Data Compliance
Last updated: July 15, 2026
I advise organizations on AI governance and data protection for a living. It would be strange if I did not hold my own operation to the same standard. Here is how I do.
The rules I work within
- GDPR and CCPA/CPRA principles guide how I handle personal information: a lawful basis for everything, collect only what is needed, use it only for the stated purpose.
- State AI and privacy laws, including Illinois requirements and the newer state AI acts like Colorado SB24-205 and Utah SB 226. I track these laws publicly at responsible-agetech.org, and I follow them myself.
- ISO 42001 and ISO 42005 shape the AI management and impact-assessment practices I bring to client engagements.
- HIPAA. This website neither collects nor stores protected health information. When client work touches healthcare data, the engagement agreement and Business Associate terms govern it, in writing, before any data moves.
What that looks like in practice
- This site collects nothing beyond what you send me.
- Research data in client work is collected with informed consent, de-identified where feasible, and kept only as long as the engagement needs it.
- My vendor list is short: hosting, scheduling, email. Short lists are easier to keep honest.
Processors and subprocessors
The services that process data on my behalf, each under a data processing agreement:
- Vercel (website hosting and server logs), United States.
- Calendly (appointment scheduling, only if you book), United States.
- Email provider (handling messages you send me).
International transfers
These providers are US-based. For visitors in the EU, EEA, or UK, transfers rely on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework, alongside each provider’s data processing terms. I ask for a current copy of these safeguards on request.
If something goes wrong
If I become aware of a data incident affecting your information, I will tell you, and I will notify regulators (within 72 hours where the GDPR requires it).
Questions
For compliance questions, data processing agreements, or my current vendor list: ezra@artandtech.com.