DEEP MIST
AI

TRUST

Security and data handling

Last updated: June 7, 2026

How we handle data, infrastructure, and deployments. Built so your data can stay where your compliance team allows.

Deployment environments

We offer VPC, on-premises, and private-cloud deployment for regulated workloads. Where possible, data stays in your environment end to end. Hosted-by-us deployment is available for non-regulated data on request.

Data handling

We work under non-disclosure by default. Client data shared during an engagement is encrypted in transit with TLS 1.3 and encrypted at rest. Access is limited to the engineers working on your engagement, on a least-privilege basis, with multi-factor authentication required for our accounts and tools.

Sub-processors and where data is processed

For this website and our voice assistant we rely on Google (Gemini), Supabase, Pushover, Vercel, and Cloudflare. Some are located outside the UAE, so handling data can involve an international transfer, which we cover with data protection terms and appropriate safeguards. On client engagements, the sub-processors are defined in that engagement's data processing agreement. Our full sub-processor list for the website is in the Privacy Policy.

Retention and deletion

We keep data only as long as we need it. On the website, server logs are kept for up to 30 days and voice assistant transcripts for up to 12 months. On engagements, retention and deletion are set in the agreement, and we delete or return data on request and at the end of the engagement.

Model usage and AI security

Production systems route to enterprise model endpoints from OpenAI, Anthropic, and Google, with zero data retention enabled where the provider supports it. For regulated data, we use private-cloud or self-hosted model endpoints on request. Our website voice assistant runs on a paid Google Gemini plan, under which Google does not use the data to train its models. We do not use client data to train models. We design against the risks specific to AI systems, including those in the OWASP Top 10 for LLM Applications, such as prompt injection and sensitive-information disclosure. Controls include minimizing personal data before it reaches a model, filtering inputs and outputs, and keeping a human in the loop.

People

Everyone with access to client data works under confidentiality obligations and receives security training.

How we build

Every system we ship is reviewed by frontier models from OpenAI, Anthropic, and Google in parallel, then signed off by a human operator. Human-in-the-loop is the default.

Incident response

If a data breach occurs that puts personal data at risk, we notify the UAE Data Office without delay, and we notify affected people where the risk is high, with what happened and what we are doing about it. On engagements, we follow the notification terms in the agreement.

Reporting a vulnerability

We welcome reports from security researchers. Email security@deepmist.ai with steps to reproduce. We acknowledge reports within two business days and aim to triage within five. Please test only against deepmist.ai, limit your testing to confirming an issue, avoid accessing or changing other people's data, and give us reasonable time to fix the issue before any public disclosure. We will work with good-faith researchers on timing and credit.