Security Policy & Data Protection
Thalamus AI's commitment to protecting your data and maintaining the highest security standards.
Last Updated: February 20, 2026
1. Policy Overview
Thalamus AI, Inc. ("Thalamus AI", "we", "us", or "our") is committed to protecting the security, confidentiality, and integrity of our customers' data. This Security Policy outlines our security practices, data protection measures, and compliance commitments.
This policy applies to all Thalamus AI services, including SYNAPTICA, SOPHIA-CODE, ExecutionIQ, and ASO (collectively, the "Services"), and governs how we handle data across our infrastructure.
By using our Services, you acknowledge that you have read and understood this Security Policy. We may update this policy from time to time, and we will notify customers of material changes via email or through the Services.
2. Data Protection Measures
We implement comprehensive technical and organizational measures to ensure the security of your data.
Data Encryption
All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Customer data is never stored or transmitted in plaintext.
Infrastructure Security
Our infrastructure is hosted on Google Cloud Platform (GCP) with private VPC networking, firewall protection, and DDoS mitigation through Cloud Armor.
Access Controls
We use role-based access control (RBAC) and require multi-factor authentication (MFA) for all administrative access. The principle of least privilege is enforced.
Network Security
We provide Web Application Firewall (WAF) protection, IP allowlisting capabilities, and continuous network monitoring for suspicious activity.
3. Security Commitments to Customers
Our promises to you regarding data security and service reliability.
Transparency
We maintain complete transparency about how your data is processed, stored, and protected. No hidden data practices.
No Data Training
Your business data is never used to train AI models. Your proprietary information remains exclusively yours.
99.9% Uptime SLA
We commit to 99.9% uptime for our services, with automatic failover and redundancy built into our architecture.
Regular Audits
We conduct regular third-party security audits and penetration testing to identify and remediate vulnerabilities.
4. Compliance & Certifications
We are committed to meeting industry standards and regulatory requirements.
- GDPR: General Data Protection Regulation (EU)
- CCPA: California Consumer Privacy Act
- SOC 2 Type II: Expected Q2 2026
- HIPAA: Expected Q4 2026
5. Incident Reporting Procedures
5.1 Security Incident Definition
A security incident is defined as any unauthorized access, disclosure, alteration, or destruction of customer data, or any event that compromises the confidentiality, integrity, or availability of our Services.
5.2 Incident Response Timeline
- Detection: Continuous monitoring with automated alerting systems
- Response: Initial response within 1 hour of detection
- Notification: Customers notified within 24 hours of confirmed incidents
- Resolution: Full incident report provided within 72 hours
5.3 Customer Notification
In the event of a security incident affecting your data, we will notify you via email to your registered account address within 24 hours of confirmation. Notifications will include:
- A description of the incident and data affected
- Steps taken to contain and remediate the incident
- Recommended actions for your organization
- Contact information for further assistance
6. Data Handling & Retention
6.1 Data Storage
Customer data is stored in GCP data centers located in the United States. All data is encrypted at rest using AES-256 encryption. We maintain geographically distributed backups for disaster recovery purposes.
6.2 Data Retention
We retain customer data for the duration of your subscription plus 30 days, unless otherwise specified in your service agreement. After this period, data is securely deleted using industry-standard methods.
6.3 Data Deletion
Upon account closure or request, we will delete your data within 30 days, subject to any legal obligations requiring retention. You may request immediate data deletion by contacting our support team.
6.4 Data Portability
You have the right to export your data at any time. We provide standard export functionality in common formats (JSON, CSV) through the Services or upon request.
7. Contact for Security Concerns
If you have any security concerns, questions about this policy, or need to report a security vulnerability, please contact our security team.
For security vulnerabilities:
Please include detailed information about the vulnerability, steps to reproduce, and any potential impact. We follow responsible disclosure and will acknowledge receipt within 24 hours.