Compliance Policy

Last Updated: December 1, 2024

Apilium Corp OU is committed to operating with integrity and in compliance with all applicable laws, regulations, and industry standards. As a provider of AI-powered development tools, we take our compliance obligations seriously. This Compliance Policy outlines our approach to regulatory compliance and our commitments to customers, users, and stakeholders.

1. GDPR Compliance (EU General Data Protection Regulation)

As a company registered and operating in the European Union (Estonia), we are fully subject to and comply with GDPR requirements:

Data Protection Principles

  • Lawfulness, fairness, and transparency in all data processing
  • Purpose limitation: data collected only for specified, explicit purposes
  • Data minimization: we collect only what is necessary for our services
  • Accuracy: we maintain accurate data and provide tools to correct it
  • Storage limitation: we retain data only as long as necessary
  • Integrity and confidentiality: we implement appropriate technical and organizational security

Your GDPR Rights

We uphold and facilitate the following individual rights:

  • Right to access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate personal data
  • Right to erasure: Request deletion of your data ('right to be forgotten')
  • Right to restrict processing: Limit how we use your data
  • Right to data portability: Receive your data in a portable format
  • Right to object: Object to processing based on legitimate interests
  • Rights related to automated decision-making: Obtain human review of automated decisions

You can exercise these rights through your account settings or by contacting [email protected].

Legal Basis for Processing

  • Contract: Processing necessary to provide Apilium Forge and related services
  • Consent: Where you have given explicit consent (e.g., marketing communications)
  • Legitimate interests: Necessary for our business operations (e.g., security, fraud prevention)
  • Legal obligation: Where required by law (e.g., tax records)

Data Protection Officer

We have appointed a Data Protection Officer to oversee GDPR compliance:

Email: [email protected]

We respond to all data subject requests within 30 days.

2. Global Privacy Regulations

CCPA/CPRA (California)

For California residents, we provide the following rights under CCPA and CPRA:

  • Right to know: What personal information is collected, used, and shared
  • Right to delete: Request deletion of your personal information
  • Right to correct: Request correction of inaccurate information
  • Right to opt-out: Opt out of 'sale' or 'sharing' (we do not sell data)
  • Right to limit: Limit use of sensitive personal information
  • Right to non-discrimination: No penalty for exercising your rights

Other Privacy Laws We Comply With

We design our services to comply with major global privacy regulations:

  • ePrivacy Directive (EU Cookie Law) - Cookie consent and tracking
  • PIPEDA (Canada) - Personal Information Protection
  • Privacy Act 1988 (Australia) - Australian Privacy Principles
  • PDPA (Singapore) - Personal Data Protection
  • LGPD (Brazil) - Lei Geral de Proteção de Dados
  • POPIA (South Africa) - Protection of Personal Information Act
  • UK GDPR - Post-Brexit UK data protection

3. AI Regulation Compliance

EU AI Act Compliance

As an AI-powered development tool, we are actively preparing for compliance with the EU AI Act:

Apilium Forge IDE is classified as a limited-risk AI system under the EU AI Act framework.

  • Transparency: Clear disclosure that code suggestions are AI-generated
  • Documentation: Maintaining technical documentation of our AI systems
  • Human oversight: Users review and approve all AI-generated code
  • Risk assessment: Regular evaluation of AI system risks and mitigations
  • Data governance: Strict controls on training data and model development

Ethical AI Principles

We are committed to responsible AI development and deployment:

  • Transparency: We clearly mark AI-generated content and explain how our AI works
  • Fairness: We actively work to identify and mitigate bias in AI outputs
  • Human-in-the-loop: Users maintain control over AI suggestions and final code
  • Privacy by design: Privacy Mode ensures code is not used for training
  • Accountability: We take responsibility for our AI systems' behavior
  • Security: AI systems are designed with security as a priority

AI Training Data Policy

Our commitment regarding AI training data:

  • We do NOT use customer code to train AI models without explicit consent
  • Privacy Mode users' code is never used for any training purposes
  • Our AI models are trained on properly licensed and public datasets
  • We maintain documentation of training data sources and provenance

