We protect Customer Data with architectural isolation, current security controls, and transparent documentation. This page summarises our posture and links to the underlying policies.
Customer Data is never used to train, improve, or modify any Schema Base Model. Each Fine-Tuned Checkpoint (also referred to as a Customer Endpoint or Model Endpoint) is architecturally separated from the Base Model and from every other customer.
TLS 1.2+ in transit, AES-256 at rest with keys in Google Cloud KMS and AWS KMS, RBAC and MFA for SchemaLabs personnel accessing production, audit logging across administrative actions, data access, API requests, fine-tune and playground jobs, and architectural isolation of per-customer Fine-Tuned Checkpoints.
We do not sell personal data, do not share for cross-context advertising, and do not use Customer Data to train any Schema Model. GDPR, UK GDPR, and CCPA/CPRA rights are honored.
Production runs on US-based GCP and AWS infrastructure. Standard Contractual Clauses (Module Two) govern EU, UK, and Swiss transfers. Dedicated EU-resident deployments may be available on request as a paid option for enterprise customers.
A live list of every Sub-Processor that processes Customer Data. Enterprise customers receive 15 days advance notice of additions or replacements.
SOC 2 Type II audit and cyber liability insurance coverage are in progress. ISO 27001 certification and the EU Article 27 representative designation are in process. We disclose gaps rather than imply otherwise.
Report a security vulnerability you have observed in the Service. Submitting a report does not authorize testing; SchemaLabs reviews each submission internally and may exercise forbearance under the policy.
Intended use, training data, evaluation, limitations, and bias considerations for every Schema Model, in support of customers' EU AI Act deployer obligations.
All legal documents are publicly available. Enterprise customers may also execute a Master Services Agreement on request.