Confidentiality Notice

Important information about how Jarvis protects your financial data

⚠️ CONFIDENTIAL INFORMATION

Jarvis processes and stores Salesforce Financial Services Cloud data that may contain sensitive financial information. This notice outlines our confidentiality obligations and protections.

1. Confidentiality Classification

Information processed by Jarvis is classified as:

CONFIDENTIAL

Customer financial data, account information, and FSC records

RESTRICTED

Salesforce org configuration, custom data models, and integration details

INTERNAL

Jarvis usage analytics, platform metrics, and aggregate insights

2. Data Handling Standards

2.1 Encryption and Transmission

  • All data is encrypted in transit using TLS 1.2 or higher
  • Data is encrypted at rest using industry-standard encryption (AES-256)
  • API keys and credentials are transmitted securely and never logged
  • No sensitive data is transmitted over unencrypted channels

2.2 Access Controls

  • Only authorized Jarvis personnel can access customer data
  • Access is limited to what is necessary to provide the service
  • All data access is logged and audited
  • Two-factor authentication required for all internal accounts
  • Regular access reviews and role-based access control (RBAC)

2.3 Database Security

  • Databases are isolated and accessible only through authenticated API calls
  • Regular automated backups with encryption
  • Row-level security ensures users can access only their own data
  • SQL injection is mitigated by using parameterized queries rather than SQL built from string concatenation
  • Sensitive fields are masked in logs and error messages
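The parameterized-query and log-masking controls listed above, shown as an added example that is not Jarvis's own code. It uses Python's built-in sqlite3 in place of the Supabase/Postgres database so it runs offline; the accounts table, its rows, the injection payload, and the masking pattern are constructed for illustration.

```python
"""Added example: parameterized queries and masking of sensitive fields
in log output. Not Jarvis's code; sqlite3 stands in for the real DB."""
import logging
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for FSC account records.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (owner TEXT, account_no TEXT)")
    con.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "4111222233334444"), ("bob", "5555666677778888")],
    )
    return con


def lookup_vulnerable(con, owner):
    # Anti-pattern: caller-supplied text is spliced into the SQL statement,
    # so a crafted value changes the query's logic.
    sql = f"SELECT owner, account_no FROM accounts WHERE owner = '{owner}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, owner):
    # The value is bound as a parameter; the driver never treats it as SQL.
    sql = "SELECT owner, account_no FROM accounts WHERE owner = ?"
    return con.execute(sql, (owner,)).fetchall()


# Constructed injection payload: closes the quoted literal and adds a
# tautology, which returns every row from the vulnerable lookup.
PAYLOAD = "x' OR '1'='1"

# Masking pattern (assumption: account numbers are 12 to 19 digits);
# keeps the last four digits, replaces the rest with asterisks.
_ACCT = re.compile(r"\b(\d{8,15})(\d{4})\b")


def mask(text):
    return _ACCT.sub(lambda m: "*" * len(m.group(1)) + m.group(2), text)


class MaskingFormatter(logging.Formatter):
    """Apply mask() to every formatted record, including exception text."""

    def format(self, record):
        return mask(super().format(record))


def log_line(msg):
    # Format one record the way a handler using MaskingFormatter would.
    fmt = MaskingFormatter("%(levelname)s %(message)s")
    rec = logging.LogRecord("jarvis", logging.INFO, __file__, 0, msg, None, None)
    return fmt.format(rec)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))      # both rows leak
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no rows
    print(log_line("lookup failed for 4111222233334444"))
```

The masking formatter is attached to a logging handler in place of the default `logging.Formatter`; because it runs over the fully formatted record, account numbers that surface inside exception tracebacks are masked as well. Row-level security is a separate, database-side control (a Postgres policy in the Supabase case) and is not shown here, since sqlite3 has no equivalent.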

2.4 Application Security

  • Input validation on all user-provided data
  • Output encoding to prevent cross-site scripting (XSS)
  • CSRF protection on all state-changing operations
  • Regular security audits and penetration testing
  • Automated vulnerability scanning of dependencies

3. Third-Party Vendor Management

Jarvis works with third-party vendors who have access to your data. We ensure their confidentiality through:

  • Data Processing Agreements (DPA): All vendors sign Data Processing Agreements that require compliance with our confidentiality standards
  • Security Assessments: Vendors undergo annual security assessments to verify their practices
  • Subprocessor Controls: Vendors must notify us before using subprocessors
  • Audit Rights: We reserve the right to audit vendor compliance
  • Data Limitations: Vendors receive only the minimum data necessary to provide their service

3.1 Approved Vendors

  • Supabase: Database and authentication - Confidentiality Agreement in place
  • Claude (Anthropic): AI processing - Data Processing Agreement in place
  • Cloud Providers: Infrastructure - Subprocessor agreements documented

4. Incident Response and Breach Notification

4.1 Incident Response Plan

In the event of a suspected data breach or security incident:

  1. Containment: We immediately isolate affected systems to prevent further exposure
  2. Investigation: Our security team conducts a thorough investigation to determine scope and impact
  3. Notification: Affected parties are notified without undue delay, typically within 72 hours
  4. Remediation: We implement corrective measures to prevent recurrence
  5. Documentation: All incidents are documented for regulatory compliance

4.2 Breach Notification

In the event of a data breach, you will be notified via email with the following information:

  • Description of the incident and what occurred
  • Types of personal information affected
  • Number of individuals affected (if applicable)
  • Recommended actions to protect yourself
  • Jarvis contact information for questions
  • Documentation of our response actions

4.3 Regulatory Reporting

We comply with all applicable breach notification laws, including GDPR, CCPA, and state-specific requirements. Notifications to regulatory authorities will be made as required by law.

5. Data Retention and Deletion

Jarvis implements a strict data retention and deletion policy:

  • Active Data: Retained while your account is active
  • Deleted Documents: Soft-deleted for 30 days, then permanently purged
  • Chat History: Retained for 12 months, then archived or deleted
  • Backups: Retained for 90 days for disaster recovery, then permanently deleted
  • Legal Holds: Data may be retained longer if required by law or litigation hold
  • Account Deletion: All data associated with deleted accounts is purged within 30 days, except where legally required

6. Compliance and Certifications

Jarvis maintains, or is actively working toward, compliance with the following industry standards and regulations:

  • GDPR: Compliant with European data protection regulations
  • CCPA: Compliant with California Consumer Privacy Act
  • HIPAA: Secure handling practices align with healthcare privacy standards
  • SOC 2: Undergoing SOC 2 Type II audit
  • ISO 27001: Information security management standards implementation

7. Employee Confidentiality

All Jarvis employees and contractors are bound by:

  • Strict confidentiality agreements prohibiting disclosure of customer data
  • Annual confidentiality and security training
  • Background checks before employment or contractor status
  • Non-disclosure agreements extending beyond employment termination
  • Disciplinary procedures for violations of confidentiality

8. Customer Responsibilities

While Jarvis implements comprehensive security measures, maintaining confidentiality is a shared responsibility:

  • Strong Passwords: Use unique, complex passwords for your Jarvis account
  • Two-Factor Authentication: Enable 2FA when available
  • API Keys: Never share or expose your Salesforce API keys
  • Access Control: Grant only necessary permissions to Jarvis
  • Monitoring: Regularly monitor your account for unauthorized access
  • Reporting: Immediately report suspected security breaches

9. Right to Audit

Jarvis may be required to undergo audits by regulatory bodies or customers. We maintain documentation of our security practices and can produce evidence of compliance upon request.

10. Confidentiality of This Notice

This Confidentiality Notice is itself confidential and should not be shared with third parties without authorization. However, Jarvis customers have the right to share it with their internal teams to understand our data handling practices.

11. Contact for Security Concerns

If you have security concerns or suspect a confidentiality breach:

Security Email: security@jarvis.dev

Response Time: Critical security issues will be acknowledged within 2 hours

Escalation: For urgent matters, include "URGENT SECURITY" in the subject line

12. Updates to This Notice

This Confidentiality Notice may be updated periodically to reflect changes in our security practices. Material updates will be communicated via email to all customers.

Last Updated: January 2026

This notice applies to all customer data processed by Jarvis and is binding as part of our Terms of Service.