Compliance & standards

Built for the security review you’re about to send us.

This page is for the security and legal teams running due diligence on Citesvue. It explains what we’re aligned to, what we’re certified against, what’s in progress, and what we can hand you to close out your vendor questionnaire. We don’t claim badges we haven’t earned, and where we’re mid-audit we say so.

Last updated | Version | Reviewed quarterly
Posture

Where we stand on the frameworks that matter for SaaS evaluation.

Framework | Status | Evidence available
GDPR (EU + UK) | Aligned | DPA, SCCs, UK IDTA, DPIA support, sub-processor list
SOC 2 Type II | In progress — target audit Q4 | Readiness assessment letter, control narrative, trust gap letter, security pack
HIPAA | On roadmap | Architecture review for Enterprise pilots; BAA available on request for qualifying pilots
ISO/IEC 27001 | On roadmap | Mapped controls available; Statement of Applicability draft on request
CCPA / CPRA | Aligned | Privacy notice, consumer-rights workflow, "do not sell" attestation
PCI-DSS | Out of scope (tokenised) | Card data handled by PCI-DSS Level 1 processor; we do not store PAN
NIST CSF | Mapped (informational) | Control mapping available on request
Aligned = we operate to the standard and can evidence the controls; not equivalent to third-party certification. In progress = an active audit is underway with a named auditor partner. Roadmap = scoped, prioritised, and on the public commitment list — pilots possible on request.
GDPR

What “GDPR-aligned” means in practice.

We are a processor for customer content (recordings and the evidence layer derived from them) and a controller for account and usage data. In practice this means:

  • Data Processing Addendum (DPA). Available on request and signed before customer content flows. Incorporates EU SCCs (2021) and the UK IDTA. Pre-signed countersigned copy returned within one business day.
  • Lawful basis. Contract for service delivery; legitimate interests for security, abuse prevention, and product improvement; consent for opt-in communications. Documented per processing purpose on /privacy.
  • DSAR handling. SLAs published in /privacy. Verified-identity workflow. We assist customer-controllers with DSARs against their workspace data within 10 business days.
  • DPIAs. We provide a DPIA support pack including data flow diagrams, sub-processor list, residency map, and risk-treatment narrative.
  • Records of processing (Art. 30). Maintained internally; relevant excerpts shared under NDA.
  • Sub-processor change notice. 30 days’ advance notice via the trust portal; objection rights per the DPA.
SOC 2

In progress, with a target Q4 audit window.

  • Where we are. Readiness assessment is complete. Controls operate across the five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). Evidence collection is automated through our compliance platform.
  • Audit partner. Engaged with a recognised CPA firm (named under NDA in the security pack).
  • Target. Type II report covering an observation window ending Q4. We will publish the report (NDA-gated) when issued.
  • Available today. Trust gap letter, control narrative aligned to AICPA TSC, sample audit-log export, pen-test executive summary, architecture diagram, data-flow narrative.
What we don’t claim. We do not claim a SOC 2 certification today. We will not say "SOC 2 compliant" until the report exists. If you see anyone repeat that on our behalf, please flag it to security@citesvue.com.
HIPAA

On the roadmap. Pilot-available for qualifying Enterprise customers.

  • Status. HIPAA-readiness work is scoped on the public roadmap. Production HIPAA support — including default BAA and PHI-suitable defaults — is not generally available.
  • What’s possible today. For Enterprise customers with a qualified pilot use case (typically: limited PHI, defined retention, single-region pinning), we can sign a BAA, configure PHI-suitable defaults, and disable specific sub-processors that aren’t in your BAA scope.
  • What we don’t do. We don’t recommend running production PHI workloads on the standard cloud tier today.
ISO 27001

On the roadmap, with controls already mapped.

  • Status. ISO 27001 certification is on the public roadmap, scheduled to follow SOC 2 Type II issuance.
  • Available today. Annex A control mapping, draft Statement of Applicability, and ISMS scope document on request under NDA.
  • Approach. SOC 2 first because the overlap is large and most customer questionnaires we see lead with SOC 2.
CCPA / CPRA

California rights honoured. Nothing sold.

  • No sale of personal information. We do not sell or share personal information as defined under CCPA/CPRA.
  • Rights honoured. Access, deletion, correction, opt-out of sharing for cross-context behavioural advertising (we don’t do this anyway), and the right to limit use of sensitive personal information. Routed through privacy@citesvue.com and in-product privacy controls.
  • Authorised agents. Supported with verification.
Residency

EU and US processing regions. Single-region pinning on Enterprise.

