Trust Center · Updated · 2026.05
Data Security & Trust

Security
your procurement team can sign off.

We handle sensitive data for Fortune 500 brands. This page sets out exactly how Epical secures it: where it lives, who can touch it, how confidentiality is enforced, and what happens if anything goes wrong. No vague assurances. A written protocol your CISO can read before the first brief.

Data residencyAR · UY · ES · US
NDA by defaultYes · before brief
FrameworksLATAM · EU
Policy reviewEvery 6 months
Subprocessors12 · active DPAs
01 · Data handling

Exactly what we do
with your data, and what we never do.

Data security policy · 2026
Reviewed every 6 months
Data flow · Ownership and residency Simplified view
SOURCES · PUBLIC Social Listening API Visual Monitoring API Meta · X APIs OFFICIAL Verified public TLS 1.3 EPICAL · ISOLATED PER CLIENT Processing Pipeline Observe · Protect AES-256 AT REST Understand · Anticipate ISOLATED MODEL Senior curation AR · ES · US ENCRYPTED CURATED · HUMAN-IN-LOOP Senior Analyst Review 16 SPECIALISTS Decision Brief Narrative Alert Quarterly Report NDA · DPA CLIENT · OWNER Client DATA OWNER C-level Comms / Marketing Strategy DATA OWNERSHIP · CLIENT AT EVERY STAGE · AUTO-PURGE AT 12 MONTHS
01.1
Ingestion

Public sources and licensed APIs only.

Every Epical analysis is built on official platform APIs (Meta, X) and publicly accessible sources. We never scrape private content, never breach platform terms of service, and never touch leaks or gray-market data. This isn't a values statement. It's the condition that keeps our work legally usable by your legal and compliance teams.

01.2
Processing

Every client isolated, no exceptions.

Each engagement runs in its own isolated environment. The ingested data, working files, and deliverables for one client are never accessible to another, and never train a model another client will see. Our proprietary AI is trained on regional public conversation. Your data stays yours and never feeds the shared model.

01.3
Storage

Data residency on your terms.

By default, project data lives on cloud infrastructure in Argentina (Buenos Aires) with backup in Uruguay. Need EU or US residency for a specific requirement? We provision it in Spain or the United States. Everything is encrypted in transit (TLS 1.3) and at rest (AES-256).

01.4
Retention

Automatic purge, 12 months after close.

When an engagement ends, raw ingestion data is archived encrypted and automatically purged after 12 months, unless we agree otherwise in writing. Deliverables (reports, briefs, the decisions they enabled) are retained by contract, on terms you control. They are never unilaterally ours.

02 · Subprocessors

Every party your data touches
and exactly why.

12 active subprocessors
DPAs in force · Vetted by criticality
Jurisdictions · Data residency
4 regions 12 subprocessors
AR
Headquarters · HQ
Primary storage · AWS
UY
Primary backup
Montevideo · replica
ES
EU residency
AWS EU · available
US
Cloud · processing
AWS · AI models
UK
Listening
Conversation capture
Subprocessor Purpose Data Jurisdiction
Enterprise social listening platform Social conversation ingestion Public mentions, metadata UK
Visual monitoring platform Image intelligence Public images CY
AWS Compute & storage Encrypted data AR · ES
Cloudflare CDN & DDoS protection Request metadata US · Global
AI model providers Text processing for analysis Anonymized text US
Linear · Notion Project management Project metadata US
Google Workspace Communication & files Client communication US · EU
03 · Incident response

If something goes wrong,
there's a written protocol.

T+0

Detection

Triggered by internal alert, client report, or subprocessor notice. Immediate escalation to senior leadership and the Operations Lead.

< 4h

Containment

Isolation of the affected project. Suspension of processing. Evidence preservation. Lockdown of potentially compromised access.

< 24h

Client notification

If client data is potentially affected, we notify your contractual counterparty directly, with a preliminary report and a response plan.

< 72h

Regulatory disclosure

When legally required, we notify within the timeframes mandated by the applicable jurisdiction.

< 30d

Post-mortem

Documented root-cause analysis, remediation plan, review of internal controls. Report shared with the affected client.

Straight talk on scope

We'd rather be precise than oversell. Epical is a 16-specialist intelligence partner, not a security vendor. We don't run a 24/7 SOC or an on-call security team. Our protocol operates during extended business hours across LATAM, with direct escalation to senior leadership outside them. The times above are business-hours response targets, not platform SLAs. If your requirement is a dedicated SOC, we'll point you to specialized partners.