Every DPR field maps onto the 11 internationally-recognised AI governance principles.

Regulatory tailwinds · already in motion

The record your AI-augmented decision-making is already supposed to produce.

Procurement window open

days until enforcement · 8 weeks

Art. 13

Transparency to the deployer

High-risk AI systems must include instructions describing the system’s capabilities, limitations, accuracy, and the human oversight measures designed in.

Art. 14

Human oversight obligations

High-risk AI systems must enable natural-person oversight — the deployer must be able to interpret the output, override it, and understand its limits.

DI maps via:Reviewer Decisions / HITL log on page 5 of every DPR · dismissed-flag rationale capture · metaJudge adversarial verdict. Override is a first-class state, not a bypass.

Art. 15

Accuracy + record-keeping

High-risk AI systems must achieve appropriate levels of accuracy and provide automatic logging that allows traceability throughout the system’s lifecycle.

DI maps via:Brier 0.258 calibration baseline (143-case reference corpus) · SHA-256 input hash · prompt fingerprint · judge variance per audit. Every DPR is a tamper-evident lifecycle log.

Annex III

High-risk decision-support classification

Annex III lists the use cases that trigger high-risk obligations — employment, education, essential services, law enforcement, migration, justice, democratic processes.

DI maps via:The 19-framework regulatory map flags Annex III applicability per audit. EU-deployed customers see the specific use-case classification on the DPR Regulatory Crosswalk grid (page 6).

In force · high-risk obligations Aug 2026

EU AI Act

Article 13 (transparency), Article 14 (human oversight), Article 15 (accuracy + record-keeping), Annex III (high-risk decision-support). Every DPR section maps onto one of these by design.

Rulemaking 2024–2026

SEC AI Disclosure

Proposed rules on AI use in investment-adviser decisions require documented oversight of the model’s role. The DPR’s model lineage + prompt fingerprint + judge variance are the documentation.

Live for regulated banks

Basel III · Pillar 2 ICAAP

Banks must document the internal capital-adequacy process including qualitative decisions. Every flagged bias in the DPR carries a Basel III provision reference on the same page.

Principles-based, pre-statutory

UK AI White Paper

Regulator guidance across FCA, ICO, and CMA converges on safety, transparency, fairness, accountability, and contestability. The DPR is the contestable artifact by default.

Live for public companies + private placements

SOX §404 + SEC Reg D

Internal-control documentation and forward-looking-statement disclosure both require evidence of process. The DPR is process evidence your auditor can point at instead of a narrative describing it.

Live since 2018

GDPR Art. 22

Automated-decision rights require the data subject be told meaningful information about the logic involved. DPR citations provide that in one document without exposing platform IP.

AI Verify Foundation · Singapore IMDA

Aligned with the 11 internationally-recognised AI governance principles.

View the principle mapping

Key rotation

Rotate encryption keys without downtime

Every row in an encrypted column carries an integer keyVersion stamp. Swapping keys is a four-step protocol with no big-bang migration, no data loss, no customer-visible pause.

Provision the new key

Set DOCUMENT_ENCRYPTION_KEY_V2 (64-character hex) in production. The legacy v1 key stays in place, so no downtime, no lockout.

Cut over writes

Bump DOCUMENT_ENCRYPTION_KEY_VERSION=2 and redeploy. New writes stamp keyVersion=2; every existing row still decrypts via v1.

Backfill historical rows

Run npm run rotate:encryption-key. The CLI walks every row where keyVersion != 2, decrypts with v1, re-encrypts with v2, updates the stamp. Batched, resumable, idempotent.

Drop the old key

Once every row is on v2, delete DOCUMENT_ENCRYPTION_KEY (v1) from the production env and redeploy. Rotation complete.

The rotate CLI lives at scripts/rotate-encryption-key.ts. Resumable, batched, idempotent. Dry-run mode available.

Regulatory coverage

19 frameworks, mapped flag-by-flag

African markets12 EU2 US2 UK / Commonwealth1 Global2

African markets12 frameworks

NDPR Art. 12

Nigeria Data Protection Regulation

Automated-decision rights for Nigerian data subjects (aligned with GDPR Art. 22 via the NDPR 2019 Implementation Framework).

ISA Nigeria 2007

Investment & Securities Act (with 2025 update)

SEC Nigeria capital-markets governance: prospectus disclosure rigor, fit-and-proper directors, AML/CFT controls, market-abuse prohibitions; ISA 2025 update extends coverage to digital-asset issuers.

