Introduction
Scispot AI (Scibot) is built with a strong focus on security, compliance, and privacy. Our policies ensure that customer data remains confidential and is protected at all times. This document outlines the principles and measures we uphold to maintain these standards.
Last Updated: April 8, 2026
1. Customer Data Never Leaves Your Scispot Instance
Data Usage and Privacy
Customer Data Isolation: Customer data is isolated and segmented, ensuring each customer's data is kept separate and secure.
No Training on Customer Data: Customer data is never used to train Scispot's models, nor is it used to train any underlying third-party LLM providers' models (such as those from Anthropic, OpenAI, Google, or others). All data processing is confined to your Scispot instance.
Cloud AI Controls: Robust security controls, including data encryption in transit (TLS 1.2+) and at rest (AES-256), access management, and compliance with industry standards, are utilized to manage and process data securely.
Data Handling Practices
Data Storage: All customer data is stored securely in a segmented customer database, complying with all relevant security and compliance standards. Data is stored in AWS infrastructure in the United States.
Data Processing: Data processing is performed on secure Scispot servers, ensuring data transformations and embedding generation remain within the secure cloud environment. Scispot does not send your raw data to third-party AI providers in bulk — only the minimum context required to fulfill a specific request is transmitted.
Data Access: Access to customer data is strictly controlled and monitored. Only authorized Scispot personnel have access, and all access is logged and audited. Scispot maintains an internal access log retention policy aligned with SOC 2 requirements.
2. We Do Not Train Any Models on Customer Data
Off-the-Shelf Models and Statelessness
Retrieval Augmented Generation (RAG): We use off-the-shelf models in a stateless way by employing RAG. This means the model does not retain any data between sessions. For example, when summarizing a labspace page, the LLM receives a prompt containing the specific content to be summarized, along with instructions for how to do so — then discards that context when the session ends.
No Fine-Tuning on Your Data: Scispot does not fine-tune, distill, or otherwise train AI models using any customer data.
Privacy Benefits: The statelessness of RAG ensures that all results are grounded in your company's knowledge base, making them more relevant and accurate without the risk of data retention by the model.
3. Scispot AI Upholds Enterprise-Grade Security and Compliance
Adherence to Standards
SOC 2 Type II: Scibot AI's infrastructure and data handling processes are designed in alignment with SOC 2 Type II controls. Our SOC 2 report is available to enterprise customers upon request under NDA.
HIPAA Compliance: Scispot can support HIPAA-covered workflows. Please contact [email protected] to discuss a Business Associate Agreement (BAA) if your organization handles Protected Health Information (PHI).
FDA 21 CFR Part 11: Our data handling practices comply with 21 CFR Part 11 requirements for electronic records and signatures, including audit trail integrity and attributable access logs.
Advanced Security Measures: We implement TLS 1.2+ for all data in transit, AES-256 encryption at rest, role-based access controls, and conduct regular internal security reviews.
Incident Response and Breach Notification: In the event of a confirmed data breach affecting customer data, Scispot will notify affected customers within 72 hours of discovery, in alignment with applicable regulatory requirements. Notifications will include the nature of the breach, data affected, and remediation steps taken.
4. AI Model Providers and Sub-Processors
Scispot utilizes enterprise AI models deployed within its dedicated, access-controlled AWS environments to provide Scibot’s functionality. All model inference is performed within these AWS regions under Scispot’s logical and network segregation controls, and customer content is not sent to public API endpoints operated by third-party providers such as OpenAI or Anthropic.
Scispot’s use of AWS services is governed by AWS' audited SOC 2–aligned control framework, including encryption in transit and at rest, strict identity and access management, and regional data residency options. Where AWS is engaged as a sub-processor, it operates under the AWS Products and Services Data Protection Addendum and related data processing terms, which contractually restrict use of customer data to providing the services and prohibit use for model training without customer authorization.
Only the minimum necessary context required to fulfill a given Scibot request is processed by the underlying models, and such data remains within Scispot’s governed AWS tenant and selected regions. Customer content transmitted for inference is not used to train foundation models, is not shared across tenants, and is retained only in accordance with Scispot’s documented retention policies and customer agreements to support security monitoring, troubleshooting, and compliance obligations.
A full list of Scispot's data sub-processors is available to enterprise customers upon request. Contact [email protected].
5. Customer Rights and Control
Data Ownership and Control
Data Ownership: Customers retain full ownership of their data at all times. Scibot processes data solely on behalf of the customer and in accordance with their instructions.
Personalized Experience: Customers can opt out of Scibot or choose to remove the service from their account if they do not wish to use it.
Data Deletion: Customers can request the deletion of their data at any time. Upon such requests, all customer data will be permanently deleted from Scispot's systems within 30 days. Deletion requests can be submitted to [email protected].
6. Customers Can Choose to Switch Off Scispot AI Functionalities
Opt-Out Option
If customers prefer not to use Scibot's AI features, they can remove the service from their account by contacting [email protected]. Disabling Scibot does not affect access to any other Scispot features.
Conclusion
Scispot AI is committed to maintaining the highest standards of security, compliance, and privacy. We ensure that customer data is protected and used responsibly, providing our users with control over their data and peace of mind.
For further information, security questionnaires, or compliance documentation requests, please contact [email protected].