Data and model governance.

1. What customer data does the Service handle?

Three categories:

• Account data — name, email, organisation, role. Stored in our EU database.
• Customer content — briefs you type, files you upload, decks/modules/documents/assessments we generate from those briefs, comments, and version history. Stored in our EU database and on EU file storage (Hetzner).
• Operational metadata — login timestamps, action history (for audit), credit usage. Stored in our EU database.

2. What is sent to model providers, and to which ones?

We use third-party text-generation models for two purposes: (a) interpreting your brief and producing a structured content plan, and (b) drafting text fields where you click an explicit "draft" button. We may also use image-generation models when you explicitly request an image.

The current list of model providers is always reflected on the sub-processors page, which we keep up to date and announce 30 days in advance for any addition.

3. Is customer content used to train models?

No.We do not use customer content for model training. We do not fine-tune or retrain any model on customer content. Our contracts with our model providers prohibit them from training on data we submit, and we enable zero-retention mode where the provider supports it (currently the case with OpenAI's API on MLtitude's organisation).

4. What does "zero-retention" mean in practice?

OpenAI's API, when zero-retention is enabled on the calling organisation, does not store request or response payloads at rest beyond what's needed to fulfil the immediate request. Logging of abuse-detection metadata may be retained per the provider's own policy. We do not have visibility into that retention; the provider's published policy applies.

5. Where are model calls processed?

OpenAI inference is performed on US infrastructure. This is a transfer of personal data outside the European Economic Area. Standard Contractual Clauses (European Commission Decision 2021/914) are incorporated by reference into our DPA. We send only the minimum data necessary to fulfil each request, and we do not embed personal account identifiers into prompts.

6. Where are the outputs stored?

Model outputs are stored in your tenant on our EU infrastructure (Hetzner, Germany) and treated as your customer content for all retention, deletion, and access purposes. They are never sent back to the model provider for any purpose other than the user-initiated operation that produced them.

7. Can a customer opt out of model usage?

The Service's core value depends on model-generated content — opting out of model usage is opting out of the product. We don't currently support a no-model mode. If your compliance posture forbids any third-country processing, talk to us before signing.

8. Hallucination posture and human-in-the-loop

• MLtitude positions every generated output as a draftthat the user reviews and edits before publishing or exporting. The end user — your trainer, your L&D author — is the accountable reviewer.
• For XLSim assessments, the rubric (what counts as a correct answer) is authored or reviewed by a human trainer before any trainee is exposed to it. Automated grading is deterministic against that rubric — no LLM scoring of submissions.
• For text generation, factual claims, statistics, or quotations the trainer cares about should be verified by the trainer. The Acceptable Use Policy sets this expectation explicitly.

9. What logs do you keep?

• Application audit log — significant user actions (account changes, document creation/deletion, role changes, invitations). Retained for the life of the account. Per-org admins can request a copy.
• Authentication log — login attempts, password resets, OAuth callbacks. Retained for 90 days.
• Generation log — for each generation, we log: timestamp, user id, document id, document type, prompt size, output size, provider, model name, latency, success/failure. We do not store the prompt or output text in the generation log; those live with the document itself.
• Error monitoring — Sentry (EU region). Stack traces and request metadata, no message bodies.

10. Data deletion: how and how fast?

• Customers can delete individual documents at any time. Trashed documents are auto-purged after 30 days.
• Account deletion: the org admin can remove a member at any time. We honour data-subject erasure requests at info@edothsoft.com within 30 days of receipt for active systems, and within 90 days for backups.
• Termination of the agreement triggers full tenant deletion within 30 days unless legally required to retain (e.g. billing records).

11. Output reproducibility and auditability

• Every generated document is versioned. You can see the version history and roll back.
• The brief that produced each version is retained with the document.
• The model name, provider, and timestamp of each generation are recorded in the document metadata for traceability.
• We do not guarantee that re-running the same brief produces an identical output — model providers do not publish deterministic-mode SLAs.

12. Sub-processor changes

We announce material sub-processor changes on the sub-processors page 30 days before they take effect. Customers on commercial agreements may object to a sub-processor change as set out in the DPA, Section 9.

Questions

If your governance team needs information that isn't on this page, email info@edothsoft.com. We answer model-handling and data-flow questions within five business days; we will respond in writing on letterhead if your assessment requires it.