CBN AI Guidelines

Central Bank of Nigeria

Financial-services AI governance obligations (draft 2024): model governance, explainability, and consumer-protection duties for regulated Nigerian financial institutions.

WAEMU

West African Economic and Monetary Union

Cross-border data localisation and financial-sector governance across the eight WAEMU member states.

CMA Kenya

Capital Markets Authority (Kenya)

Listed-company decisioning + prospectus disclosure obligations under the CMA (Conduct of Business) Regulations 2024.

CBK

Central Bank of Kenya · Banking & Digital Lending

Digital-lending licensing, AI/ML model-risk management, and consumer-disclosure obligations under the Banking (Amendment) Act 2024 §33B and CBK Risk Management Guidelines (rev. 2023).

BoG Cyber & ICT Risk

Bank of Ghana · Cyber & Information Security Directive

Cyber, data, and AI/ML model-governance obligations for Ghanaian regulated financial institutions (2018 directive + 2023 update).

FRC Nigeria

Financial Reporting Council of Nigeria

Nigerian Code of Corporate Governance covering board-level decisioning, dissent capture, and risk-management documentation duties for public-interest entities.

CBE AI Guidelines

Central Bank of Egypt

AI/ML model-governance + explainability obligations for Egyptian banks under the CBE 2023 ICT Governance and Risk Management Framework.

PoPIA §71

Protection of Personal Information Act (South Africa)

Automated-decision rights + data-subject access for South African data subjects (PoPIA s.71, in force July 2021).

SARB Model Risk

South African Reserve Bank · Model Risk Governance

Model risk + AI governance obligations for SA-regulated banks (Directive D2/2022 + Joint Standard 2 of 2024 on cybersecurity).

BoT FinTech

Bank of Tanzania · FinTech Regulatory Sandbox

Tanzanian financial-services AI/ML decisioning obligations under the BoT FinTech Regulatory Sandbox Guidelines (2023).

EU2 frameworks

GDPR Art. 22

General Data Protection Regulation

Automated-decision rights for EU data subjects.

EU AI Act · Annex III

EU AI Act

High-risk AI decision-support obligations.

US2 frameworks

SOX §404

Sarbanes-Oxley

Public-company material-statement controls.

SEC Reg D

SEC Regulation D

Forward-looking statements + safe-harbour disclosure.

UK / Commonwealth1 framework

FCA Consumer Duty

Financial Conduct Authority

UK financial-services decisioning.

Global2 frameworks

Basel III

Basel III

Capital-allocation decisions in regulated banks.

LPOA

Limited Partnership Obligations

Fund-level fiduciary dissent documentation.

Decision Provenance Record export

Sample DPR · US public-market Sample DPR · Pan-African industrial DPA template · PDF DPA template · DOCX Strategy pricing

Access controls

Who gets in, and who sees what

What is available today across every plan, and what is unlocked on Enterprise.

Available

Google Workspace SSO

Single sign-on via Google Workspace, live today on every plan. No password is ever stored; sessions are signed and rotated server-side.

Enterprise

SAML 2.0 and OIDC single sign-on (coming soon)

Enterprise

Org-wide session visibility

Admins see every active session across the organisation, can force-log-out a departing member in a single click, and can set a per-org idle timeout between 15 minutes and 8 hours.

Available

Admin audit log

Available

Per-org data isolation

Every data access scopes on organisation. Your Decision Knowledge Graph, your audit trail, and your outcome history are strictly org-private and are never cross-read by any other tenant.

Incident response

What happens if something goes wrong

The commitment isn't that incidents never happen. It's what you'll hear from us when one does, and in what timeframe.

Within

1h

Internal detection + containment triggered. Customer-visible status posted within the hour when customer data is in scope.

Within

24h

First disclosure to affected customers with the scope, the data classes involved, and the remediation plan.

Within

72h

Regulator notification where applicable (GDPR Art. 33, SEC 8-K item 1.05) with the materiality assessment attached.

Within

30d

Full post-mortem delivered to affected customers. Root cause, timeline, controls added, exposure window. Signed by the founder.

Disaster recovery + business continuity

What happens if production fails

Recovery Point Objective (RPO)

≤ 15 minutes

Supabase point-in-time recovery operates on a 15-minute checkpoint cadence on the production tier. Any incident is recoverable to within 15 minutes of the failure window.

