Compliance
How Digital Networks protects client data, governs its AI work, and stays vendor-neutral. We advise and we build, so our compliance posture covers both the advice we give and the systems we deploy.
Last updated · June 10, 2026
01 Data Protection (GDPR and CCPA)
We handle client and end-user data under the GDPR and the CCPA/CPRA, and we apply those standards as our baseline across all engagements regardless of where a client is located.
We collect only the data an engagement requires, use it only for the purpose for which it was shared, and retain it only as long as the contract or applicable law demands. When we process personal data on a client's behalf, we act as a processor under that client's instructions, and we sign a Data Processing Agreement before any such data is shared.
Data subjects and consumers may exercise their rights — access, correction, deletion, portability, and opt-out of sale or sharing. Where Digital Networks is the controller, send requests to contact@digitalnetworks.ai (the same route used in our Privacy Policy). Where we process data for a client, we route the request to that client and support their response. We complete verified requests within the statutory window: one month under GDPR (extendable where permitted) and 45 days under the CCPA.
We do not sell personal information. International transfers, where they occur, rely on Standard Contractual Clauses or another lawful transfer mechanism. Our governing privacy terms live on the Privacy page; this page covers the broader compliance posture.
02 Security Practices
Security controls are applied to both our own systems and the systems we build for clients.
- Least privilege. Access to client environments and data is granted by role and by need, scoped to the engagement, and revoked when the work ends or staff change roles. We prefer time-bound and just-in-time access over standing access.
- Encryption. Data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using the storage and key-management controls of the underlying platform.
- Access controls. Administrative access requires multi-factor authentication. Credentials and secrets are kept out of source code and stored as protected platform secrets, never shared in plain text.
- Logging and review. Access to sensitive systems is logged. We review access grants periodically and remove what is no longer needed.
- Separation. Client environments are kept separate. We do not commingle one client's data or credentials with another's.
We build on established cloud and vendor platforms and inherit their certified infrastructure controls rather than reinventing them. Specific controls for a given engagement are defined in the contract and any associated security addendum.
03 Vendor Neutrality and No-Kickback Policy
Our advisory work is vendor-neutral. When we recommend a model provider, platform, or tool, the recommendation is based on fit, cost, and outcome for the client — not on any commercial relationship we hold with that vendor.
We do not accept referral fees, commissions, rebates, or kickbacks from vendors in exchange for recommending their products to clients. If a vendor relationship could create the appearance of a conflict, we disclose it in writing before making a recommendation.
Clients own the sourcing decision. We provide the analysis, the trade-offs, and a clear recommendation; the client chooses. This separation between advice and incentive is the reason a vendor-neutral firm is worth hiring, and we treat it as a firm rule rather than a preference.
04 AI Use, Disclosure, and Human Oversight
We are an AI firm and we are direct about where AI is used.
In engagements, we disclose which parts of a deliverable or deployed system rely on AI models, which model providers are involved, and what the system can and cannot do. We do not present AI output as human-authored when a client or end user would reasonably need to know the difference.
Human oversight is built into how we work. AI systems we deploy include a defined point of human review proportionate to the risk of the decision — higher-stakes outputs get tighter review. We design for a human to be able to inspect, correct, and override the system, and we document the limits and known failure modes so the people operating it understand them.
We do not use client data or client-confidential material to train general-purpose models, and we configure vendor tooling to exclude client data from provider training where that option exists. Specific data-handling terms for model providers are set per engagement and recorded in the contract.
05 Confidentiality
Client confidentiality is a contractual obligation, not a courtesy. Under our standard terms and any applicable NDA, we protect client information, business plans, data, and the existence and details of the engagement itself.
Access to confidential material is limited to the staff working on the engagement. We do not disclose client names, work product, or results to third parties without written permission, which is also why we do not publish client case studies or named metrics without consent.
Confidentiality obligations survive the end of the engagement. On request or at contract close, we return or securely delete client data according to the terms agreed, and we can provide written confirmation of deletion.
06 Certifications and Audit Status
We are not currently certified under SOC 2, ISO 27001, or a similar framework, and we will not claim a certification we do not hold.
What we can stand behind is concrete: the security practices described above, and the certified infrastructure we build on. Our core providers — including Vercel for hosting, Supabase for database and storage, and Resend for transactional email — maintain their own independent security attestations, such as SOC 2 Type II, and we inherit those infrastructure controls rather than reinventing them.
We would rather be accurate about where we are than imply an audit we have not completed. If your procurement process requires a specific certification or a security questionnaire, tell us at compliance@digitalnetworks.ai and we will give you an honest picture of our controls, the platform certifications we inherit, and what we can commit to contractually for your engagement.
07 Responsible-AI Principles
The systems we build are governed by a small set of principles we apply consistently:
- Accountability. A named human or team is responsible for every AI system we deploy. AI does not own a decision.
- Transparency. We disclose where AI is used and explain, in plain terms, how a system reaches its outputs and where it can be wrong.
- Fairness. We consider who could be harmed by a system's errors and test for skewed or discriminatory outputs before deployment.
- Human control. People can review, correct, and shut down the systems we deliver.
- Data minimization and purpose limitation. We use the least data needed, for the stated purpose only.
- Security by design. AI systems inherit the security controls described above, not a weaker standard.
These principles inform our advice as well as our builds, and we are willing to decline or redesign work that cannot meet them.
08 Reporting a Concern
If you discover a security vulnerability, a suspected data incident, or a compliance concern involving Digital Networks, tell us.
- Security issues and vulnerabilities: security@digitalnetworks.ai
- Compliance, privacy, and conduct concerns: compliance@digitalnetworks.ai
Describe the issue with enough detail for us to reproduce or investigate it, and include how to reach you. We acknowledge reports promptly and investigate every credible one. We do not pursue or penalize good-faith security researchers who report responsibly and avoid privacy violations, service disruption, or data destruction while testing.
For postal contact or formal legal notices, write to Digital Networks AI at 382 NE 191st St, PMB 322596, Miami, Florida 33179-3899, US, or call +1 (571) 253-8264. Compliance commitments on this page are governed by the laws of the State of Florida, United States.