Data Processing and Security Policy
This policy explains how Staffable AI expects to handle business workflow data, client-provided data, processors, access, security, and deletion during audits and paid setup work.
Last updated: 19 May 2026
1. Purpose
This policy supports the Privacy Policy and Terms. It is written for clients and prospects who may share business workflow information, tool details, integration requirements, customer-support samples, lead process notes, or other operational data with Staffable AI.
2. Roles
For website visitors, audit applicants, and direct enquiries, Staffable AI usually decides why and how personal data is used. For paid client projects, the client may remain responsible for its own customer, employee, prospect, and operational data, while Staffable AI processes selected data only to provide the agreed setup, integration, documentation, and support work.
3. Client instructions
For paid projects, Staffable AI will process client-provided data according to the accepted written scope, documented project instructions, support requests, legal requirements, and actions needed to deliver the project. Staffable AI should not be asked to process data that the client is not authorized to share.
4. Data minimization
Clients should share the minimum data needed for the project. Sample records should be anonymized where practical. Full customer databases, regulated data, payment information, government IDs, employee records, health data, children's data, or highly sensitive records should not be shared unless the written scope specifically requires it and a secure handling process is agreed.
5. Access and credentials
Access to client systems should be limited to the minimum needed, time-limited where practical, and revoked when no longer required. Clients should use role-based access, temporary accounts, OAuth access, shared admin controls, or secure credential tools where possible. Passwords, API keys, tokens, and secrets should not be sent through public forms, plain chat, or unsecured email.
6. Approved processors and tools
Staffable AI may use processors and tools needed for delivery, including hosting, Google services, email, calendar, AI providers, automation tools, logging, monitoring, documentation, communication, payment, and project management providers. Tools should be selected for practical reliability, security, and fit for the project. A client may ask for reasonable information about core tools used for its project.
7. AI tool handling
AI tools may be used to summarize workflows, draft internal checklists, prepare configuration notes, generate code, classify tasks, create documentation, or support delivery. Staffable AI should avoid sending unnecessary sensitive personal data to AI tools and may use redaction, summaries, test data, or anonymized examples where practical. Client approval is required before AI-prepared output is used externally in important workflows.
8. Security measures
Reasonable safeguards may include HTTPS, restricted admin access, least-privilege permissions, secure configuration, access reviews, server-side validation, rate limiting, logging, environment separation where practical, backups where appropriate, and careful handling of credentials. Security measures depend on the written scope, client tool choices, hosting provider, third-party limitations, and agreed budget.
9. Confidentiality
Staffable AI should use client confidential information only for the project, support, administration, legal compliance, and agreed business purposes. Staffable AI may use generalized learning and non-identifying workflow patterns to improve its services, but should not publish client confidential information without permission.
10. Incident handling
If Staffable AI becomes aware of a security issue affecting client project data under its control, it should take reasonable steps to investigate, contain, and notify the affected client where appropriate. The client remains responsible for incidents in its own systems, accounts, employees, vendors, or configurations outside Staffable AI's control.
11. Return and deletion
At the end of a project or on reasonable written request, Staffable AI may return, delete, anonymize, or archive client project data where practical and lawful. Some records may be retained for invoices, tax, accounting, security, backups, legal compliance, dispute handling, or proof of work. Backup and log deletion may follow normal technical cycles.
12. International transfers
Because modern SaaS, hosting, AI, email, calendar, and automation tools often process data globally, project data may be stored or accessed outside India. Clients should check whether their own legal, customer, or industry obligations require specific regional hosting, data residency, or vendor restrictions before approving a tool stack.
13. Regulated or high-risk workflows
Healthcare, finance, legal, employment, education, children's services, insurance, government, and other regulated workflows may require extra review, professional advice, stricter approvals, logging, and safer limits. Staffable AI may refuse or narrow work that creates unacceptable legal, privacy, safety, or security risk.
14. Written agreement controls
If a signed agreement, data processing addendum, statement of work, or written project term conflicts with this general policy, the more specific written project term controls for that project.
