Every document your procurement team, privacy office, and InfoSec reviewer will ask for — published, downloadable, and dated. No waitlist, no NDA, no back-and-forth over email.
You will be asked for a Data Processing Addendum on every deal. We wrote one that covers GDPR, CCPA/CPRA, VCDPA, UK IDTA, Swiss FDPIC, and a zero-training covenant that is enforceable as a material breach.
5-page template covering 16 sections plus 4 schedules (Customer Information, Sub-processors, Jurisdiction-Specific Terms, Technical and Organizational Measures). The zero-training clause is explicit and survives termination.
Personal Data submitted to the Services shall not be used — directly or indirectly — to train, fine-tune, evaluate, or benchmark any machine learning model. Survives termination. Enforceable as a material breach.
Documented runbook. Notification within 72 hours of becoming aware of a Security Incident, with categories, record counts, likely consequences, and remediation measures.
Standard Contractual Clauses (Module Two) incorporated by reference. UK IDTA and Swiss FDPIC addenda apply as relevant. EU, UK, and Swiss transfers all covered out of the box.
Annual on-site audit rights with 30-day notice. SOC 2 Type II reports, SIG-Lite responses, and third-party pentest results made available on request under NDA.
Two sub-processors. Both named. Both SOC 2 Type II. Both operating under their own zero-training-on-API-input commitments, contractually passed through to you.
| Name | Purpose | Location | Certifications |
|---|---|---|---|
| Anthropic, PBC | LLM scoring model (Claude Haiku 4.5) | United States | SOC 2 Type II, ISO 27001 |
| Vercel, Inc. | Edge compute, static hosting, CDN | United States / Global | SOC 2 Type II, ISO 27001, PCI DSS |
Material changes to this list trigger 30-day advance notice to customers under DPA §9. No other third party touches your payloads.
What we have today. What we are actively building. What we will never have. Honesty over aspiration — we are a company that sells honesty, after all.
| Description | Status |
|---|---|
| Module 2 SCCs built in. UK IDTA. Swiss FDPIC. Ready to sign. | ✓ Live |
| Covers service-provider and contractor obligations under California law. Schedule C, ready to execute. | ✓ Live |
| Pre-filled Shared Assessments SIG-Lite (Lite version, ~340 questions). Available on request under NDA. | ✓ On request |
| Documented escalation, 72-hour notification window, named security contact on Defend tier. | ✓ Live |
| Audit engagement kicks off Q2 2026. Type II report targeted Q3 2026. Annual thereafter. | ⏳ Q3 2026 |
| Gap analysis Q2 2026. Stage 1 audit Q4 2026. Certification target Q1 2027. | ⏳ Q1 2027 |
| Business Associate Agreement available on the Defend tier for healthcare-adjacent deployments. | ✓ On Defend tier |
| Your prompts and responses will never be used to train, fine-tune, evaluate, or benchmark any model. Ours or anyone else's. Contractual. Enforceable. Period. | ✓ Zero |
The December 9, 2025 coalition letter from 42 Attorneys General demanded 16 specific safeguards from 13 named AI companies. Here is how Sycoindex maps 1:1 to each of them.
See the 16-safeguard coverage matrix →
Found a vulnerability? Report it to security@sycoindex.ai. We acknowledge within one business day and commit to a remediation timeline within five business days.
In scope: *.sycoindex.ai, debait-gamma.vercel.app, /api/*, /sycoindex.js, infrastructure under our control.
Out of scope: third-party services (rate-limit with the provider instead), physical security of our offices, social engineering of our team, denial-of-service testing.
Safe harbor: we will not initiate legal action against researchers acting in good faith under this policy.
Machine-readable: /.well-known/security.txt (RFC 9116)
Procurement needs a document you don't see here? Legal needs a redlined DPA? InfoSec needs answers to a specific questionnaire? Email us. Same business day turnaround.
Security reports: security@sycoindex.ai · DPA questions: chris@sycoindex.ai · Press: chris@sycoindex.ai