  • Defaults. Region is determined by account origin at sign-up.
  • Pinning. Enterprise customers can pin all customer content (raw media, transcripts, evidence layer, embeddings, backups) to a single region. We extend pinning to sub-processor invocations where the provider supports regional routing; sub-processors that cannot honour pinning are documented and can be disabled per BAA/DPA.
  • Cross-border instruments. EU SCCs (2021) Module 2 (controller-to-processor) and Module 3 where applicable. UK IDTA addendum where data leaves the UK.
  • Government access. No bulk access; we challenge over-broad requests; we notify customers where legally permitted. Full transparency statement in the security pack.
Incident response

Notification within 72 hours of confirmed material breach.

  • Definition. A "material breach" is a confirmed unauthorised disclosure, alteration, or loss of customer content or account data — not a contained probing event or unsuccessful attempt.
  • SLA. Customer notification within 72 hours of confirmation, in line with GDPR Art. 33; Enterprise contracts may negotiate tighter SLAs.
  • Channels. Direct email to workspace owners and security contacts on file; status-page incident with severity tag; in-product banner for severities affecting authenticated sessions.
  • Content. Nature of the incident, data categories and approximate volume affected, current containment status, mitigations recommended, and a contact for further questions. A formal post-incident report follows within 30 days.
Security pack

Hand this to your reviewer. Returned inside one business day.

Available under mutual NDA via security@citesvue.com:

  • Security overview (architecture, controls, data flows)
  • SIG-Lite completed questionnaire (current revision)
  • CAIQ-Lite completed questionnaire
  • Sub-processor list (current, with regions)
  • Most recent annual penetration test executive summary
  • DPA (pre-signed) + EU SCCs + UK IDTA
  • SOC 2 readiness / trust-gap letter
  • Business continuity & DR summary (RPO/RTO)
  • Vulnerability management policy summary
  • Vendor management policy summary
  • Insurance certificate (cyber + E&O)
Levers in your hands

Compliance is shared work. Here’s what you control.

Lever | Where it lives | Tier
Per-workspace retention policy | Workspace settings → Retention | Team+ (custom on Enterprise)
Region pinning | Workspace settings → Residency | Enterprise
SSO + SCIM | Workspace settings → Identity | Enterprise
Audit-log export to your SIEM | Workspace settings → Audit | Team+ (continuous on Enterprise)
Sub-processor scope (disable specific providers) | Contractual + workspace settings | Enterprise
Customer-managed encryption keys (BYOK) | Workspace settings → Encryption | Roadmap — Enterprise pilot
Account-level erasure with signed receipt | Account → Delete | All tiers
Per-project deletion & age-out | Project settings | Team+
AI governance

Where the models sit, and what they’re allowed to do.

  • Training-data policy. We do not train, fine-tune, or evaluate any model on customer content. Not our models, not third-party models. Contractually committed in the DPA.
  • Provider configuration. Where we use third-party LLM providers for transcription, OCR, artifact extraction, or Q&A, we use zero-retention API modes where the provider offers them, and we contractually prohibit training on inputs in all cases.
  • Output grounding. Q&A answers are grounded in the customer’s own evidence layer with cited timestamps, speakers, and frames — not free-form generation. See /product/evidence-qa.
  • Human review. Aggregate model-quality metrics are reviewed without engineer access to underlying customer content. Targeted review requires the same just-in-time access workflow as any other customer-content access.
  • Safety & misuse. Standard provider-side safety controls remain enabled. We don’t use customer content to red-team models.
Contact

Three routes for security & legal teams.

Reviewer FAQ

What we get asked most often during procurement.


  • No. We are mid-audit, with a target Type II report at the end of Q4. We can share the auditor’s trust gap letter today under NDA.
  • Yes — the executive summary is in the security pack. The full report is available under a separate NDA on request.
  • Not generally available today. BYOK is on the Enterprise roadmap and we are running scoped pilots; talk to us about your use case.
  • 30 days’ advance notice via the trust portal and email distribution. Enterprise customers may object during the notice window per the DPA.
  • Email legal@citesvue.com or request via the contact form. Pre-signed countersigned copy returned within one business day in most cases.
  • We assist the customer-controller. The workspace owner can export the data themselves through in-product tooling; we provide direct support for verified rights requests within 10 business days.
  • Single-tenant cloud and on-premise on your VPC are available on the Enterprise track. Cloud-managed (multi-tenant with row-level isolation) is the default.
  • We require valid legal process, challenge over-broad requests, narrow scope wherever possible, and notify customers when legally permitted.