PolicySpeak

Trust Center

Last updated: 30 May 2026. We update this page whenever our practices change.

The work you do with PolicySpeak — position papers, member briefings, stakeholder strategies — is among the most sensitive material your organization produces. This page sets out what we do to protect it, where it lives, and how we operate.

If you're evaluating PolicySpeak and need to complete a security questionnaire, our Data Processing Addendum, AI Policy, and detailed sub-processor disclosure are available under NDA on request. For anything else, write to security@policyspeak.com; we respond within a few business days.

Where your data lives

All customer data is stored in an EU-based managed database located in Ireland, inside the European Economic Area.

You can request deletion of your organization's data at any time by writing to security@policyspeak.com. We are expanding self-service deletion and standardized retention windows as part of our 2026 roadmap.

Encryption

Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption keys are managed by our infrastructure providers and rotated at least annually.

How we use AI

PolicySpeak is built on AI. We use multiple language models, embedding models, and supporting services across our intelligence pipeline. Our AI Policy describes how we build and operate these features, how we reduce the risk of incorrect output through source citation and verification, and how we approach the EU AI Act.

The complete sub-processor list and contractual terms are available to customers under NDA on request. Write to security@policyspeak.com for a sub-processor disclosure package — we respond within a few business days.

Who at PolicySpeak can see your content

Customer content is accessed only when needed to provide or troubleshoot the service, or when required by law. Access is role-based and recorded in an audit trail.

PolicySpeak is currently a small team operating with documented access controls and security training. New staff complete security training before access is granted, and access is revoked promptly on departure.

Incidents

If we discover a security incident affecting your data, we will notify you without undue delay, and within seventy-two hours of confirming it, with the facts as we know them. We will follow up with a fuller report as our investigation progresses.

Audits and your rights

You may request a review of our security posture once per year via questionnaire, or by reviewing our control documentation under NDA. Write to security@policyspeak.com to begin.

Certification roadmap

PolicySpeak is not currently certified against any external information-security standard. We operate a documented information security program whose controls are aligned with ISO 27001 and the SOC 2 Trust Services Criteria. Formal certification is part of our 2026–2027 roadmap, and we will publish certification status on this page as it is achieved. Current control documentation is shared under NDA on request.

EU data protection

We act as a data processor under GDPR. Our Data Processing Addendum is available to customers on request via security@policyspeak.com. Where an EU Representative under Article 27 is required, we will appoint one and publish the named contact here.

Documents

Contact

For security questions, questionnaires, evidence requests, our DPA, or sub-processor disclosure, write to security@policyspeak.com; we respond within a few business days.