Trust Center · Updated · 2026.05
Trust & Security

Trust backed by evidence.

We work with sensitive information from global brands. This page documents how we handle data, what happens with confidentiality, and which regulatory frameworks we operate under. No empty promises. A written protocol.

Data residency: AR · UY · ES · US
Standard NDA: Yes · before brief
Applicable frameworks: LATAM · EU
Internal review: Biannual
Subprocessors: 12 · active DPAs
01 · Data handling

What we do and don't do with client data.

Policy · 2026
Reviewed every 6 months
[Diagram: Data Flow · Ownership and residency (simplified). Public sources via official APIs (Social Listening API, Visual Monitoring API, Meta · X APIs; TLS 1.3) → Epical processing pipeline, isolated per client (AES-256 at rest; AR · ES · US, encrypted) → curated, human-in-the-loop senior analyst review (16 specialists) → Decision Brief, Narrative Alert, Quarterly Report (NDA · DPA) → client as data owner (C-level, Comms / Marketing, Strategy). Data ownership: client at every stage. Auto-purge at 12 months.]
01.1
Ingestion

Public sources and official licenses only.

All of Epical's analysis is built on official platform and network APIs (Meta, X) and publicly accessible sources. We don't scrape private content, we don't violate platform terms of service, and we don't use data leaks or dubious sources. This isn't an ethical commitment: it's a condition for our work to be legally usable by the client.

01.2
Processing

Client data isolated per project.

Each project runs in an isolated environment. The ingested data, intermediate results, and deliverables for client A are not accessible to client B, nor do they train models that client B will see. Our proprietary models are trained on regional public conversation; client-specific data does not feed the shared model.

01.3
Storage

Configurable data residency.

By default, project data lives on cloud infrastructure in Argentina (Buenos Aires) with backup in Uruguay. For clients with specific requirements we offer residency in Spain or the US. All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

01.4
Retention

Configurable purge, by default 12 months after close.

When a project ends, ingestion data is archived in encrypted format and automatically purged after 12 months, unless agreed otherwise. We retain client deliverables (reports, briefs, enabled decisions) by contract; they are not unilaterally ours.

02 · Subprocessors

Who we share the data with, and why.

12 active subprocessors
Active contractual terms · Selected by criticality
Jurisdictions · Data residency
4 regions · 12 subprocessors
AR: Headquarters · HQ. Primary storage · AWS
UY: Primary backup. Montevideo · replica
ES: EU residency. AWS EU · available
US: Cloud · processing. AWS · AI models
UK: Listening. Conversation capture
| Subprocessor | Purpose | Data | Jurisdiction |
| --- | --- | --- | --- |
| Enterprise social listening platform | Social conversation ingestion | Public mentions, metadata | UK |
| Visual monitoring platform | Image intelligence | Public images | CY |
| AWS | Compute & storage | Encrypted data | AR · ES |
| Cloudflare | CDN & DDoS protection | Request metadata | US · Global |
| AI model providers | Text processing for analysis | Anonymized text | US |
| Linear · Notion | Project management | Project metadata | US |
| Google Workspace | Communication & files | Client communication | US · EU |
03 · Incident response

If something goes wrong, we have a protocol.

T+0

Detection

Detection via internal alert, client report, or subprocessor notice. Immediate escalation to senior leadership and the Operations Lead.

< 4h

Containment

Isolation of the affected project. Suspension of processing. Evidence preservation. Lockdown of potentially compromised access.

< 24h

Client notification

If there is potential impact on client data, direct notification to the contractual counterparty with a preliminary report and a response plan.

< 72h

Regulatory disclosure

When legally required, we notify within the timeframes mandated by the applicable jurisdiction.

< 30d

Post-mortem

Documented root-cause analysis, remediation plan, review of internal controls. Report shared with the affected client.

Operating framework

Epical is a 16-specialist intelligence partner. We don't operate a 24/7 SOC or a dedicated on-call security team. Our response protocol operates during extended business hours in LATAM, with direct escalation to senior leadership outside those hours. The committed times are business-hours response times, not platform SLAs. Clients with dedicated SOC requirements are referred to specialized partners.