Skip to main content

Security & Trust

We ask clients to trust us with the question of where their data lives. That obliges us to answer the same question about ourselves — including the parts that aren’t flattering.

The short version
#

  • This website stores no database of enquiries. Your message becomes an email; there’s no submissions store to breach.
  • We collect as little as we can. No phone number, no cookies for tracking, no advertising or analytics profiling.
  • The systems we build run on your infrastructure, not ours. That’s the entire product.
  • We hold no SOC 2 or ISO 27001. We’d rather say so here than have you discover it on a call — see Certifications.

How this website handles data
#

Full detail is in the Privacy Policy. The security-relevant facts:

Transport HTTPS only, with HSTS. No plaintext fallback.
Enquiry storage None. The contact form posts to a Cloudflare Worker that validates the anti-spam challenge and sends the message onward as email. The Worker is stateless — no database, no KV, no logs of your message.
Secrets API keys live in Cloudflare Worker secrets, set out-of-band. None are in the page, the JavaScript, or the repository.
Anti-spam Cloudflare Turnstile, validated server-side — not a client-side widget that can be bypassed by posting directly to the endpoint. Plus a honeypot field and an origin allowlist.
Fonts Self-hosted. Loading this site tells Google nothing about you.
Cookies One: cf_clearance, Cloudflare’s bot-check cookie. No advertising, analytics, or tracking cookies.
Data minimisation The form asks for name, work email, company (optional), and your message. We removed the phone field because we don’t need it to answer a first enquiry.

Who we rely on
#

This site runs on Cloudflare (hosting, CDN, bot protection, cookieless analytics), and enquiry email is delivered via Brevo. Our processors — including where each is located and what data reaches them — are listed in the Privacy Policy.

Some of that processing happens outside Canada, and the Privacy Policy says so plainly rather than burying it. Which is exactly why the guidance below matters: a first enquiry never needs your confidential material.

A detailed security overview — full subprocessor list, data flows, and answers to your standard security questionnaire — is available on request. Email [email protected] and you’ll get it from the engineer who built the system, not a sales team reading from a template.

How the systems we build work
#

This is the part a compliance reviewer usually cares about, and it’s a different question from the one above. The architecture we deploy is the opposite of a contact form:

  • Your data stays in your infrastructure — on-premises, in your private cloud, or air-gapped. Models run next to the data rather than the data travelling to a model.
  • Open-weight models run locally, so inference doesn’t require shipping your documents to a third-party API. Where a commercial API genuinely fits a use case, that’s a deliberate, named decision — not a default hidden in the architecture.
  • You own the deployment. Code, infrastructure definitions, and documentation are handed over. The system keeps working if we disappear — no dependency on us as a service.
  • No training on your data, and no copying it out for our own purposes.

If your requirement is “client information cannot leave our network” — for privilege, Law 25, PIPEDA, or contractual reasons — that constraint is the design premise, not an obstacle to work around.

Working with us
#

NDAs: happy to sign yours on request — just ask before the call, and we’ll have it done beforehand. We don’t insist on our own paper.

What to send before an NDA is in place: describe the problem in general terms. “We want to search ten years of client files without them leaving our servers” is enough to have a useful first conversation. Names, records, and samples belong in a call under an agreement, never in a web form.

Certifications
#

We do not currently hold SOC 2, ISO 27001, or any comparable certification.

Core-AI is a small, engineer-led practice. Certification is a meaningful investment of time and money, and we haven’t made it yet. We’d rather tell you plainly than imply otherwise and have it surface during your diligence.

What that means in practice: if your procurement process requires a certified vendor, we’re not a fit today, and we’ll say so early rather than waste your time. If your process assesses architecture and engineering judgement, we’re happy to be examined on those — in depth, by your technical people.

Reporting a vulnerability
#

If you think you’ve found a security problem with this site, please tell us.

[email protected]

  • Scope: core-ai.net, www.core-ai.net, and the contact endpoint at /api/contact.
  • We’ll acknowledge within 2 business days, tell you what we found, and let you know when it’s fixed.
  • We won’t pursue legal action against anyone reporting in good faith who avoids privacy violations, data destruction, and service degradation.
  • Please don’t run denial-of-service tests, automated scanners that degrade the site for others, or social-engineering attempts against us or our providers.

We don’t run a paid bug bounty. We will credit you if you’d like.

Questions
#

Compliance or security questions before a call are welcome — that’s what this page is for, and a detailed question is a good sign rather than an imposition.

[email protected] — security and privacy [email protected] — everything else