Draft — pending counsel
Data processing addendum
Last updated — pending counsel
1. Scope and roles
You are the controller of your organisation's data; Praxis is the processor, acting on your documented instructions to provide the service. This is a pre-launch stub of the decided governance posture — final wording is prepared with counsel, and no warranties are made beyond the posture set out here.
2. Purpose of processing
Praxis processes your data only to provide the security-advisory service you have signed up for — running the advisor, maintaining your security-program records, and operating the application. We do not process it for any other purpose, and we do not sell it.
3. AI processing — zero retention, no training
Your data sent to the Praxis advisor is processed by Anthropic under two locked terms: zero data retention (prompts and completions are not retained beyond what is needed to return a response) and no training on API data (Anthropic does not use it to train its models). All AI usage runs through a single platform key, metered per organisation; there are no per-customer keys. Consent to this AI processing is recorded per organisation at onboarding, with a timestamp and policy version.
4. Sub-processors
Praxis engages a defined set of sub-processors to deliver the service, each handling a specific function (hosting, database, authentication, AI, email, error tracking, analytics). They are named in full — with what each one does — in the Trust Center. Anthropic, the AI sub-processor, operates under the zero-retention / no-training terms described above.
5. Retention and deletion
On offboarding, access is revoked immediately and your data is soft-deleted, then purged after a roughly 30-day window kept for accidental-cancellation recovery and a final export. We honour GDPR / CCPA deletion requests (support-assisted at launch). The full lifecycle is set out in the Praxis data retention & deletion policy.
6. Security and data-subject assistance
Access is role-scoped (RBAC); privileged and data-affecting actions, including consent and deletions, are recorded in an audit log; and we assist with data-subject requests as described in the retention & deletion policy. Technical and organisational measures are finalised with counsel before launch.