NorthStarSoftware
← Back to Governance

Data Handling & Security Terms

Northstar AI Labs is built on the principle of data sovereignty. Our security commitments are not policy statements—they are architectural guarantees. Your data remains under your control, protected by encryption, access controls, and air-gapped isolation.

Core Principle: Data sovereignty is guaranteed by physics, not policy. Our air-gapped infrastructure ensures your data never traverses networks you don't control. Zero external dependencies. Zero data egress. Absolute containment.

1. Data Ownership & Sovereignty

Your data remains yours. Northstar's role is custodial, not proprietary:

  • Ownership: Customer retains full ownership of all data at all times
  • Location: Data resides only on infrastructure you control (on-premise or designated facility)
  • Access: Northstar personnel access data only with explicit authorization and for defined purposes
  • Portability: Full data export capabilities in standard formats at any time
  • Deletion: Cryptographic erasure and physical destruction options upon contract termination

2. Data Classification Framework

Northstar supports industry-standard data classification with appropriate controls:

ClassificationDescriptionControls Applied
RestrictedHighly sensitive (PII, PHI, financial, legal privileged)Maximum encryption, strict access, full audit
ConfidentialInternal business data, proprietary informationEncryption, role-based access, audit logging
InternalGeneral business informationStandard encryption, access controls
PublicInformation approved for public disclosureIntegrity controls, access logging

3. Encryption Standards

All data is protected with industry-leading encryption at every stage:

Data at Rest

  • Algorithm: AES-256-GCM for all stored data
  • Key Management: Customer-controlled keys with optional HSM integration
  • Full Disk Encryption: All storage volumes encrypted at the hardware level
  • Database Encryption: Transparent data encryption for all database systems
  • Backup Encryption: All backups encrypted with separate key hierarchy

Data in Transit

  • Protocol: TLS 1.3 minimum for all network communications
  • Certificate Management: Automated certificate rotation
  • Internal Traffic: All inter-service communication encrypted
  • Air-Gapped Systems: Physical isolation eliminates transit exposure

Data in Use

  • Memory Protection: Encrypted memory enclaves where supported
  • Secure Processing: Data decrypted only within secure compute boundaries
  • Key Isolation: Cryptographic keys never exposed to application layer

4. Access Control

Multi-layered access controls ensure only authorized personnel can access data:

Identity & Authentication

  • Multi-Factor Authentication: Required for all system access
  • Single Sign-On: Integration with customer identity providers (SAML, OIDC)
  • Privileged Access: Separate authentication for administrative functions
  • Session Management: Automatic timeout and re-authentication requirements

Authorization Framework

  • Role-Based Access Control (RBAC): Permissions assigned by role, not individual
  • Least Privilege: Users receive minimum access required for their function
  • Separation of Duties: Critical operations require multiple approvals
  • Regular Reviews: Quarterly access reviews and certification

Northstar Personnel Access

  • Access only with documented customer authorization
  • Time-limited access grants for specific support activities
  • All access logged and auditable by customer
  • Background checks on all personnel with data access
  • Annual security training and certification required

5. Data Processing Terms

When Northstar processes customer data, the following terms apply:

  • Purpose Limitation: Data processed only for contracted services
  • Data Minimization: Only necessary data collected and retained
  • Processing Records: Complete documentation of all processing activities
  • Subprocessors: No subprocessors without customer approval; full list maintained
  • Cross-Border: Data remains in specified jurisdiction unless explicitly authorized

6. AI Model & Training Data

Special protections apply to AI models and training data:

  • Model Isolation: Customer models never shared or commingled with other customers
  • Training Data: Customer training data never used for any other purpose
  • No Learning: Base models do not learn from customer interactions unless explicitly configured
  • Model Ownership: Fine-tuned models remain customer property
  • Inference Logging: Customer controls what (if any) inference data is retained

7. Audit & Logging

Comprehensive audit trails support compliance and security requirements:

  • Access Logs: All authentication and authorization events
  • Data Access: Records of all data reads, writes, and deletions
  • Administrative Actions: Configuration changes and system modifications
  • Security Events: Failed access attempts, anomalies, and alerts
  • Retention: Logs retained for minimum 12 months (configurable to 7 years)
  • Immutability: Logs are append-only and cryptographically protected
  • Export: Full log export available in standard formats (SIEM integration)

8. Incident Response

Northstar maintains a comprehensive incident response program:

Detection & Response

  • 24/7 security monitoring and automated threat detection
  • Defined incident classification and severity levels
  • Documented response procedures for each incident type
  • Dedicated incident response team with defined roles

Customer Notification

  • Security Incidents: Notification within 24 hours of confirmed incident
  • Data Breaches: Notification within 72 hours per GDPR requirements (or sooner per contract)
  • Ongoing Updates: Regular status updates until incident resolution
  • Post-Incident Report: Full root cause analysis within 10 business days

Recovery & Remediation

  • Documented recovery procedures for all incident types
  • Regular backup testing and recovery drills
  • Post-incident hardening and control improvements
  • Lessons learned incorporated into security program

9. Data Retention & Deletion

Clear policies govern data lifecycle:

  • Retention Periods: Defined per data type and regulatory requirement
  • Automatic Deletion: Data purged after retention period expires
  • Customer-Initiated Deletion: Available on request with confirmation
  • Deletion Verification: Certificate of destruction provided
  • Methods: Cryptographic erasure for logical deletion; physical destruction for hardware

10. Physical Security

For on-premise deployments, physical security requirements are documented:

  • Access Control: Multi-factor physical access to data center
  • Surveillance: 24/7 video monitoring with 90-day retention
  • Environmental: Fire suppression, climate control, redundant power
  • Visitor Management: Escorted access only, visitor logs maintained
  • Equipment Security: Locked racks, tamper-evident seals

11. Third-Party Assessments

Northstar's security controls are independently validated:

  • Annual penetration testing by qualified third party
  • Vulnerability assessments and remediation tracking
  • Customer audit rights with reasonable notice

12. Data Processing Agreement

For customers subject to GDPR, CCPA, or similar regulations, Northstar executes Data Processing Agreements (DPAs) that include:

  • Standard Contractual Clauses where applicable
  • Defined processor and controller responsibilities
  • Data subject rights support procedures
  • Subprocessor management obligations
  • Data transfer mechanisms and safeguards

13. Contact Information

For data security questions or to request our security documentation:

Legal Entity: North Star Software, LLC (DBA Northstar AI Labs)
Security Team: security@northstarsoftware.net
Data Protection: privacy@northstarsoftware.net
Address: Minneapolis, MN