Client assurance.
Datum North runs a data-minimizing advisory model built for sensitive board, investment, and institutional work. The controls below apply equally to managing principals and affiliated specialists, and are available in summary form, in writing, during diligence.
Confidentiality
The firm enters into mutual confidentiality agreements before receiving sensitive nonpublic information. Client names, logos, engagements, and outcomes are not publicized without express written authorization.
Commercial confidentiality is not represented as legal privilege. Where privilege is required, clients involve counsel, and the firm works within the structure counsel establishes.
Data minimization
The firm requests only the information necessary for the agreed scope, and avoids receiving production data wherever possible. Preferred methods include client-prepared summaries, redacted or aggregated material, controlled interviews, read-only access, and client-hosted environments.
Any exception requiring operational data is expressly scoped and subject to additional controls.
Use of generative AI
A firm that advises on the governance of AI holds itself to the standard it recommends.
Client-confidential information is not entered into public consumer AI services. Any approved use of AI involving client material occurs in a controlled enterprise environment with contractual data-use protections, no provider training on client content, access controls, logging, defined retention, and human review.
Material use is disclosed to the client. Datum North remains responsible for its conclusions, and AI output is never treated as independent evidence.
Conflicts and independence
Potential financial, professional, competitive, governance, and relationship conflicts are assessed before a proposal is developed and monitored throughout the engagement. Relevant conflicts are disclosed promptly and managed only with informed client consent.
The firm accepts no referral fees, reseller margins, implementation commissions, or provider compensation tied to its recommendations.
Information security and continuity
The firm maintains documented controls for identity and access management, encryption, secure document exchange, managed devices, backup and recovery, provider risk, and incident response. Access is role-based and removed when no longer required.
Continuity arrangements address key-person unavailability and the secure transfer of active engagement records — the same continuity commitment stated in every proposal.
Retention, deletion, and incidents
Client information is retained only for the period required by the engagement, applicable law, or agreed recordkeeping obligations. At the end of that period, information is returned or securely deleted according to the client agreement.
Confirmed incidents materially affecting client information are reported without undue delay and within applicable contractual and legal requirements.
Assurance materials
Relevant insurance certificates, security-control summaries, data-handling policies, and material provider information are available during diligence. Additional client-specific controls may be agreed where the sensitivity or regulatory context of an assignment warrants them.