FIG. A · DATA HANDLING SPECIFICATION

The Short Version

Why This Matters

Most AI-related data breaches aren't sophisticated attacks. They're well-meaning employees pasting client data into prompts, using personal AI accounts, or asking AI to summarise restricted documents. No technical skills required — anyone with access to a chat window can accidentally expose confidential information.

Research from IBM found that 97% of organisations reporting an AI-related breach lacked proper AI access controls. The gap isn't technology — it's governance.

When businesses don't provide approved AI tools, staff find their own. Consumer-tier plans don't guarantee your data stays private or that it won't be used for model training. Shadow AI is a real problem, and most shops don't know it's happening.

This is what ProtoForge's practices are built around — not paranoia, just awareness of how the landscape actually works.

How It Actually Works

The model is simple: your data stays under your control.

• I work out the right Anthropic plan for your business based on your situation and comfort level
• Pro — works for one or two users. Your data isn't used for model training, but it does transit Anthropic's servers to get processed. No admin tools.
• Teams — centralised admin, access controls, formal data handling terms, zero data retention. The right choice if multiple people are using the tools or you want a paper trail for compliance.
• You subscribe under your own account. I build and integrate methods and workflows into your environment
• Your data stays in your conversations, under your terms with Anthropic
• I bring 15 years of nesting knowledge packaged into tools — you keep the data

Day-to-day use of these methods means real data goes through whichever platform you've chosen — that's the same trade-off as email or cloud accounting. The important thing is you make that choice with your eyes open, not after the fact.

What I Use

Full transparency on the tools involved in client work:

• Claude (Anthropic) — API and Pro tiers. Primary tool for workflow analysis, methodology development, and process optimisation. Data from paid tiers isn't used for model training.
• Gemini (Google) — evaluation and quality checking only. Not used with client data.
• Credential isolation: API keys, passwords, and access credentials are never placed in AI conversations or prompts. Full stop.
• No other AI models are used in client work.

What Happens to Your Files

Data lifecycle in plain language:

• Drawing packages and sensitive data: never retained beyond active engagement
• Individual reference parts (for testing): retained up to 12 months, local encrypted storage, not cloud-synced
• Full deletion on request — confirmed in writing within 5 business days
• Highly sensitive documents: for workflows where data must never leave your network, on-premises options exist. This is a separate engagement with its own scope and cost — a different conversation, but worth knowing the option is there
• Skill files and methodology documentation built for you: delivered and owned by you on full payment
• ProtoForge's underlying framework — harness template, question library, evaluation processes — retained by ProtoForge, developed independently of any single client's data, reused across engagements
• Cross-engagement pattern refinement is opt-in. At contract signing you choose whether I can extract anonymised structural patterns from your engagement (for example, how different business types tend to structure pricing) to refine the framework for future clients. Your confidential information — pricing, customer names, operational specifics — is never included regardless of your choice. Either option is fully accepted

Ask Me Anything

You can ask how your data was handled at any point during or after an engagement. Straight answer, no runaround.