Mayhem Shield
TRUST AND COMPLIANCE

How we handle client information

This document describes how Mayhem Shield handles client materials shared during implementation assurance engagements. It is written for security, privacy, legal, procurement, and approval stakeholders who need a clear picture of our data handling practices before engagement starts.

Version v1.1

1. Purpose and scope

Mayhem Shield conducts buyer-side implementation assurance reviews of enterprise AI deployments. In the course of a review, clients share materials such as architecture diagrams, policy documents, configuration exports, screenshots, and interview notes. This document describes how those materials are handled from intake through destruction.

2. Legal entity and insurance

  • Entity: Mayhem Shield, LLC (Texas, United States)
  • Professional liability (errors and omissions): $5,000,000 per claim
  • Cyber liability: $5,000,000 per claim

Certificates of insurance are available to clients on request.

3. Storage and infrastructure

  • Primary storage: Google Workspace (Google Drive), US region.
  • Client-side encryption: All client materials are encrypted locally with XQ before upload to Google Drive. Cleartext copies are not stored in Google Drive.
  • Endpoint security: All founder workstations run Netskope for endpoint protection and data loss prevention, with full disk encryption enforced.
  • Access control: Single sign-on (SSO) is enforced on all accounts that access client materials. Multi-factor authentication (MFA) is required for all administrative and data-accessing actions.
  • Controlled environment only: Client materials are not copied to personal devices, consumer cloud storage, or non-enterprise tools. Material does not leave the controlled environment described above.

4. AI tool usage disclosure

Mayhem Shield uses AI tools during engagement analysis and deliverable preparation. The following applies:

  • Tool in use: Claude for Work (Teams plan) from Anthropic.
  • Training on data: Under Anthropic's Claude for Work terms, customer data is not used to train Anthropic's models.
  • Other AI tools: Client materials are not processed through consumer-tier AI products (for example, free-tier ChatGPT), unmanaged browser extensions, or any AI service without enterprise-grade data handling terms.

Clients who require that no AI tooling be used in their engagement can request this in writing before engagement start.

5. Retention and destruction

  • Default retention: Engagement artifacts are retained for 90 days after engagement close.
  • Client-specified retention: Where a client agreement specifies a different retention period (shorter or longer), the client agreement governs.
  • Destruction: At the end of the retention period, artifacts are deleted from Google Drive and from any local or encrypted copies. Deletion is completed within 30 days of retention expiry.
  • Confirmation on request: A written confirmation of destruction can be provided to clients on request.

6. Confidentiality and personnel

  • Non-disclosure agreements: All three founders sign client NDAs as standard. Client-provided NDA templates are accepted; a Mayhem Shield mutual NDA is available if the client prefers.
  • No subcontractors: All engagement work is performed by the three Mayhem Shield founders. No subcontractors, contractors, or offshore resources are engaged.
  • Independence: Buyer-side reviews and vendor-side enablement are never combined on the same tool in the same engagement. Vendor relationships are disclosed before engagement.

7. Data processing agreements

Mayhem Shield does not maintain a standard DPA template at this time. We accept client-provided DPA templates and will negotiate terms to match client requirements. A standard Mayhem Shield DPA template is expected to be available in 2026.

8. Certifications and compliance posture

Individual certifications

Held by the technical co-founders Tich Gandhe and Danny Hondo:

  • CISM — Certified Information Security Manager (ISACA)
  • CASP+ — CompTIA Advanced Security Practitioner
  • AAIA — Advanced in AI Audit (ISACA)
  • AAISM — Advanced in AI Security Management (ISACA)

Firm-level compliance

  • SOC 2 Type II: Engagement is planned for 2026–2027. The target observation period and auditor information are available on request during procurement review.
  • Additional compliance documentation (policies, control descriptions) can be provided on request during procurement review.

9. How to request additional documentation

Enterprise clients who need additional documentation during procurement review, including DPA negotiation, certificate of insurance, detailed security questionnaire responses, or reference checks, can contact:

  • Email: info@mayhemshield.com
  • Primary point of contact: Cristina Lopes, Co-Founder (Business and Operations Lead)

Standard turnaround for procurement documentation requests is three business days.

This document is reviewed annually or on material change to Mayhem Shield's practices, whichever is sooner. For the current version, contact info@mayhemshield.com.