Security & Trust at ServiceCaptain
We are a secure-by-design implementation partner for AI workflows. Our controls are designed to give procurement and security teams confidence without overclaiming.
Last updated: March 3, 2025
Need security docs for review? Contact us.
Security Principles
- Security by design — controls built into our process, not bolted on.
- Least-privilege access — only the access needed to deliver services.
- Human-in-the-loop control for critical workflows — no hands-off automation for high-impact actions.
- Practical governance over checkbox compliance — we focus on what actually reduces risk.
Technical & Organizational Controls
Controls may vary by engagement scope and hosting model.
Encryption in Transit
We implement TLS 1.2+ for data in transit, with a preference for TLS 1.3 where supported by our infrastructure and providers.
Encryption at Rest
Data at rest is protected using industry-standard encryption by our hosting and storage providers.
Access Control
We use role-based access control (RBAC), least-privilege principles, and role separation where applicable.
Authentication & Credential Hygiene
We use multi-factor authentication where supported, secure secret handling, and a defined approach to key rotation.
Logging & Monitoring
We maintain access logs and operational monitoring that surfaces anomalies. Log retention aligns with operational and legal needs.
Data Segmentation & Environment Controls
We implement tenant and project separation where applicable to limit data exposure across engagements.
Backup & Recovery Practices
We follow backup cadence practices and test restore-readiness. Specific practices may vary by engagement and hosting model.
Vulnerability & Patch Management
We apply routine updates and prioritize critical security patches in a timely manner.
Vendor / Subprocessor Review
We use a risk-based approach to vendor selection and periodic review of subprocessors.
Secure Change Management
Production changes undergo review and approval before deployment where feasible.
Data Handling & Ownership
You own your data. ServiceCaptain processes data only to deliver the services contracted under our agreement. We follow a data minimization approach — we collect and retain only what is needed for the stated purposes.
Retention and deletion follow our stated principles. Upon termination, we handle data in accordance with our Terms of Service and any applicable SOW. You may request deletion or export of your data, subject to legal and contractual constraints.
AI-Specific Security & Risk Controls
We implement human approval gates for high-impact actions. Responsibility for output verification, together with workflow guardrails, is designed into our implementations. Prompt and data handling boundaries are defined to limit exposure.
We may change AI models or providers for security or performance reasons; we aim to minimize disruption when doing so. We do not claim perfect accuracy or elimination of all risk — AI outputs require human review and oversight.
Compliance & Assurance Posture
We state only what is true. Status may change; contact us for current details.
Incident Response
We follow a structured incident response process: detect → contain → investigate → remediate → communicate. We aim to notify affected clients within a commercially reasonable timeframe, subject to legal requirements and investigation needs.
Questions from your IT or Security team?
Email: hello@servicecaptain.ai
We aim to respond to security inquiries within 1 business day.
We can also arrange a security review meeting — reach out to schedule.