Security Preview
Security, privacy & data rights

Security starts before the first recording.

For robotics data, risk is not limited to file storage. Buyers need to know who collected the data, where it came from, what consent and usage rights support it, who can access it, and how the project is closed out.

Company KYB support Consent-backed collection Project-scoped access
01 / VERIFYKnow the company and source

KYB, collector eligibility and source records are matched to the project.

02 / LIMITCollect only what is needed

Purpose, modalities, personal data and retention are defined before production.

03 / CONTROLRestrict project access

Named teams, approved tools and customer-specific transfer routes can be used.

04 / EVIDENCEKeep an auditable trail

Consent, batch status, delivery and deletion records are tied to the release.

Project security controls

Security by design, not by slogan.

Controls are selected according to the sensitivity of the data and documented in the statement of work, data processing terms or customer security questionnaire before collection begins.

KYB

Business and supplier verification

Legal entity, contracting authority, payment details and relevant supplier information can be verified before onboarding or production access.

ID

Contributor and collector checks

Identity, age, eligibility, location and role checks are applied proportionately. Sensitive identity records are separated from training data where practicable.

RGT

Consent and usage rights

Collection instructions define the approved purpose, recording environment, permitted usage, withdrawal route and restrictions relevant to the project.

ACL

Least-privilege access

Access can be limited to named project members, role-specific folders and approved review tools, with links or credentials removed when no longer required.

XFR

Controlled storage and transfer

Delivery can use approved cloud storage, customer-provided environments or agreed secure transfer methods, with storage region and access method recorded.

DEL

Retention, deletion and closeout

Working copies, rejected data and final releases follow the retention schedule agreed for the engagement, including deletion confirmation where required.

Data chain of custody

Trace the release from source to delivery.

A useful audit trail connects the supplier, contributor, collection session, episode files, quality review and final delivery package.

01

Source approval

Confirm the supplier, environment, task rights and any location authorization.

02

Contributor verification

Record consent, eligibility and the identifiers needed for project accountability.

03

Controlled collection

Apply the approved protocol, equipment configuration and file naming convention.

04

Quality and rights review

Check technical acceptance, task validity, metadata and required documentation.

05

Release and closeout

Deliver accepted files, manifests and records, then complete retention or deletion actions.

Controls matrix

Define the rules before data moves.

These are project controls, not blanket promises. The exact configuration is confirmed in writing for each engagement.

Control
Baseline approach
Project option
Access
Named project team with access limited to required folders and workflow stages.
Customer approval list
Storage location
Approved cloud storage or agreed project environment.
Region-specific storage
Transfer
Authenticated sharing or customer-approved secure transfer route.
Customer cloud delivery
Retention
Retention periods and working-copy rules documented for the engagement.
Deletion confirmation
Data reuse
Use is limited by the signed license, confidentiality terms and statement of work.
Exclusive scope available
Subcontractors
Project participants receive task-specific confidentiality, rights and handling requirements.
Disclosure / approval terms
Evidence
Release manifest, QC status, source records and project documentation are linked by stable identifiers.
Custom audit package
Regional privacy readiness

Built for cross-border buyer review.

Applicable requirements depend on the people recorded, collection location, customer role, storage location and intended use. We document those facts before deciding the legal and operational controls.

UNITED STATES

State privacy and contract controls

For US engagements, the workflow can support applicable notice, access, correction, deletion and contractual processing requirements, including California-specific review where relevant.

Purpose and category notices
Consumer or contributor request route
Service-provider and reuse restrictions
EU / EEA / UK

GDPR-oriented project documentation

European projects may require a defined lawful basis, data minimization, processor terms, transfer safeguards and support for privacy impact assessment or data-subject rights.

DPA and role definition
SCC support for relevant transfers
Retention and rights handling
INDIA & OTHER REGIONS

Local-law and collection-location review

For India and other collection regions, notices, consent, grievance contacts, security measures and any cross-border restrictions are reviewed against the applicable local framework.

Collection-location records
Local consent and notice language
Regional transfer requirements
Accurate security claims

Trust depends on saying exactly what is true.

Formal certifications, infrastructure details and legal conclusions should be supported by current evidence. Where a control is project-specific, we say so and document it contractually.

01

No unsupported certification claims

Security certifications or compliance badges are presented only when current, applicable and independently verifiable.

02

No hidden expansion of permitted use

Customer-confidential data and custom project outputs are used only as allowed by the signed commercial and licensing terms.

03

No private-data scraping presented as consent

Where personal data is intentionally collected, the project must have an appropriate source, authorization and notice or consent process.

04

No vague “secure” promise in place of evidence

Buyer review focuses on the actual storage, access, transfer, retention, incident and rights-handling controls for the project.

Vendor diligence package

Documents for engineering, legal and procurement.

The package is assembled according to the stage of the opportunity. Sensitive documents may be shared after NDA or as part of an approved vendor review.

KYB

Company and contracting pack

Legal entity details, authorized representative, payment information and supplier onboarding materials.

RGT

Rights and provenance pack

Consent language, contributor records, collection locations, permitted use and source-to-release lineage.

SEC

Security and processing pack

Access model, storage and transfer route, subprocessor information, retention plan, DPA and incident contacts.

REL

Release and closeout pack

Accepted quantities, batch manifest, QC evidence, delivery confirmation and deletion or retention record.

Security FAQ

Questions buyers usually ask.

Final answers depend on the signed scope and the systems selected for the engagement.

Do you require KYC or KYB?

We distinguish business verification from contributor verification. KYB may be used for the contracting company or supplier. Contributor identity, age, eligibility and location checks are proportionate to the project. Government-ID collection is not treated as a default requirement; where it is necessary, the purpose, access and retention must be documented.

Can the data stay in our cloud or approved storage?

Yes, customer-controlled storage or a customer-approved transfer environment can be used when agreed during scoping. The delivery route, access list, folder structure and closeout steps should be defined before production begins.

Can you sign an NDA, MSA or Data Processing Agreement?

Project contracting can include confidentiality, scope, data processing, licensing, retention, incident and transfer terms. The required documents should be reviewed alongside the technical collection specification so the legal promises match the actual workflow.

Is the data exclusive or non-exclusive?

Licensing is defined per order. Existing inventory is commonly offered on a non-exclusive basis unless agreed otherwise. Customer-specific confidential data, custom protocols and exclusive deliverables are governed by the signed statement of work and license terms.

Do you have SOC 2 or ISO 27001?

Any formal certification is stated only when it is current, applicable and verifiable. Where certification is not part of the engagement, buyers can review the project-specific controls, contracts, storage architecture, access process and evidence package instead of relying on an unsupported badge.

Can working copies be deleted after delivery?

Yes, when included in the project terms. The closeout plan can define which accepted, rejected, backup and working copies are retained, for how long, by whom, and whether a deletion confirmation is required.

How do you handle a security or privacy incident?

The engagement should identify the reporting contact, information required for investigation, notification expectations, containment steps and contractual timeline. These requirements are documented before production for sensitive or regulated projects.

Send your vendor questionnaire before the pilot.

We can align the collection protocol, rights package, storage route and delivery evidence with your engineering, privacy and procurement review.

Merit Data | Real-World Robotics Data for Physical AI Request a pilot