Is My Data Safe?
How SCF Viewer protects your sensitive compliance information
AI Data Handling
We use the Anthropic Claude API with strict data boundaries. Here is exactly what happens with your data.
Your data is never used for AI training
We use the Anthropic Claude API. Anthropic's usage policy explicitly states that API inputs and outputs are NOT used to train models. Your conversations are never used to improve the AI.
No data retention by the AI
Conversations are processed in real-time. Claude does not store or remember your queries between sessions. Each conversation is stateless from the AI's perspective.
Grounded responses, not guesses
Claude only answers using data retrieved from your SCF database via structured tool calls. It does not draw on training data for control-specific information, which reduces hallucination risk.
No sensitive data leaves your environment unnecessarily
The SCF database content (control provisions, framework mappings, assessment objectives) is compliance reference material, not customer PII. Your questions and Claude's answers are the only data sent to the AI API.
AI Governance and Guardrails
Multiple layers of controls ensure the AI operates within strict boundaries
System prompt controls
Claude operates under strict instructions: always use tools to verify data, never fabricate control IDs, cite sources, and never tell users to look elsewhere.
Tool-use architecture
Claude cannot access arbitrary data. It has a defined set of 11 read-only tools that query the SCF database. No write access, no external API calls, no internet browsing.
Reviewed data gate
AI-discovered control relationships are flagged as unreviewed until human-validated. The API enforces this gate by default.
Data Ownership and Privacy
Your data belongs to you. Full stop.
Your data stays yours
No selling, sharing, or reuse of your data for any purpose beyond providing the service to you.
Conversation privacy
Conversations are per-user and encrypted. Other users cannot see your chat history.
Right to deletion
Request deletion of your data at any time. We will remove it promptly.
We don't sell your data
Your data is never sold or shared with third parties for analytics, advertising, or any other purpose. Period.
Infrastructure Security
Encrypted everywhere
TLS 1.3 in transit, AES-256 at rest. Your data is encrypted at every stage.
AWS hosted in the US
Infrastructure runs on AWS with US-based data residency.
Invite-only access
Credential-based authentication. No anonymous or public access to application data.