Spacetime StudiosSpacetime Studios
Book call

Security & Data Handling

Spacetime Studios treats every client engagement as confidential by default. We follow least-privilege access controls, encrypt data in transit and at rest, and never use client data to train models. This page outlines our security practices, data handling policies, and compliance posture for enterprise procurement review.

Last reviewed: February 2026

How is client data handled during engagements?

Confidentiality by Default

All client data, workflows, and business logic are treated as confidential. We sign NDAs before any data exchange and maintain strict information barriers between clients.

No Model Training on Client Data

We never use client data to train, fine-tune, or improve AI models beyond the scope of the specific engagement. Your data stays your data.

Encryption in Transit & at Rest

All data transmitted between systems uses TLS 1.2+. Data stored during development and deployment uses AES-256 encryption at rest.

Least-Privilege Access

Team members only access the systems and data required for their specific tasks. Access is provisioned per-project and revoked upon completion.

How are AI models and third-party APIs used?

When we integrate AI models (OpenAI, Anthropic, etc.) into client systems, we use enterprise API tiers that include data processing agreements (DPAs) and zero-retention policies where available.

  • API calls are made through enterprise-tier accounts with data processing agreements
  • We configure zero-retention settings when supported by the provider (OpenAI, Anthropic)
  • Client data sent to model APIs is limited to the minimum required for the task
  • All API keys and credentials are stored in encrypted environment variables, never in code
  • We document every third-party service used during an engagement for client review

What about deployment and infrastructure security?

  • Systems are deployed to client-owned infrastructure or client-approved cloud environments
  • We follow infrastructure-as-code practices for reproducible, auditable deployments
  • Production deployments include monitoring, alerting, and rollback capabilities
  • Human-in-the-loop controls are built into AI agent workflows by default
  • All automations include error handling, logging, and audit trails
  • We provide full source code and documentation. No vendor lock-in

What governance controls are in place?

Human-in-the-Loop

AI agents are deployed with configurable approval gates. High-stakes actions (financial transactions, customer communications, data deletion) require human review before execution.

Rollout Controls

New automations are deployed incrementally, starting with a subset of workflows, monitoring for errors, then scaling to full production after validation.

Audit Trails

Every AI action is logged with timestamps, input data, model responses, and outcome. Logs are retained per client requirements and available for compliance review.

Regular Review Cycles

Post-deployment, we conduct regular reviews of AI agent performance, accuracy, and error rates. Systems are tuned and updated based on real-world feedback.

Procurement FAQs

Do you sign NDAs?

Yes. We sign mutual NDAs before any data exchange or detailed scoping begins. We can use your standard NDA or provide ours.

Can you work with our existing security requirements?

Yes. We adapt to your organization's security policies, compliance requirements, and vendor onboarding process. We've worked with organizations that require SOC 2-aligned controls, BAAs for healthcare data, and custom data handling agreements.

Do you carry insurance?

Yes. We carry professional liability (E&O) and general liability insurance. Certificates of insurance are available upon request.

What happens to our data after the engagement ends?

All client data in our development environments is deleted within 30 days of engagement completion. Source code and documentation are transferred to your team. We retain no copies of client data after the engagement.

Can you deploy to our infrastructure?

Yes. We deploy to client-owned infrastructure (AWS, GCP, Azure, on-premise) or client-approved environments. We don't require you to use any specific hosting provider.

Have security questions?

We're happy to walk through our security practices in detail, provide documentation for your procurement team, or complete your vendor security questionnaire.

BOOK A STRATEGY CALL →