AI Privacy and Model Training

1. Overview

This statement describes how Shieldbase Pte. Ltd. ("Shieldbase") handles customer data in connection with the artificial intelligence functionality of its products and services. It is intended to give enterprise customers, their security and compliance functions, and their procurement reviewers a clear account of how customer content is processed by Shieldbase and by the third-party model providers that Shieldbase relies upon.

The position set out in this statement is the default applicable to all enterprise customers and is reflected in Shieldbase's Master Services Agreement, Data Processing Agreement, and the contractual addenda Shieldbase maintains with each model provider.

2. Default Position

Customer content submitted to Shieldbase — including prompts, files, conversations, retrieved documents, and outputs generated in response — is not used to train, fine-tune, or otherwise improve any artificial intelligence model operated by Shieldbase, by Shieldbase's model providers, or by any other third party.

This default applies without configuration. It does not require the customer to enable a setting, sign a supplemental agreement, or submit an opt-out request.

3. Scope of "No Training"

For the avoidance of doubt, Shieldbase's no-training position covers each of the following:

• Pre-training, continued pre-training, and fine-tuning of foundation models;
• Reinforcement learning from human feedback (RLHF), including any use of customer inputs, outputs, ratings, or corrections to adjust shared models;
• Construction of embeddings, indexes, or derivative datasets that are shared across customers or used for any purpose other than directly serving the originating customer;
• Human review of customer prompts or outputs by model providers, except in the limited circumstances permitted under the applicable enterprise terms (for example, response to lawful process or narrowly scoped abuse investigations);
• Retention of customer content by model providers beyond the period required to generate a response and any contractually defined abuse-monitoring window, which is purged on a defined schedule.

This position applies across all Shieldbase functionality, including chat, document analysis, agentic workflows, integrations, and APIs.

4. Shieldbase's Own Practices

Shieldbase does not train its own models on customer content. Shieldbase does not operate a shared foundation model that learns from one customer's data to the benefit of another. Shieldbase does not aggregate, anonymize, or otherwise repurpose customer prompts, completions, uploaded files, or connected-system data for model improvement.

Where Shieldbase improves its own models or proprietary components, it does so using internal synthetic datasets, publicly licensed corpora, commercially licensed corpora, and — where applicable — explicit, opt-in evaluation programs governed by separate written agreements. Such opt-in programs are not enabled by default and are not applied to enterprise or dedicated-tenant customers without express written consent from an authorized signatory.

5. Model Providers

Shieldbase routes inference requests to a limited set of vetted model providers. In each case, Shieldbase operates under enterprise or commercial API terms that prohibit the use of customer content for training the providers' models. Customers may verify the providers' published positions through the references below.

a. Anthropic (Claude)

Anthropic does not train its models on inputs or outputs submitted by API customers under its Commercial Terms of Service. The same position applies to the Claude enterprise tier on which Shieldbase operates.

• Anthropic Privacy Policy: https://www.anthropic.com/legal/privacy
• Anthropic Commercial Terms of Service: https://www.anthropic.com/legal/commercial-terms
• Anthropic Usage Policies: https://www.anthropic.com/legal/aup

b. OpenAI (GPT family)

OpenAI does not use data submitted via its API to train or improve its models by default. This has been the standing default position for API customers since March 2023. Additional data controls and opt-out mechanisms are available through OpenAI's enterprise terms and privacy portal.

• OpenAI API Data Usage Policies: https://openai.com/policies/api-data-usage-policies
• OpenAI Enterprise Privacy: https://openai.com/enterprise-privacy
• OpenAI Privacy Request Portal: https://privacy.openai.com/

c. Google (Gemini API and Vertex AI)

For paid-tier Gemini API and Vertex AI usage — the tier on which Shieldbase operates — Google does not use prompts or responses to train its models. Google's Generative AI terms and Vertex AI documentation distinguish this paid usage from the free tier, which may be used for product improvement.

• Gemini API Additional Terms of Service: https://ai.google.dev/gemini-api/terms
• Vertex AI Generative AI Data Governance: https://cloud.google.com/vertex-ai/generative-ai/docs/data-governance
• Google Cloud Privacy Notice: https://cloud.google.com/terms/cloud-privacy-notice

d. Other Providers

Where Shieldbase engages additional providers — for example, specialized embedding, transcription, or image-generation services — each is bound by contractual terms equivalent to those described above. A current list of model providers and subprocessors is maintained in Shieldbase's Data Processing Agreement.

6. Customer Controls

Enterprise administrators have direct control over how AI functionality is used within their tenant, including:

• Restriction of the model providers and individual models available to end users;
• Selection of inference regions, where supported, to align with data-residency requirements;
• Configuration of retention periods for conversations, files, and logs, including immediate-deletion modes;
• Revocation of any third-party integration (for example, Google Workspace, Microsoft 365, Slack, Zoom, Salesforce) at any time;
• Export of audit trails recording each model call and the provider that served it;
• Export and deletion of tenant data on request, within the timeframes required by applicable law.

7. Independent Verification

Shieldbase supports independent verification of the commitments set out in this statement through:

• SOC 2 Type II audits;
• ISO/IEC 27001 and 27701 certifications;
• Customer-led penetration testing under signed agreement;
• Provider sub-audits where contractually permitted;
• Review of the Master Services Agreement, Data Processing Agreement, model-provider addenda, and supporting security documentation under non-disclosure agreement.

Evidence packages may be requested through the customer's account team or by contacting support@shieldbase.ai.

8. Provider Policy Changes

Shieldbase monitors the data and training policies of each model provider it uses. If a provider materially changes its terms in a manner that would weaken the protections described in this statement — for example, by introducing default training on API content — Shieldbase will:

1. Notify affected customers in advance of any material change taking effect;
2. Update this statement and the Data Processing Agreement accordingly;
3. Where feasible, route customer traffic to alternative providers or models that preserve the prior protections;
4. Where such routing is not feasible, provide customers with the option to disable the affected provider within their tenant prior to the change taking effect.

9. Frequently Asked Questions

Can a customer's prompt appear in another customer's response?

No. Foundation models do not retain prompts between calls in a manner that could surface one customer's content in another customer's output. In combination with the no-training position described above, there is no mechanism by which customer inputs could be exposed to other users.

Does Shieldbase use customer data to improve search, ranking, or recommendations?

Not across customers. Within a single tenant, customer data may be indexed to improve search and retrieval for that tenant. Such indexes are not combined with the data of other customers and are not used for cross-customer model improvement.

What logs and telemetry does Shieldbase collect?

Shieldbase collects operational telemetry (for example, latency, error rates, and request volumes) that is decoupled from prompt and response content. Customer content is not included in telemetry.

How is data handled in response to legal process?

Model providers may receive lawful requests for data. Where permitted, providers commit to challenging overbroad requests and notifying affected customers. The minimal-retention configurations applied by Shieldbase materially limit the scope of any data that could be subject to such requests.

10. Contact

For questions concerning AI privacy at Shieldbase, model-provider terms, or to request the Data Processing Agreement and security evidence package:

Shieldbase Pte. Ltd.

22 Sin Ming Lane #06-76, Midview City, Singapore 573969

Email: support@shieldbase.ai