Trust & Security
Last updated: 2025-09-24

## Overview

DATALBL provides synthetic healthcare datasets designed for safe AI development. This page summarizes our security, privacy, and governance practices to expedite vendor assessments and procurement.

## Regions and Data Residency

- Primary operations: EU-based with EU data residency by default.
- Hosting: EU-region cloud providers with availability in additional regions upon request.
- Cross-border transfers: Governed by Standard Contractual Clauses (SCCs) and supplementary measures when applicable.

## Subprocessors

We use vetted subprocessors to deliver the service. Subprocessors are bound by data processing agreements and security obligations.

- Cloud hosting and storage (in-region)
- Email and support communications
- Payment processing (for commercial transactions)

An up-to-date list of specific subprocessors is available upon request under NDA and may vary by customer region and deployment model.

## Security Controls

- Network and infrastructure hardening; least-privilege access; MFA enforced.
- Encryption in transit (TLS 1.2+) and at rest for applicable services.
- Segmented environments for development, staging, and production.
- Vulnerability management and patching program.
- Continuous monitoring and audit logging for security-relevant events.

## Privacy and Compliance

- GDPR: We act as a Controller for business contact data and as a Provider of fully synthetic datasets (no real patient records).
- EU AI Act readiness: internal mapping of safeguards, data governance, and risk management to applicable provisions.
- DPA and SCCs available for enterprise customers; custom terms on request.

## Dataset Governance

- Synthetic generation processes with controls to minimize re-identification risk.
- Quantitative QA including schema validation, leakage proxy tests, bias snapshot, and PII scans.
- Public artifacts (where available): data cards, QA summaries, and governance notes.

## Data Retention

- Business contact and account data: retained only as long as needed for service delivery, support, billing, and legal compliance.
- Synthetic datasets provided to customers: retained per license terms; evaluation deliveries are time-limited; enterprise deliveries follow contract retention and destruction schedules.

## Incident Response

- Documented incident response plan with defined SLAs for notification consistent with applicable law and contracts.
- Post-incident reviews and corrective actions.

## Customer Responsibilities

- Manage credentials and access for your users; enforce least privilege.
- Use datasets in accordance with license terms; do not attempt re-identification.
- Implement appropriate safeguards in your environment when hosting the datasets.

## Contact and Requests

For security questionnaires, DPA/SCCs, or subprocessor lists: support@datalbl.com

We aim to respond within 2 business days for enterprise due diligence requests.