4. Industry Standards and Certifications

Security Certifications

We pursue and maintain industry-recognized certifications:

  • SOC 2 Type II: Service Organization Controls (certification in progress)
  • ISO/IEC 27001: Information Security Management System (planned)
  • OWASP: Following Open Web Application Security Project guidelines
  • CIS Controls: Implementing Center for Internet Security best practices

Compliance Frameworks

We align our security program with recognized frameworks:

  • NIST Cybersecurity Framework (CSF)
  • NIST AI Risk Management Framework (AI RMF)
  • Cloud Security Alliance (CSA) STAR
  • ISO/IEC 27701 Privacy Information Management

Third-Party Audits

We undergo regular third-party security assessments to validate our controls and identify areas for improvement.

5. Intellectual Property Compliance

AI-Generated Code and IP

Important considerations regarding AI-generated code:

  • You own the code you write and the AI-generated suggestions you accept
  • AI-generated code may be similar to publicly available code or code generated for others
  • You are responsible for reviewing AI-generated code for potential IP issues
  • We do not claim ownership of your code or AI-generated suggestions

Respect for IP Rights

We respect intellectual property rights and expect users to do the same:

  • DMCA compliance for copyright claims
  • Trademark protection and proper use
  • Open source license compliance monitoring
  • Third-party software properly licensed

DMCA Procedures

To report copyright infringement, send a notice containing the following:

  • Identification of the copyrighted work
  • Location of the allegedly infringing material
  • Your contact information
  • Statement of good faith belief
  • Statement of accuracy under penalty of perjury
  • Physical or electronic signature

Email: [email protected]

6. Export Compliance

We comply with applicable export control laws and sanctions:

  • EU Dual-Use Regulation (Regulation (EU) 2021/821)
  • U.S. Export Administration Regulations (EAR) where applicable
  • Sanctions programs (EU, OFAC, UN Security Council)

Geographic Restrictions

Our services may not be available in countries subject to comprehensive sanctions, including but not limited to Cuba, Iran, North Korea, Syria, and the Crimea region. We screen users against applicable sanctions lists.

7. Financial Compliance

Anti-Money Laundering (AML)

We implement appropriate controls to prevent financial crimes:

  • Risk-based customer due diligence
  • Transaction monitoring for suspicious activity
  • Compliance with EU Anti-Money Laundering Directives
  • Suspicious activity reporting to relevant authorities

Payment Security (PCI DSS)

We do not store, process, or transmit cardholder data directly. All payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider.

Tax Compliance

We comply with applicable tax obligations:

  • EU VAT collection and remittance (VAT OSS)
  • Estonian corporate tax obligations
  • Digital services taxes where applicable
  • Proper invoicing with VAT identification numbers

8. Accessibility Compliance

We are committed to making our services accessible to all users:

  • Web Content Accessibility Guidelines (WCAG) 2.1 Level AA target
  • European Accessibility Act preparation
  • Keyboard navigation support in IDE
  • Screen reader compatibility improvements

Report accessibility issues to [email protected].

9. Compliance Reporting and Transparency

Internal Compliance Program

We maintain a robust internal compliance program:

  • Regular compliance audits and risk assessments
  • Compliance training for all employees
  • Documented policies and procedures
  • Whistleblower protection program
  • Executive and board oversight of compliance

External Transparency

We provide transparency through:

10. Reporting Compliance Concerns

If you believe we are not in compliance with any applicable law or regulation, or if you have concerns about our practices, please contact:

We strictly prohibit retaliation against anyone who reports compliance concerns in good faith. All reports are investigated promptly and confidentially.

11. Policy Updates

We review this Compliance Policy at least annually and update it to reflect changes in laws, regulations, and our business practices. Material changes will be communicated to users via email and posted on our website.

12. Contact Information

For compliance-related questions or concerns:

Company: Apilium Corp OU

Registry: Estonian Commercial Register

Address: Tallinn, Estonia

Compliance Team: [email protected]

Data Protection Officer: [email protected]

Legal Team: [email protected]

General Inquiries: [email protected]