Risk-based governance
Salenza intends to maintain assigned security responsibilities, documented policies, periodic risk review, personnel confidentiality, access review and security training appropriate to the size, service and information involved. The final program will distinguish verified controls from planned improvements.
Identity and access management
Production access should follow least-privilege principles, use individual identities, require stronger authentication for privileged access, be reviewed periodically and be removed promptly when no longer needed. Administrative and support access should be logged where technically appropriate.
Exact MFA coverage, review frequency, approval workflow and emergency-access controls are being documented before production.
Data protection and retention
Salenza will validate encryption in transit, storage protections, secrets management, environment separation, backup handling, retention and deletion against the actual production architecture and provider capabilities.
We do not currently claim that all data remains in Canada, that deletion is instantaneous, or that any system is absolutely secure. Confirmed processing locations will be published in the Subprocessor Register.
Change and development controls
The production process is expected to include source control, review of material changes, dependency and vulnerability management, testing before release, controlled deployment and separation of production information from ordinary development use. The final schedule will state the controls actually implemented.
Logging, monitoring and availability
Operational and security-relevant activity should be logged at a level that supports troubleshooting, incident investigation and accountability without creating unnecessary retention of sensitive content. Monitoring, alerting, backup restoration and continuity procedures will be tested and documented.
No uptime percentage, recovery objective or service credit applies unless included in the signed Order Form or support schedule.
Provider assessment
Providers with access to personal information or critical service functions will be reviewed for contract terms, security information, processing locations, retention, subprocessors, incident duties and model-training settings where relevant. Material providers will be recorded before production and reviewed when changed.
Incident response
Salenza is preparing a process to identify, contain, investigate, remediate and document suspected security incidents and to notify affected customers as required by contract and applicable law. Notification timing, decision responsibilities, evidence preservation and regulator support will be defined in the final DPA and incident plan.
Suspected vulnerabilities or incidents can be reported to support@salenza.ai.
Shared responsibility
Customers remain responsible for authorized users, credentials, connected systems, lawful configuration, accurate escalation rules and limiting the information submitted. Customers should promptly report suspected compromise and follow the Acceptable Use Policy.