Data handling ยท Privacy ยท Sub-processors

Trust & data handling.

Deliberately specific. Written so a CISO, a DPO โ€” and in the case of the Google Workspace scan, a Google CASA reviewer โ€” can confirm exactly what happens and when.

GuaranteesWorkspace scanAudit submissionsSub-processorsLLM outputsYour rightsIncidents

Four concrete guarantees

Promises we can actually show you the code for.

  • Workspace scan ยท purged in 24h

    Everything from a Workspace scan is auto-deleted within 24 hours โ€” enforced by a daily cron, not a promise.

  • Read-only scopes

    We request only the two admin read-only scopes we need. No write access, no mailbox content, no drive files.

  • No training on your data

    LLM providers operate under enterprise agreements that exclude your audit data from model training.

  • GDPR Art. 15 / 17 ready

    Copy, correction and deletion requests are honoured on any audit โ€” for any user, any region, any time.

Google Workspace scan

Ephemeral. Read-only. Purged in 24 hours.

Clicking Scan Google Workspace asks for two admin scopes on an incremental consent screen. We enumerate OAuth apps granted in the domain and match them to our registry. Nothing is sent to analytics, CRM or third-party models.

Aggregated results land inworkspace_scan_sessionswith anexpires_atcolumn enforced by a daily cron at/api/tools/shadow-ai/cron/scan-purge.

Scopes requested

  • admin.directory.user.security.readonly

    Lets us enumerate OAuth-granted apps across your Workspace โ€” the raw material for shadow AI discovery.

  • admin.reports.audit.readonly

    Lets us read the admin audit log so new AI tools appearing in the domain surface in your audit.

Trigger early deletion any time by emailing privacy@buzzi.ai.

Audit submissions

Your answers, your tools, your inbox.

Survey answers, identified tools and the email you enter at the end are stored in our Postgres instance. Used only to produce your report and, where you opted in, to send you Buzzi.ai insights.

  • Hosting

    Supabase Postgres (AWS ยท US / EU)

  • Backups

    Encrypted at rest ยท Retained per vendor defaults

  • Audit retention

    24 months, then auto-deleted

  • Email retention

    Indefinite for unsubscribe โ€” deletable on request

Sub-processors

Everyone who touches your data.

Four vendors. Thatโ€™s the whole list. We publish changes at least 30 days before they apply.

  • Supabase

    Primary Postgres hosting ยท AWS ยท US / EU

    Stores audit submissions, survey answers and generated outputs. Encrypted at rest.

  • Postmark / Amazon SES

    Transactional email ยท US

    Sends audit reports, save-for-later links and insight emails you opt into.

  • OpenAI (Enterprise)

    LLM inference โ€” summaries, DPIA drafting ยท US

    Enterprise agreement excludes customer data from training. Outputs scoped to your account.

  • Google (Vertex / Workspace Scan)

    LLM inference + OAuth scan ยท US / EU

    Used for Workspace OAuth discovery and Gemini-powered text generation. No training on customer data.

LLM-generated outputs

Executive summary, DPIA, vendor questionnaires.

When you generate artefacts, we send the audit context to OpenAI or Google under enterprise agreements that exclude training on customer data. Outputs land inaudit_outputsscoped to your account and your account only.

Your rights

GDPR Article 15 / 17. Everywhere.

We honour copy, correction and deletion requests for any audit, regardless of your region. Emailprivacy@buzzi.aiand we respond within 30 days.

  • Request a copy

    Email privacy@buzzi.ai and we send you everything we hold for your audit in machine-readable form.

  • Request deletion

    Your audit, your outputs and your email are removed on request within 30 days. Confirmations are in writing.

  • Opt out of insights

    Opting in to marketing is explicit. Opting out is one click in any email or by replying "stop".

Security incident response

Responsible disclosure is always welcome.

If you believe youโ€™ve found a security issue, please disclose responsibly viasecurity@buzzi.ai. We acknowledge within 2 business days and follow standard IR procedure โ€” including regulator and data-subject notification where appropriate.

security@buzzi.ai

Privacy contact

Talk to our DPO.

Copy / correction / deletion, DPA requests, sub-processor notifications โ€” all go here.

privacy@buzzi.ai

Methodology

How we score risk.

Trust is the data side. Methodology is the math side โ€” multipliers, bands and formulas, all published.

Open methodology