AMBIC legal centre
Data Retention & Security Standard
Default safeguards and deletion principles across Ambic services.
Data minimisation
Ambic requests only information reasonably needed to provide, secure and support the selected service. Customers must avoid uploading unrelated personal data, passwords, card details, private keys or sensitive identity documents. Production data is not used to train Ambic or third-party models unless the affected customer and individuals give separate, informed permission.
Default retention principles
- Website enquiries: normally up to 24 months after the last meaningful interaction, unless an engagement or legal record requires longer retention.
- SmartQR print files: designed for short operational retention and deletion after completion; the exact enforced window must be stated in the deployment order.
- Catalogue inputs and outputs: retained only for the project, review, delivery and agreed recovery window; the current browser demo sends no image to Ambic.
- Payment Auditor records: retained according to the customer’s documented accounting, investigation and legal requirements; deletion must preserve required financial evidence and audit integrity.
- Security and consent records: retained long enough to establish access, permission, incidents and compliance, then deleted or anonymised when no longer necessary.
- Backups: follow the applicable deployment schedule and may expire later than live records; deletion completes when the relevant backup cycle expires unless immediate isolation is legally required.
Security baseline
- Least-privilege access, tenant separation and authenticated administrative actions.
- Encryption in transit and encrypted managed storage before public SaaS launch.
- Secret storage outside source code, rotation and revocation procedures.
- Upload validation, size limits, private object access and abuse controls.
- Logged security-relevant actions, backup testing and incident response appropriate to the deployment.
- Provider and dependency review before production use.
Deletion, export and legal holds
Requests can be sent to ambicdigital@gmail.com. Ambic will verify authority before exporting or deleting business data. Some records may be retained where required for tax, payment, security, dispute, fraud-prevention or other legal purposes. Where deletion is not immediately possible, access will be restricted and the reason explained where lawful.
Current product status
The three product repositories remain controlled-pilot software and are not represented as completing every control in this standard today. Their product schedules identify current limitations. Public SaaS onboarding remains blocked until storage, identity, observability, billing, recovery and security gates are verified.
Read this document with the Terms of Service, Privacy Policy and any signed order or product schedule.