Safety
How we handle data, model behavior, and security across every engagement — not just the ones that ask about it.
Data handling
We only access the systems and data a project actually requires, scoped to the shortest reasonable duration. Client data is never used to train models, shared across unrelated client engagements, or retained past the end of a project without explicit agreement. Where a project needs sensitive data — customer PII, financial records, health data — we scope storage and access down to the people directly working on that piece.
Model use & oversight
When we build AI features, we default to grounding model output in your actual data rather than trusting a model's unsupported claims. Every AI feature we ship gets an evaluation set before launch, and we build in human review for any action a model takes that's hard to reverse — sending something, charging something, deleting something. AI assists; it doesn't get unsupervised authority over consequential decisions unless a client explicitly asks for that trade-off and understands the risk.
Security practices
- Secrets and credentials are never committed to source control and are rotated on engagement handoff.
- Access to client infrastructure is scoped per-person and revoked immediately at the end of an engagement.
- Dependencies are kept current and scanned for known vulnerabilities as a standing part of our workflow, not a pre-launch checklist item.
- Production changes go through review before they ship — even on small engagements, even under deadline pressure.
Responsible AI principles
We won't build a feature designed to deceive users about whether they're talking to a person or a model. We flag AI-generated content where it materially affects a user's decision. And we'll tell a client directly if a requested AI feature carries a safety or reputational risk we don't think is worth taking — that conversation happens before we build it, not after something goes wrong.
Questions or a report
If you've found a security issue in something we've built, or have a question about how we handle data on a specific engagement, reach us directly at security@ryulabs.io. We reply to every report.
Have specific requirements to review?
Send us your security or compliance questionnaire before you sign — we'd rather answer it upfront than after.