Privacy Policy

Who this applies to

This portal is intended for authorised employees, contractors, and administrators of organisations that subscribe to SOF. If your employer or client invited you here, they are usually the “data controller” for much of the information you submit; SOF typically acts as a “processor” on their instructions. Where SOF determines purposes and means (for example, for account security or product analytics), SOF may act as a separate controller for those limited activities.

Information we process

• Account and access data: name, work email, username, role, organisation affiliation, authentication events, and session identifiers.
• Content you or your org uploads: policies, playbooks, FAQs, and other files or text added to the Knowledge Hub, including metadata (titles, tags, upload time, uploader).
• Usage and analytics: feature usage, approximate timestamps, device/browser type, and engagement signals your organisation enables to improve adoption and content quality.
• Support and communications: messages you send to administrators or to us for support, and technical logs needed to diagnose issues.

AI-assisted features

When you use AI-assisted document tools or question answering, we process prompts, retrieved excerpts from your organisation’s approved knowledge base, and model outputs to deliver the service. We design the product so answers are grounded in content your organisation chooses to make available, subject to the access controls they configure.

Unless your organisation’s agreement with us says otherwise, we do not use your organisation’s confidential uploaded content or end-user prompts to train public foundation models. Subprocessors and model providers used to provide the service are subject to contractual and technical safeguards described in your organisation’s order form or data processing terms.

Purposes and legal bases

We process personal information to:

• Provide, secure, and improve the learning portal and AI features;
• Authenticate users, enforce access control, and prevent abuse;
• Meet legal obligations and respond to lawful requests where required;
• Fulfil our contract with your organisation and, where applicable, our legitimate interests in a reliable, secure service (balanced against your rights).

Where required by law, we rely on consent for optional analytics or marketing; you can withdraw consent without affecting lawfulness of processing before withdrawal.

Sharing and subprocessors

We share personal information only as needed: with infrastructure, authentication, and AI service providers under strict contracts; with professional advisers where required; or when we believe disclosure is necessary to comply with law or protect rights and safety. We do not sell personal information.

Retention

We retain account and activity data for as long as your organisation’s subscription is active and for a reasonable period afterward for backups, disputes, and legal compliance. Content in the Knowledge Hub is retained according to your organisation’s settings and agreements. Technical logs are rotated on a schedule appropriate for security monitoring.

Security

We use industry-standard administrative, technical, and organisational measures, including encryption in transit, access controls, and least-privilege engineering practices. No method of transmission or storage is perfectly secure; please report suspected incidents to your organisation’s administrator or our security contact.

International transfers

If data is processed in countries other than yours, we implement appropriate safeguards (for example, standard contractual clauses) where required by applicable data protection law.

Your rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to restrict or object to certain processing, and to lodge a complaint with a supervisory authority. Because many records relate to your employment or contractor relationship, we may need to coordinate with your organisation to fulfil requests. Contact your administrator first, or reach us using the details below.

Children

This service is not directed at children. We do not knowingly collect personal information from anyone under the age required for consent in their jurisdiction for workplace tools.

Changes

We may update this policy to reflect product, legal, or regulatory changes. We will post the revised version here and adjust the “Last updated” date. Material changes may require additional notice under your organisation’s agreement.