How we handle your data.
Clear Road Labs builds custom AI systems for knowledge-work teams. That means we touch sensitive operational data during engagements — and we treat that as a responsibility, not a footnote.
Last updated: April 6, 2026
See also: our principles · how we work
Your data stays yours
We never use client data to train models. Every engagement runs on enterprise LLM endpoints with zero-retention agreements, or on client-hosted models (Bedrock, Azure OpenAI, self-hosted) when regulatory requirements demand it.
Infrastructure you can audit
Our production stack runs on Vercel (SOC 2 Type II) and Neon (SOC 2 Type II, managed Postgres with encryption at rest and in transit). We document exactly which systems touch your data and can provide sub-processor lists on request.
Least-privilege data access
During engagements, we work with the minimum data needed to build and test the system. We use scoped credentials, short-lived tokens where possible, and we hand over admin access to your team at the end of every build.
Clear data lifecycle
We document every system's data retention policy in writing before kickoff. You decide how long we keep engagement artifacts, and we delete them on request — typically within 30 days of project close.
LLM data handling
Default posture. We use enterprise API endpoints from OpenAI, Anthropic, and Amazon Bedrock with zero-retention and no-training agreements for production workloads. Prompts and completions are not logged beyond what's needed for real-time delivery.
Configurable per engagement. When client requirements or regulations demand stricter controls, we deploy into your cloud tenant (Azure OpenAI, Bedrock in your AWS account) or use self-hosted open models. You keep the keys, you keep the logs, you keep the model.
Evaluation and tuning. Prompt engineering and evaluation work happens on synthetic or anonymized data whenever possible. If real data is required for a specific test, we document exactly what is used, where it lives, and how long it's retained — in writing, before the work starts.
This website
Separately from client engagements, this website (Timeback) collects only what you voluntarily submit through the contact form or occupation builder. See our Privacy Policy for the full breakdown of what's collected, why, and how long it's kept. Highlights:
- No tracking cookies, no advertising, no third-party analytics (as of the date above).
- Submitted form data is stored in Neon Postgres (encrypted at rest, accessible only to server-side code).
- Notification email is delivered via Resend; no marketing newsletters.
- You can request full deletion at any time by emailing damon@clearroadlabs.com.
Regulated data
HIPAA-, PCI-, and FedRAMP-eligible architecture is available on request — scoped per engagement. For HIPAA-capable builds, we work with covered entities to sign a BAA, deploy exclusively to client-hosted infrastructure, and use LLM providers that support BAAs (AWS Bedrock, Azure OpenAI).
If a specific framework is load-bearing for your deployment, or you have any other compliance requirement, tell us up front: it shapes the architecture decisions we make in week one, we'll confirm scope before kickoff, and it's much cheaper to plan for than to retrofit.
Incident response
If you believe you've found a security issue in this website or in an engagement we've delivered, please email damon@clearroadlabs.com with the subject line “Security”. We acknowledge every report within one business day and will work with you on responsible disclosure.
For active client engagements, incident response procedures are defined in your statement of work and include named contacts, notification timelines, and escalation paths.
Want to discuss your security requirements?
Tell us about your compliance needs and data-handling constraints. We'll scope it honestly before any work starts.