Security and data handling

How MLDeep currently handles client business data during assisted engagements.

These are the operational controls used today for human-led consulting work. They describe the present assisted-transfer workflow and its limits without implying a certification or automated integration.

Current controls

Restricted access from intake through closeout.

Access

Engagement files use named-account access and multi-factor authentication (MFA). Available Google Workspace access and sharing logs are reviewed.

Transfer

Each client receives a client-specific restricted Google Workspace folder. Client source data is not sent as email or Slack attachments.

Endpoint

Local work is limited to the FileVault-protected MLDeep-controlled device. FileVault was verified as enabled on 28 June 2026. This is a point-in-time local device verification, not an assessment of the overall control program.

Minimization

Data minimization applies at intake and throughout the work: MLDeep requests and keeps only the data needed for the agreed analysis.

Data handling

An assisted transfer workflow, not a direct data connection.

There are no automated Shopify, ad, or courier integrations today. The client supplies agreed exports through the restricted Workspace folder. MLDeep uses those exports only for the agreed engagement purpose.

Client source data is deleted from active Workspace storage, local working copies, and Trash within 30 days after the engagement ends, or earlier when it is no longer needed. Legal or contractual retention requirements may require a different period.

Provider backup limitation: Deletion from active storage and Trash does not promise immediate erasure from provider-managed backups. Backup copies follow the provider lifecycle and are not used as active working data.

Client responsibilities

Clients should provide only the agreed exports, use the restricted folder rather than email or Slack, identify who is authorized to access the folder, promptly remove access that is no longer required, and tell MLDeep when legal or contractual retention requirements apply.

Provider inventory

Complete current providers for engagement files and the website.

This inventory covers the current service providers used for client engagement files, public website hosting, website analytics, scheduling, and contact forms. See the privacy policy for the related visitor and engagement-data disclosure.

Current website and engagement service providers
Google WorkspaceCurrent engagement-file service provider or subprocessor where applicable. Client exports are transferred through the restricted client folder.
Google CloudHosts the public MLDeep website. It is not the current assisted-transfer channel for client engagement datasets.
Google AnalyticsHandles website usage analytics after the applicable visitor choice. Client engagement datasets are not intentionally sent to Google Analytics.
PostHogHandles website usage analytics after the applicable visitor choice. Client engagement datasets are not intentionally sent to PostHog.
Google CalendarHandles scheduling interactions for calls and consultations. Client engagement datasets are not intentionally sent to Google Calendar.
FormspreeHandles messages submitted through the public website contact form. Client engagement datasets are not intentionally sent to Formspree.

Website services and client engagement work have separate purposes. Client engagement datasets are not intentionally sent to Google Calendar, Formspree, Google Analytics, or PostHog.

Current assurance limitations

Operational disclosure without certification claims.

MLDeep is not currently ISO 27001 certified and has not completed a SOC 2 Type 2 audit. These controls are owner-attested and have not been independently assessed. This page does not claim penetration testing, a security guarantee, or the absence of risk.

This is a factual operational disclosure, not legal advice or a contractual security addendum. Contract-specific requirements should be agreed in writing before data is transferred.

Incident contact

Report a security concern directly.

Report suspected security incidents to info@mldeep.io. Include the affected engagement, what you observed, and a safe way to contact you. Do not include client source files in the message. MLDeep will assess the report, preserve relevant information where available, and coordinate next steps with the affected client.