Trust and Security Policy

Effective Date: [Date]

How Calrissian Treats Your Data

Our customers are bound by confidentiality obligations to their clients, and we treat the data we touch with the same standard. This page describes what we do and what we will not do.

Our Commitments

No training on your data. We do not use customer data to train, fine-tune, or otherwise develop any AI model, ours or anyone else's. Ever.

No client PII into public AI services. We do not paste your clients' personally identifiable information into ChatGPT, Claude, Gemini, or any other public generative AI service. When we use third-party AI tools, we use only pre-processed, anonymized facts.

Your environment first. Where it is reasonably practicable, we perform analysis inside your environment instead of extracting your data to ours. When extraction is necessary, we minimize what we take and how long we keep it.

Anonymized case studies, on your terms. We do not publish case studies, screenshots, or testimonials that reference your firm without your written approval, and any approved materials are anonymized with respect to your clients and matters.

Security Practices

We apply administrative, technical, and physical safeguards to protect customer data, including encryption in transit and at rest, role-based access control, multi-factor authentication for administrative access, vendor diligence, security incident response procedures, and routine backups. Our Data Processing Addendum and Information Security and Data Handling Policy describe these in more detail.

Compliance

We design our operations and contracts to support our customers' compliance with the ABA Model Rules and state-bar analogues on confidentiality (Rule 1.6) and supervision of nonlawyer assistance (Rule 5.3), as well as applicable U.S. state privacy laws (including the Colorado Privacy Act and the California Consumer Privacy Act). Customer-specific compliance requirements can be addressed in the Data Processing Addendum to your Master Subscription and Services Agreement.

Subprocessors

We maintain a list of the subprocessors we use to deliver our services. Customers can request the current list at hello@calrissian.ai. We notify customers in advance of any addition or replacement of subprocessors and provide customers an opportunity to object on reasonable data protection grounds.

Incident Notification

In the event of a confirmed security incident affecting customer data, we will notify the affected customer within 72 hours of confirmation and will cooperate in the investigation and remediation.

Contact

If you have any questions about this Trust and Security Policy, contact us at: Calrissian, LLC, 1500 N Grant ST, Ste R, Denver, CO 80203 | hello@calrissian.ai.