Recovery Time Objective (RTO)

< 4 hours

Backup cadence

Daily + WAL streaming

Geographic redundancy

US production · multi-region edge

Annual restore drill

Calendared

Vendor continuity

What happens to your data and your service if the vendor stops

Key-person provisions

Documented per pilot

Source-code escrow option

Available · Enterprise

Data export on termination

Within 30 days

Incorporation roadmap

UK Ltd · Q3 2026

Service-continuity insurance

On Enterprise roadmap

Indemnification cap

Standard 12 months’ fees · custom mutual on request

Trial-audit data handling

Upload a confidential memo for a 20-minute audit · safely

Trial-audit max retention

T+7 days

Per-document hard-purge

One-click · any time

Standard NDA template

Mutual · 7-day default

No model training on customer data

Contractual

Data ownership

Customer-owned content. Aggregated outcome metadata only.

Customer-owned: document content

Always · no exceptions

Platform-aggregated: outcome metadata only

Anonymised · opt-in

Withdrawal path

One-click · 30-day backfill

No model training on Customer data

Contractual

Cohort export on Enterprise

On request

Retention SLA

How long your documents live, and how to delete them

Free

30 days

+ 30-day soft-delete grace

Documents auto-soft-delete 30 days after upload. Recoverable via support during the grace window, then permanently purged.

Individual

90 days

+ 30-day soft-delete grace

Documents auto-soft-delete 90 days after upload. Same grace window, same support-recoverable path.

Strategy

12 months

+ 30-day soft-delete grace

Quarter-after-quarter retention for team-level Decision Knowledge Graph. Auto-soft-delete at 365 days; same recoverable grace.

Enterprise

360 days default · configurable

+ 30-day soft-delete grace

Default matches Strategy; per-Order-Form overrides for legal-hold, SEC, or Basel III obligations. Configurable in either direction.

Right-to-delete (GDPR Art. 17) requests are processed within 30 days. Send to privacy@decision-intel.com or use the in-app Delete button on any document.

Sub-processors

Every vendor that touches your data

Transparent processor list with each vendor's certification posture and hosting region. Updated in lock-step with our vendor agreements.

Vendor

Role

Certification

Region

Vercel

Application hosting + CDN

SOC 2 Type II

US + EU

Supabase

Postgres + Auth + Storage

SOC 2 Type II · HIPAA

Google AI

Primary analysis LLM

No-training contract terms

Anthropic

Fallback analysis LLM

No-training contract terms

Stripe

Billing

PCI-DSS Level 1 · SOC 1/2

US + EU

Sentry

Error monitoring

SOC 2 Type II

Found something? We want to hear about it.

Email security@Privacy policy

Last reviewed · 2026-04-19 · security@decision-intel.com

Built for the audit committee,not the afterthought.

Five controls a GC actually tests

The audit metadata behind the trust band

How long every action lives in the audit trail

The SIG / VSA / CAIQ rows answered up front

The audit artefact is becoming compulsory, not optional — and we already produce the artefact your high-stakes decisions need to defend in front of the regulator.

The record your AI-augmented decision-making is already supposed to produce.

Rotate encryption keys without downtime

19 frameworks, mapped flag-by-flag

Who gets in, and who sees what

What happens if something goes wrong

What happens if production fails

What happens to your data and your service if the vendor stops

Upload a confidential memo for a 20-minute audit · safely

Customer-owned content. Aggregated outcome metadata only.

How long your documents live, and how to delete them

Every vendor that touches your data

Found something? We want to hear about it.

Built for the audit committee,not the afterthought.

Five controls a GC actually tests

The audit metadata behind the trust band

How long every action lives in the audit trail

The SIG / VSA / CAIQ rows answered up front

The audit artefact is becoming compulsory, not optional — and we already produce the artefact your high-stakes decisions need to defend in front of the regulator.

The record your AI-augmented decision-making is already supposed to produce.

Rotate encryption keys without downtime

19 frameworks, mapped flag-by-flag

Who gets in, and who sees what

What happens if something goes wrong

What happens if production fails

What happens to your data and your service if the vendor stops

Upload a confidential memo for a 20-minute audit · safely

Customer-owned content. Aggregated outcome metadata only.

How long your documents live, and how to delete them

Every vendor that touches your data

Found something? We want to hear about it.

Built for the audit committee,
not the afterthought.

Built for the audit committee,
not the afterthought.