Access
Engagement files use named-account access and multi-factor authentication (MFA). Available Google Workspace access and sharing logs are reviewed.
Security and data handling
These are the operational controls used today for human-led consulting work. They describe the present assisted-transfer workflow and its limits without implying a certification or automated integration.
Current controls
Engagement files use named-account access and multi-factor authentication (MFA). Available Google Workspace access and sharing logs are reviewed.
Each client receives a client-specific restricted Google Workspace folder. Client source data is not sent as email or Slack attachments.
Local work is limited to the FileVault-protected MLDeep-controlled device. FileVault was verified as enabled on 28 June 2026. This is a point-in-time local device verification, not an assessment of the overall control program.
Data minimization applies at intake and throughout the work: MLDeep requests and keeps only the data needed for the agreed analysis.
Data handling
There are no automated Shopify, ad, or courier integrations today. The client supplies agreed exports through the restricted Workspace folder. MLDeep uses those exports only for the agreed engagement purpose.
Client source data is deleted from active Workspace storage, local working copies, and Trash within 30 days after the engagement ends, or earlier when it is no longer needed. Legal or contractual retention requirements may require a different period.
Clients should provide only the agreed exports, use the restricted folder rather than email or Slack, identify who is authorized to access the folder, promptly remove access that is no longer required, and tell MLDeep when legal or contractual retention requirements apply.
Provider inventory
This inventory covers the current service providers used for client engagement files, public website hosting, website analytics, scheduling, and contact forms. See the privacy policy for the related visitor and engagement-data disclosure.
| Google Workspace | Current engagement-file service provider or subprocessor where applicable. Client exports are transferred through the restricted client folder. |
|---|---|
| Google Cloud | Hosts the public MLDeep website. It is not the current assisted-transfer channel for client engagement datasets. |
| Google Analytics | Handles website usage analytics after the applicable visitor choice. Client engagement datasets are not intentionally sent to Google Analytics. |
| PostHog | Handles website usage analytics after the applicable visitor choice. Client engagement datasets are not intentionally sent to PostHog. |
| Google Calendar | Handles scheduling interactions for calls and consultations. Client engagement datasets are not intentionally sent to Google Calendar. |
| Formspree | Handles messages submitted through the public website contact form. Client engagement datasets are not intentionally sent to Formspree. |
Website services and client engagement work have separate purposes. Client engagement datasets are not intentionally sent to Google Calendar, Formspree, Google Analytics, or PostHog.
Current assurance limitations
MLDeep is not currently ISO 27001 certified and has not completed a SOC 2 Type 2 audit. These controls are owner-attested and have not been independently assessed. This page does not claim penetration testing, a security guarantee, or the absence of risk.
This is a factual operational disclosure, not legal advice or a contractual security addendum. Contract-specific requirements should be agreed in writing before data is transferred.
Incident contact
Report suspected security incidents to info@mldeep.io. Include the affected engagement, what you observed, and a safe way to contact you. Do not include client source files in the message. MLDeep will assess the report, preserve relevant information where available, and coordinate next steps with the affected client.