Genspark Data Security & Privacy Policy for Enterprise Clients
Version 1.3 | November 2025
Road‑map note: All future‑dated items in this document are targets only. Time‑lines may shift based on audit scheduling, engineering capacity or regulatory changes.
1 Security & privacy principles
| Principle | What we do today | Road‑mapped enhancement |
|---|---|---|
| Zero training – Genspark will never use your data to train any model. | Enforced by contract & technical controls; current third party provider terms/DPAs prohibit training (e.g. OpenAI API: https://platform.openai.com/docs/guides/your-data Anthropic API: https://privacy.anthropic.com/en/articles/7996868-is-my-data-used-for-model-training Google Gemini: Reference: https://cloud.google.com/gemini/docs/discover/data-governance). Note that the foregoing third party policies are provided solely for reference and that Genspark makes no representations or warranties as to such policies, including any updates or changes thereto that may occur. | — |
| Tenant isolation – logical segregation of each customer | Logical isolation in a multi‑tenant (Virtual Private Cloud) VPC; dedicated VPC + per‑tenant encryption keys available on request (fee‑based, capacity‑planned) | Customer‑managed keys in progress (targeting H1 2026) |
| Transparent processing – you know where data goes | Data‑flow diagrams & sub‑processor list in the Trust Portal in progress | Real‑time pipeline viewer in progress (targeting beta H2 2026) |
| Independent validation – third‑party audits | SOC 2 Type I in progress , targeting report in Q4 2025 | SOC 2 Type II & ISO 27001 targeting 2026 |
2 Shared responsibility model
| Customer controls | Genspark controls |
|---|---|
| Data submitted to the service (no classified / export‑controlled data unless covered by an addendum) | Secure service operations & infrastructure |
| Role‑based access configuration, retention overrides, Customer Managed Keys (CMKs) (when purchased) | Logical tenant isolation, encryption, logging & monitoring |
| Endpoint security & network posture of end‑users (when purchased) | 24 × 7 incident response & vulnerability management |
3 Data life‑cycle
| Phase | Retention & location | Controls |
|---|---|---|
| Ingress (prompt / attachment upload) | Encrypted transient storage | TLS 1.3; server‑side AES‑256 |
| Processing (LLM call) | Prompts relayed without tenant identifiers; minimal request only | Third party terms & DPAs currently prohibit training. |
| Post‑processing / logging | 30‑day rolling log window (content hashes only) for security & billing | Customer‑configurable shorter window (min 24 h) planned |
| Storage of outputs | Depending on the data type: "User Profile" - permanently stored if not deleted, 30 days backup if deleted/cancelled. "Project History (user facing content only)" - permanently stored if not deleted, 30 days backup if deleted/cancelled; longer backup period available on request (fee‑based, capacity‑planned). "Activity History (e.g. login, logout, payments...)" - 30‑day rolling log window, no permanent storage. "AI Drive" - permanently stored if not deleted, 30 days backup if deleted/cancelled. "Intermediate Items" - 30‑day rolling log window, no permanent storage. | — |
| Deletion requests | Immediate wipe from hot storage; crypto‑erasure from backups within 30 days. Also reference to "Storage of outputs" | ISO 27040 alignment in progress |
4 Deployment models
| Model | Status | Data residency | Typical use‑case |
|---|---|---|---|
| Cloud (multi‑tenant) | Generally Available | US West (default) | Standard SaaS |
| Dedicated VPC option | Available for an additional fee; subject to capacity planning | Same regions as above | Stricter segmentation needs |
| Hybrid (Edge Gateway) | Limited availability – controlled beta | Customer network for data at rest; prompts leave network in anonymised form | Regulated workloads |
| Fully on‑prem | Private preview | Customer‑controlled | Defence / air‑gapped |
5 Compliance status (Aug 2025)
| Framework | Scope | Status |
|---|---|---|
| SOC 2 Type I | Security, Availability, Confidentiality | Audit field‑work in progress; report expected Q4 2025 |
| HIPAA | ePHI via BAA | Template BAA in progress |
| GDPR | Controller & processor obligations | EU sub‑processors & DPA in progress |
| FedRAMP | Moderate baseline | Discovery & gap analysis |
We will not reference a framework as "certified" until the attestation letter is issued.
6 Security controls
- Encryption – TLS 1.3 in transit; AES‑256‑GCM at rest; keys rotated every 90 days
- Access control – SSO (SAML 2.0 / OIDC) plus mandatory MFA for console access
- Incident response – 24 × 7 on‑call; notice to affected clients within 72 h of confirmation
Third‑party reliability disclaimer: Genspark relies on multiple third‑party vendors (e.g., cloud, LLM APIs, monitoring, auth). These materials may not operate with 100 % reliability, which can affect our services. Their data‑handling practices are governed by their own terms and are listed in our sub‑processor register.
7 Data residency & transfer
- Default processing region: at the discretion of Genspark technology team
- Depending on the technical viability of cloud providers including AWS, Azure, and GCP in a specific region, enterprise clients may have the option to select, and Genspark may be able to provide data residency of certain data, such as "user profile", "project history (user facing content only)", "chat history", and "AI drive", at a mutually agreed upon cost and under Genspark's Terms and Conditions.
- Genspark uses reasonable efforts to cause customer data to remain in the selected region. Limited telemetry or backup services may involve cross‑border transfer in line with our sub‑processor list.
- Customers will receive a 30‑day written notice of any material change to regional processing requirements, unless prohibited by law.
- Cross‑border transfers rely on EU Standard Contractual Clauses or another valid mechanism.
8 Third‑party sub‑processors
A continuously updated list (LLM, cloud, monitoring, auth, support tooling) is available in the Trust Portal. Enterprise customers receive 30‑day advance notice of additions and may object on material grounds.
9 Customer responsibilities
Customers must:
- Avoid submitting classified or export‑controlled data unless covered by an addendum.
- Configure user permissions, retention overrides, and custom encryption keys (where purchased).
- Maintain endpoint security and comply with applicable laws and internal policies.
10 Change management
Material changes to this Policy are communicated at least 30 days before the effective date (or sooner if required by law).
11 Contact
| Purpose | |
|---|---|
| Security Team | [email protected] |
| Enterprise Support | [email protected] |
| Legal | [email protected] |