The full policy.
This policy covers the TestML evaluation platform, the documentation site at testml.org, and any production-review or red-team engagement performed by TestML personnel. For the workspace data you submit, you are the data controller and TestML is the processor under our Data Processing Addendum. For account, billing, and product-telemetry data we collect about you as a TestML customer, TestML is the controller.
TestML, Inc. is registered in Delaware, USA. Our EU representative under Art. 27 is VeraSafe Ireland Ltd., Dublin. UK representative under UK GDPR is VeraSafe UK Ltd., London.
We minimise. The categories below are the complete inventory — there is no fingerprinting layer, no third-party marketing pixel, and no data broker enrichment. If a category is not listed here, it does not exist in our systems.
| Category | Fields | Legal basis | Retention |
|---|
| Account & billing | Name, work email, employer, billing address, VAT/EIN | Contract (Art. 6(1)(b)) | Lifetime of contract + 7 years (tax) |
| Authentication | Hashed password (Argon2id), SSO subject claim, WebAuthn keys, IP at sign-in | Legitimate interest — account security | Until account closure + 90 days |
| Evaluation prompts & completions | Inputs you submit, model outputs, retrieved context, scoring rubric verdicts | Contract — performing the eval you requested | 30 days default, configurable to 24 hours |
| Evaluation metrics | Pass/fail rates, drift sigma, p95 latency, cost per run, anonymised aggregates | Contract + legitimate interest — service health | 13 months rolling |
| Red-team artefacts | Discovered jailbreaks, injection vectors, attribution metadata | Contract + legitimate interest — security research | Vault-encrypted, 24 months, opt-out available |
| Audit logs | Actor, action, resource, timestamp, IP, request ID | Legal obligation — SOC 2, GDPR Art. 30 | 13 months online, 7 years cold archive |
| Product telemetry | Page views, feature flags, exception traces, no third-party trackers | Legitimate interest — product improvement | 90 days |
Processing purposes are restricted to (a) running the evaluation, drift, and red-team services you ordered, (b) operating and securing the platform — abuse detection, fraud prevention, capacity planning, (c) legal obligations under tax, anti-money-laundering, and security-disclosure regimes, and (d) internal product improvement using anonymised aggregates only.
We do not sell personal data. We do not share personal data with advertisers, data brokers, or AI training consortia. We do not use customer prompts to improve models — yours, ours, or anyone else's.
§ 04Legal basis under GDPR Article 6
The data table in § 02 names the basis per category. Where we rely on legitimate interest, we have run and recorded a balancing test under Recital 47. The legitimate-interest claim is narrow: account security, service health, and fraud prevention. You may object to legitimate-interest processing at any time via Settings → Privacy or by writing to the DPO.
Default retention follows § 02. Workspace administrators can shorten prompt retention to 24 hours per workspace, and may opt out of red-team artefact storage entirely. Backups are encrypted and rotate on a 35-day cycle; deletion requests propagate to backups within one full rotation.
Audit logs are exempt from on-request deletion under GDPR Art. 17(3)(b) because retaining them is necessary for compliance with our legal obligations. They are still deleted on schedule.
Our complete subprocessor list lives in the next section. We notify workspace owners by email of any addition or material change at least 30 days before it takes effect, and you have the right to terminate the contract for cause if you object to a new subprocessor.
§ 07International transfers
EU and UK customers default to eu-west-1 (Dublin). Where a transfer to a third country is unavoidable — typically for billing receipts via Stripe US — it is governed by the EU Standard Contractual Clauses (2021/914) plus our Transfer Impact Assessment. The TIA is available under NDA on request.
Encryption: TLS 1.3 in transit, AES-256-GCM at rest with per-tenant KMS keys. Access: SSO with mandatory WebAuthn for staff, just-in-time elevation, every privileged session recorded. Network: zero-trust mesh, no flat VPC. Posture: SOC 2 Type II (Schellman, current report), ISO 27001:2022, HIPAA- compatible architecture, and a continuous penetration test programme.
Vulnerability disclosure: security@testml.org — PGP key fingerprint in the security.txt file at the site root. We acknowledge within 24 hours and publish a coordinated disclosure timeline within 5 working days.
Under GDPR, UK GDPR, and the California Consumer Privacy Act, you can exercise the rights below at no charge. We respond within 30 days; if a request is complex we may extend by a further 60 days and will tell you why before the first deadline expires.
- R1Access — receive a copy of your dataSelf-serve export from the workspace, or DSAR to dpo@testml.org
- R2Rectification — correct inaccurate fieldsIn-app for account fields; ticket for derived audit records
- R3Erasure — delete prompts, accounts, telemetryWorkspace → Settings → Danger Zone, completes within 30 days
- R4Portability — machine-readable exportJSON Lines + signed manifest, restorable into a fresh workspace
- R5Objection — opt out of legitimate-interest processingToggle in Settings → Privacy, or written notice to the DPO
- R6Lodge a complaint with a supervisory authorityLead authority: Irish DPC; you may also contact your local DPA
§ 10Contact the Data Protection Officer
For DSARs, complaints, or anything in this document that needs clarification, reach our DPO at dpo@testml.org. For commercial questions, use the contact page.
TestML, Inc., Attn: Data Protection Officer, 169 Madison Ave, Ste 11437, New York, NY 10016, USA. EU: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23 AT2P, Ireland.