The SchemaLabs Service is currently in beta. The commitments below reflect our current operational posture, which we are actively building out.
Capitalised terms used on this page (including "Customer Data," "Schema Models," "Base Model," and "Fine-Tuned Checkpoint") have the meanings set forth in the Terms of Service, the Schema Model License, and the Data Processing Agreement.
1. The architectural commitment
Customer Data is never used to train, improve, or modify any Schema Base Model. Each customer who fine-tunes a Schema Model receives an isolated checkpoint (also referred to as a Customer Endpoint or Model Endpoint) architecturally separated from the Base Model and from every other customer. Deleting a Fine-Tuned Checkpoint fully removes the Customer-specific adaptations; backups follow the deletion process described in DPA Section 10.
This is enforced by our system architecture, not only by policy.
2. Current security controls
- Encryption: TLS 1.2+ in transit; AES-256 at rest; keys managed through Google Cloud KMS and AWS KMS
- Access: role-based access control with least privilege; multi-factor authentication required for SchemaLabs personnel accessing production systems and Customer Data
- Infrastructure: Google Cloud Platform and Amazon Web Services, US data centers (see Supported Regions); GCP and AWS each maintain SOC 2 Type II, ISO 27001, and other independent certifications inherited at the infrastructure layer
- Logging: audit logging of administrative actions, data access events, API requests, fine-tune jobs, and playground jobs
- Isolation: per-customer Fine-Tuned Checkpoints are architecturally isolated at the model level
- Personnel: all SchemaLabs personnel with access to Customer Data are subject to confidentiality agreements
Our complete list of third parties that process Customer Data is at schemalabs.ai/sub-processors.
3. Incident response
If a security incident affects your data, we will notify you without undue delay in accordance with our Data Processing Agreement.
Customers report security concerns to [email protected]. Researchers should follow our Responsible Disclosure Policy.
4. Honest status
The Service is in beta. We are open about where our security posture is today and what we are working toward. We do not yet have:
- A completed SOC 2 Type II audit (in progress)
- An independent ISO 27001 certification
- Cyber liability insurance coverage (in progress)
- A designated EU Representative under GDPR Article 27 (in process)
We disclose these gaps rather than imply otherwise.
5. Hall of Fame
SchemaLabs may, at its sole discretion and with the submitter's consent, acknowledge security researchers whose submissions, made under our Responsible Disclosure Policy, led to a remediated issue. Recognition is not a license, authorization, waiver, or right of action.
6. Contact
- Security incidents: [email protected]
- Compliance and vendor questionnaires: [email protected]
- Privacy: [email protected]
- Legal: [email protected]