The paperwork and operating controls that make private AI buyable.

Controller and processor roles, sub-processor list, transfer safeguards, and a data processing agreement for business customers that need one.

Technical and organisational measures covering access control, encryption posture, logging, backups, provisioning handling, and incident response.

Defined operating periods for logs, order records, support material, and optional Pre-Load files, with shorter retention for customer content.

For Pre-Load provisioning, selbsai can provide a written deletion confirmation after customer files are wiped from provisioning storage.

Each delivered system should identify the model families, source locations, license class, intended workload, and update channel.

Security updates, model refreshes, and compatibility updates are separated so customers can choose stability or newer capability deliberately.

A machine-readable disclosure contact is published at /.well-known/security.txt and points to the current security policy.

Security reports can be sent to the published security contact and are triaged for customer impact, severity, remediation, and disclosure handling.