Enterprise data security, retention, and privacy.
Simulacra Synthetic Data Studio sessions run in isolated, single-tenant ephemeral containers: we have no access to any data you upload or generate. The Simulacra API stores artifacts encrypted at rest, decrypts them only for authenticated API processing, and uses short, defined retention lifecycles; customer-managed storage and KMS keys are available for sensitive enterprise deployments. For enterprise API integrations, see API security details.
Zero-shot models. No pooled data. No cross-training.
Simulacra's AI is trained zero-shot on uploaded data. Each model lives only inside the active Studio session or API lifecycle window, and never beyond.
Simulacra does not use your data to train or update models for any other customer or user of the service or platform. Each uploaded dataset builds a unique model available only inside the active Studio session or API lifecycle window.
Studio models are deleted when the session ends. API models expire at the end of the lifecycle window, with early-deletion calls available through the API. Generated data is handled the same way: returned to the customer, never used for model training or improvement.
Activity logs capture API, operator, support, and security lifecycle events for monitoring, audit, and investigation. They do not capture uploaded seed rows or generated row content.
Simulacra does not share your data with any third parties. Simulacra does not anonymize or aggregate your data to share with third parties.
Your data's lifecycle within the Synthetic Data Studio.
A Studio session starts with login and an isolated, single-tenant container. Data enters that container, Simulacra fits zero-shot, and generated data and analysis remain available for the duration of the session. All data and outputs are available for download. When the session ends, the container is destroyed; the model, uploaded data, generated data, and analysis are unrecoverable. API integrations follow a different retention model; see API security details.
Legend Solid paths show the Studio session lifecycle. Once data enters, row content and session artifacts remain inside the container until download or teardown. Dashed paths carry metadata-only lifecycle logs for security, support, and audit.
Legend Cards show the Studio lifecycle in order. The Metadata card describes usage and billing logs that persist outside the session.
Audited controls for your data.
Session-only Studio isolation
Studio sessions run in isolated single-tenant containers. Uploaded data, fitted models, generated rows, and analysis remain inside the active session until download or teardown.
Customer-specific models
Each uploaded dataset builds a model for that customer's session. Customer research data is never pooled across tenants or used to train another customer's model.
Approved access paths
Studio access is tied to approved users. API access uses approved company tenants and Auth0 machine-to-machine credentials.
Encryption and key control
Traffic uses TLS. Retained API artifacts are encrypted at rest. Enterprise API deployments can use customer-managed storage and KMS keys.
Metadata-only logging
Lifecycle logs support security, support, audit, and usage tracking. They record events and counts, never uploaded seed rows or generated outputs.
Vendors, audits, and response
Subprocessors are scoped and published. Security incidents follow a documented response plan; vulnerability reports route through Responsible Disclosure.
This summary covers data-relevant control families; complete SOC 2 Type II and ISO/IEC 27001 control mappings are available in the audit package under NDA.
Request the SOC 2 / ISO 27001 / DPA package.
Download the public SOC 3 now. For procurement review, we send the restricted security packet under NDA: audit reports, DPA, questionnaire support, architecture notes, and customer-specific control mappings.
Security packet
- Public SOC 3 report, downloadable now
- SOC 2 Type II report, Jan-Apr 2025 audit period
- ISO/IEC 27001:2022 certificate, active through Aug. 22, 2028
- DPA and security questionnaire
- Architecture notes
- Customer-specific control mappings