Trust center

How Jubi handles your data, in one place.

Last updated: 2026-04-25 · Pre-launch

Every document a security reviewer or procurement team is likely to ask for. If something you need isn't here, email security@jubi.my and we'll send it.

01 · Security

How we secure your data, and how to report a problem.

The architecture and the controls that sit on top of it. How vulnerability reports reach us. The per-request model that gates every AI call.

Reference

Security overview →

Infrastructure, identity, application security, operations, BCP/DR, incident response, customer security features. Each control marked active / in-build / roadmap.

Reference

Per-request security model →

How Guardian sees every AI request — Mode 1 (BYOAI) and Mode 2 (Jubi agents) pipelines, R1–R5 risk catches, audit coverage.

Policy

Responsible disclosure →

Scope, safe-harbour conditions for good-faith research, and our coordinated-disclosure expectations. Reports go to security@jubi.my.

Disclosure

Subprocessors →

Third-party services that process customer data on Jubi's behalf. Material changes notified at least 30 days before they take effect.

02 · Privacy & data

What we collect, how we use it, what AI is allowed to do with it.

The data notices, plus the AI-specific commitments: no training on your data, where inference runs, how grounding works.

Notice

Privacy & PDPA notice →

What data Jubi collects, the legal bases under PDPA Malaysia and the EU GDPR, your rights as a data subject, and how to exercise them.

Policy

AI use & data policy →

Models we use, training and retention, inference residency, Article 22 GDPR, EU AI Act framing, sensitive-use restrictions, customer responsibilities.

Agreement

Data processing agreement →

Public summary of the DPA attached to a customer engagement: roles, security measures, transfers, breach handling, audit rights, TOMs annex.

Notice

Cookie policy →

What cookies the marketing site sets and why. No advertising trackers, no cross-site profiling, no session-replay tools.

03 · Legal & engagement

Site terms and pre-engagement documents.

These cover the marketing site and the pre-sales materials. Customer engagements run on the signed Master Service Agreement, not on these public versions.

Terms

Use of jubi.my and pre-engagement materials. Includes warranty disclaimers, limitation of liability, IP, indemnification, dispute resolution, and governing law.

Policy

Acceptable use →

What customers and end-users may not do with Jubi: bypass Guardian, exfiltrate data, target other tenants, use the platform to harm individuals.

Targets

Service level agreement →

Operational uptime and incident-response targets today, with a contractual SLA expected in customer engagements at GA.

Statement

Accessibility →

WCAG 2.2 AA target, current conformance posture (partial), known limitations, and how to report accessibility issues.

Compliance roadmap

What we have. What we're working on. What's deliberately not in scope. We don't list certifications we don't hold.

In place

PDPA Malaysia · operating posture alignedNotice, consent, purpose limitation, security, and DSR handling are in place. Designated PDPA contact: privacy@jubi.my.

In place

GDPR readinessDPA available with Standard Contractual Clauses and UK addendum where applicable. Sub-processing list, retention schedule, DSR workflow documented.

In place

Provider posture (Anthropic, OpenAI)We use enterprise endpoints configured for no-training and no-retention beyond inference. Posture verified per provider terms current at integration.

In progress

SOC 2 (Type I → Type II)Audit firm engaged. Trust Services Criteria scoped: Security, Availability, Confidentiality. Timing depends on environment readiness and audit firm scheduling.

In progress

ISO 27001 ISMSInformation Security Management System scoping in progress. Stage 1 audit timing aligned with the SOC 2 timeline.

In progress

Periodic third-party penetration testingApplication surface and Guardian policy enforcement in scope. Most recent test summary available on request under NDA.

Targeted

Coordinated vulnerability research programmeBeyond the current responsible-disclosure policy. May include recognition rewards where law and provider terms permit.

Targeted

Customer-managed encryption keys (CMEK)For VPC-isolated and on-prem deployments. Quoted per engagement.

Not in scope

HIPAA, PCI DSS, FedRAMPNot in scope today. Jubi does not target US healthcare, card-holder, or US-federal workflows. We will revisit if and when we do.

Need a security questionnaire filled in?

We respond to CAIQ, SIG-Lite, VPAT/ACR, and customer-supplied formats. Email security@jubi.my with the package and we'll indicate timing on receipt.

Request →

Disclaimer. This trust center is provided for informational purposes only. It does not constitute legal advice and does not create or vary contractual obligations. Binding obligations arise from the customer engagement (Master Service Agreement, Data Processing Agreement, and any deployment-specific addenda) executed between the customer and Jubi's contracting entity. Where a public document on this site differs from a signed engagement document, the signed engagement controls. Jubi may update this page at any time.