Security & Compliance

Data Governance

Precise.ai, Inc. · Effective: April 13, 2026 · Last updated: April 13, 2026

1. Our Commitment

Precise processes media performance data on behalf of our clients. We treat every dataset as confidential and proprietary. Our data governance framework is built around three principles: transparency, control, and accountability.

This page describes the technical and operational controls that govern how we handle Client Data. For information about how we collect and use personal information directly, see our Privacy Policy.

2. Compliance and Certifications

✓ SOC 2 Type II

Annual audit covering security, availability, and confidentiality trust service criteria, performed by an independent third-party firm. Most recent report available under NDA upon request.

✓ CCPA & State Privacy Laws

Processes and controls aligned with the California Consumer Privacy Act (CCPA/CPRA) and applicable state privacy laws.

✓ Encryption at Rest & In Transit

All data encrypted with AES-256 at rest and TLS 1.2+ in transit. No exceptions.

✓ Access Controls

Role-based access, MFA enforcement, and audit logging across all production systems.

3. Data Processing Principles

Client Data Isolation

We never commingle client datasets. Each client’s data is logically isolated and processed independently. We do not use one client’s data to benefit another.

Purpose Limitation

Client Data is processed solely to deliver the contracted service: mapping the media supply chain, measuring contribution, and optimizing allocation. No secondary uses.

Data Minimization

We ingest only the data required for analysis. We do not request or retain data beyond what is necessary for the engagement scope.

AI and Machine Learning

Our platform uses AI and machine learning to deliver media economics insights. These capabilities are subject to the same governance principles as all other data processing:

  • AI/ML processing is performed solely to deliver analytics and insights within the contracted scope of service.
  • We do not use one client’s data to train models that benefit other clients unless the data has been fully anonymized and aggregated such that it cannot be re-identified.
  • AI/ML outputs are treated as Client Data and are subject to the same isolation, retention, and deletion policies.
  • Our AI/ML features produce analytical outputs only. They do not make decisions that produce legal or similarly significant effects on individuals. Clients retain full decision-making authority over how outputs are used.

Precise does not independently verify the accuracy or completeness of Client Data and is not responsible for errors, omissions, or limitations in data provided by the client or third-party platforms.

Auditability

Every optimization, data access event, and system action is logged with timestamps and user attribution. Clients can request complete audit trails at any time.

4. Data Lifecycle

Client Data follows a defined lifecycle with controls at each phase:

| Phase | Handling | Retention |
|---|---|---|
| Ingestion | Encrypted transfer via secure API or SFTP. Data validated and checksummed on receipt. | Duration of engagement |
| Processing | Isolated compute environment. No cross-client access. AI/ML processing within same isolation boundary. | Duration of engagement |
| Output | Reports, insights, and analytical outputs delivered to client via secure channels. | Per client agreement |
| Deletion | Cryptographic erasure with verified purge. Confirmation provided to client on request. | 30 days post-termination |

5. Infrastructure and Security

  • Production infrastructure hosted on SOC 2 certified cloud providers.
  • Role-based access controls with least-privilege principles enforced across all production systems.
  • Multi-factor authentication (MFA) required for all personnel with access to production environments.
  • Automated vulnerability scanning on a continuous basis.
  • Third-party penetration testing conducted at least annually.
  • Employee security awareness training conducted upon hire and annually thereafter.
  • Regular backup testing and disaster recovery exercises.

Incident Response

Precise maintains a documented incident response plan with defined roles, escalation paths, and SLAs. In the event of a security incident affecting Client Data:

  • The affected client is notified without undue delay and in accordance with the applicable Data Processing Agreement.
  • A root cause analysis is conducted and shared with the client.
  • Remediation steps are implemented and verified.

Additional detail on breach notification procedures is available in our Privacy Policy.

6. Access Controls

  • All access to Client Data is role-based and follows the principle of least privilege.
  • MFA is enforced for all production system access.
  • Access reviews are conducted quarterly.
  • All access events are logged with user attribution and timestamps.
  • Privileged access requires documented business justification and management approval.
  • Employee access is revoked immediately upon termination or role change.

7. Subprocessors

We maintain a list of subprocessors that process Client Data on our behalf. All subprocessors are bound by contractual obligations that require them to maintain security standards consistent with our own.

Clients are notified of any changes to subprocessors with reasonable advance notice, allowing time to raise objections as provided in the applicable Data Processing Agreement. The current subprocessor list is available upon request.

8. Data Processing Agreements

All client engagements involving Client Data are governed by a Data Processing Agreement (DPA) that defines the scope of processing, security obligations, breach notification timelines, subprocessor management, and data return/deletion procedures. A copy of our standard DPA is available upon request.

9. Requesting Information

To request any of the following, contact us at privacy@precise.ai:

  • SOC 2 Type II report (available under NDA)
  • Current subprocessor list
  • Standard Data Processing Agreement
  • Audit trail for your account
  • Security questionnaire responses