Our Commitment to AI Trust & Data Privacy

Effective date: January 1, 2024  ·  Last updated: June 1, 2026

1. Scope

This AI Policy applies to all IONATE AI/ML-powered products, including IONATE™ APPDATE, IONATE™ SOTERIA, IONATE™ KÍRKĒ, IONATE™ MENTIVE, and any AI-assisted services delivered as part of an IONATE modernization engagement. It governs how customer data is handled when processed by IONATE's proprietary AI/ML engines.

2. What "Customer Data" Means

For the purpose of this policy, customer data includes any artifacts provided by or generated on behalf of a customer during an engagement, including but not limited to:

• Source code (COBOL, JCL, Natural, PL/I, RPG, ABAP, Oracle Forms, and all other legacy languages)
• Database schemas, stored procedures, and data dictionaries
• Business rules, runbooks, and technical documentation
• Sample data sets, test cases, and configuration files
• Output artifacts generated by IONATE tools (transformed code, analysis reports, dependency maps)

3. No Data Retention

IONATE does not retain any customer data on its own infrastructure. Specifically:

• Customer data is not uploaded to IONATE servers, cloud storage, or data lakes at any stage of an engagement.
• Any transient copies created during on-premises processing are deleted immediately upon task completion and are never persisted.
• Engagement metadata (project timelines, resource allocation) does not include customer source artifacts.
• This commitment applies to all IONATE personnel, subcontractors, and tooling.

4. No Training on Customer Data

Customer data is never used — directly or indirectly — to train, fine-tune, adapt, evaluate, or benchmark any AI or ML model. This prohibition applies to:

• IONATE's internal proprietary models (the AI/ML engines that power APPDATE, SOTERIA, and related products)
• Any third-party foundation models, APIs, or services that IONATE may integrate with
• Any form of federated learning, differential privacy aggregation, or anonymized model improvement

IONATE's AI models are trained exclusively on publicly available codebases, open-source repositories, and synthetic data generated under controlled conditions with no customer involvement.

5. Air-Gapped Deployment Architecture

IONATE's core AI/ML products are designed and delivered as air-gapped, on-premises deployments. This means:

• The APPDATE and SOTERIA engines install and run entirely within the customer's network perimeter — on-premises, in a private cloud, or in a customer-controlled VPC.
• No outbound internet connection is required or permitted for AI/ML processing. The engines operate in fully isolated environments.
• License validation and telemetry, where applicable, are limited to non-customer-data signals (version numbers, uptime) and are opt-out by agreement.
• Customers in classified, regulated, or high-security environments (government, defense, financial services) can request fully disconnected offline deployments with no external connectivity of any kind.

6. SOC 2 Type II Certification

IONATE is certified under SOC 2 Type II across the Security, Availability, and Confidentiality trust service criteria. Our annual audit covers:

• Access controls and least-privilege principles applied to all systems that could touch customer data
• Encryption in transit (TLS 1.2+) and at rest (AES-256) for any engagement artifacts
• Incident response and breach notification procedures
• Vendor and subprocessor management controls
• Change management and deployment pipeline security

Current SOC 2 Type II reports are available under NDA to prospective and existing customers. Contact legal@ionate.io to request a copy.

7. Third-Party AI Services

IONATE does not route customer data through third-party AI APIs (such as public large language model APIs) during modernization processing. Where IONATE integrates with third-party AI services in supplementary tools, such integrations are:

• Disclosed in the applicable product documentation and service agreement
• Subject to the same data prohibition — no customer artifacts are transmitted
• Governed by data processing agreements with each third party that prohibit training on customer data

8. Customer Rights and Controls

Customers retain full ownership of all data they provide to IONATE and all artifacts generated during an engagement. Customers may at any time:

• Request written confirmation that no customer data has been retained by IONATE
• Require a data destruction certificate at engagement close
• Audit IONATE's data handling controls under the terms of the engagement agreement
• Elect a fully disconnected air-gapped deployment with contractual confirmation of zero data egress

9. Contractual Commitments

The commitments in this policy are incorporated by reference into IONATE's Master Service Agreement and all enterprise engagement contracts. They are binding obligations, not aspirational statements. Breaches of these commitments are treated as material contract violations subject to the remedies set forth in the applicable agreement.

10. Updates to This Policy

Any material weakening of the commitments in this policy (e.g., if IONATE were ever to begin retaining customer data) would be disclosed to affected customers no fewer than 90 days in advance and would require explicit written consent before taking effect. The "Last updated" date at the top reflects the most recent revision.

11. Contact

Questions about this policy, requests for SOC 2 reports, or security inquiries should be directed to:

• Email: legal@ionate.io
• Mail: Ionate, Inc., 1 Embarcadero Center, Suite 1200, San Francisco, CA 94111, USA

Privacy Policy  ·  Terms of Service  ·  Cookie Policy