Security Statement

Effective date: June 2, 2026

How EmergentOS protects the security and privacy of your data

Provider: EmergentOS Inc, a Delaware corporation
Audience: Customers, prospects, and partners (external-facing)
Contact: info@emergentos.ai
Website: www.emergentos.ai

1. Our Commitment

EmergentOS Inc is committed to protecting the security and privacy of your data. As a decision-intelligence platform that processes sensitive executive information — such as messages, calendar entries, and strategic decisions — we treat security as a foundational requirement, not an afterthought. This document summarises our security practices for customers, prospects, and partners.

2. Architecture

  • Data-loss-prevention boundary. User content passes through Nightfall DLP at the ingestion boundary before reaching any AI model. Personally identifiable and sensitive information is detected and screened in real time. If the DLP service is unavailable, data transmission is blocked (fail-safe).
  • Data isolation. Access to data is scoped per user and enforced application-side within our primary datastore (Convex). Each user can access only their own data; there is no shared data layer between customers.
  • Encryption. TLS 1.3 for data in transit and AES-256 for data at rest. SHA-256 content hashing underpins Decision Provenance audit trails.
  • Model-agnostic AI. The platform routes tasks to the most suitable AI model from our providers (Anthropic, OpenAI, and Google) without locking into a single vendor. AI processing operates on screened data.

3. Access Controls

  • OAuth 2.0 for all third-party integrations, with minimal scope requests.
  • Multi-factor authentication required for all internal access to production systems.
  • Role-based access controls for internal personnel, applying least-privilege principles.
  • Quarterly access reviews, with immediate revocation on role change or separation.

4. Data Handling

  • Data ownership. You retain full ownership of all data you provide to the Service.
  • No advertising. We do not use your data for advertising purposes.
  • No selling. We do not sell your personal data to any third party.
  • Google API compliance. Our use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • Data export. You can export your data, including Decision Graph records, at any time.
  • Data deletion. On account closure, your data is permanently deleted within 30 days, following a 30-day export window.

5. Infrastructure

  • Cloud-native. Hosted on Vercel (application and edge delivery) with Convex as the managed primary datastore and Clerk for authentication — no self-managed servers.
  • Backups. Automated daily backups with 30-day retention and point-in-time recovery.
  • Edge delivery. Global edge deployment via Vercel for resilience, DDoS protection, and low-latency access.
  • Immutable deployments. All changes ship through a version-controlled CI/CD pipeline. There is no interactive shell access to production.

6. Decision Provenance

Every decision record in EmergentOS includes a SHA-256 content hash linked in a chain to previous records. This provides a tamper-evident audit trail — any modification to historical records would break the hash chain. Decision records can be exported as signed PDFs with cryptographic verification for inclusion in board packs, regulatory filings, and audit documentation.
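A hash chain of the kind described above, as an added illustration; it is not EmergentOS code. The record layout, the canonical JSON encoding, the all-zero genesis value, and the externally stored expected_head are assumptions made for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first record


def record_hash(prev_hash, content):
    """SHA-256 over the previous hash plus a canonical JSON encoding of content."""
    canonical = json.dumps(content, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode("utf-8")).hexdigest()


def append(chain, content):
    """Append a record linked to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"content": content, "prev": prev, "hash": record_hash(prev, content)})


def verify(chain, expected_head=None):
    """Return None if the chain is intact, else the index of the first bad record.

    expected_head is a head hash kept outside the datastore. Without it, a party
    able to rewrite every record, or to drop the newest ones, leaves a chain that
    still verifies. A head mismatch is reported as index len(chain).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        link_ok = hmac.compare_digest(rec["prev"], prev)
        hash_ok = hmac.compare_digest(rec["hash"], record_hash(prev, rec["content"]))
        if not (link_ok and hash_ok):
            return i
        prev = rec["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(chain)
    return None


def build_sample_chain():
    """Constructed sample records, not real decision data."""
    chain = []
    for n, text in enumerate(["approve budget", "defer hiring", "sign vendor"], 1):
        append(chain, {"id": n, "decision": text})
    return chain
```

Editing a historical record fails at that record; editing it and recomputing its own hash fails at the next record, whose stored link no longer matches.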

7. Compliance

| Standard | Status | Details |
|---|---|---|
| GDPR / UK GDPR | Compliant | Privacy Policy, Data Processing Addendum with SCCs/IDTA, and data-retention controls in place |
| Google API Limited Use | Compliant | Privacy Policy includes the required Limited Use disclosures |
| CCPA / CPRA | Compliant | Privacy rights documented; no sale of personal information |
| Cyber Essentials | In progress | UK government-backed baseline security certification |
| Independent penetration test | In progress | Independent third-party assessment |
| SOC 2 Type I | Planned (2026) | Service Organisation Control audit |
| ISO 27001 | Planned (2027) | Full information-security management-system certification |

8. Incident Response

We maintain a documented Incident Response Plan with defined severity levels, escalation procedures, and communication protocols. In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay, consistent with applicable law and our Data Processing Addendum. The notification will describe the nature of the incident, the data affected, the likely consequences, and the measures we have taken.

9. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a vulnerability in the EmergentOS Service, please report it to info@emergentos.ai. We aim to acknowledge receipt promptly, provide an initial assessment, and keep you informed of remediation progress. We will not take legal action against good-faith security researchers who follow responsible-disclosure practices.

10. Contact

General, security, and privacy contact: info@emergentos.ai
Website: www.emergentos.ai
Provider: EmergentOS Inc