ClientsLeadershipOperating ModelBackstoryIntelligenceEvents
Send Private InquiryReview
Menu
HomeClientsLeadershipOperating ModelBackstoryIntelligenceEventsSend Private Inquiry

LEGAL & SECURITY / DATA HANDLING

PUBLIC RECORD / EN

Sensitive information has a defined route.

This statement records the default handling discipline applied to sensitive work. A mandate-specific engagement letter, data-processing agreement, or handling schedule may impose stricter controls.

Effective 13 July 2026

inquire@svperior.com ↗

On this page

  1. 01Governing principles
  2. 02Classification
  3. 03Intake and authority
  4. 04Approved systems and transfer
  5. 05Access and disclosure
  6. 06Working record and delivery
  7. 07Retention, return, and disposal
  8. 08Loss, exposure, and incident handling
  9. 09Client responsibilities

01

Governing principles

Purpose first
Svperior identifies why information is needed, what decision or output it supports, and whether the same result can be achieved with less sensitive material before accepting it.
Minimum necessary
Collection, access, copying, disclosure, and retention are limited to what is proportionate to the accepted scope. Convenience alone is not a sufficient reason to centralize client information.
Need to know
Access follows the responsible discipline, role, task, and period. A person’s seniority or relationship with the client does not create automatic access to every mandate or dataset.
Defined end state
Before intake, Svperior determines the expected deliverable, return or deletion path, legal retention needs, and what evidence of handling must remain.

02

Classification

Public
Information intentionally available without restriction. Public status does not remove intellectual-property, accuracy, purpose, or aggregation risks.
Internal
Non-public operational material whose disclosure would be inconvenient or reveal internal methods, relationships, or planning. Access is limited to the relevant office function.
Confidential
Client, prospect, commercial, legal, technical, personnel, partner, or professional information that requires controlled sharing, approved storage, and a defined retention purpose.
Restricted
Credentials, private keys, recovery material, privileged records, identity documents, financial and health data, vulnerability evidence, live incident data, precise personal exposure, source identities, or other information capable of causing material harm if misused. Restricted data receives a specifically approved channel, access list, and handling plan.

03

Intake and authority

Before accepting sensitive information, Svperior establishes the client and instructing authority, the purpose and scope, relevant people and systems, source and lawfulness, expected categories and volume, destination countries, required recipients, Svperior’s data role, and the return, retention, or deletion requirement.

A client or other provider of information is responsible for having authority to disclose it and to authorize the requested processing. Svperior may require written consent, corporate authority, system-owner permission, a court or regulatory basis, or another form of evidence before proceeding.

  • General inquiry and event forms are not approved routes for credentials, identity documents, breach datasets, vulnerability evidence, privileged files, OSINT scope, or bulk personal data.
  • Personal OSINT, dark-web, or exposure research is defined through a separate written scope after selection and before collection begins.
  • Where data is received unexpectedly or outside scope, Svperior may quarantine, restrict, return, or delete it without substantive review, subject to legal and evidentiary requirements.

04

Approved systems and transfer

  • The channel is selected for the classification and may include an approved encrypted workspace, controlled repository, secure transfer mechanism, or separately agreed communications system.
  • Secrets and decryption material are separated from the material they protect where practicable. Credentials are not requested in ordinary email and should be time-limited, least-privileged, and revoked when no longer required.
  • Multi-factor authentication, device controls, logging, encryption, region selection, and download restrictions are applied where proportionate to the mandate and platform capability.
  • Client material is not placed in the public website CMS, website analytics, marketing systems, public repositories, event pages, or public-facing structured data.
  • Restricted client or prospect information is not entered into a public or shared general-purpose AI service, used to train a model, or retained for unrelated AI improvement without express written authorization and an approved processing arrangement.

05

Access and disclosure

Svperior limits access to the people and providers required for the mandate. Specialists, implementing counsel, infrastructure providers, and other recipients are engaged under appropriate confidentiality, security, purpose, and data-protection terms. Access is removed when the task or relationship ends.

Information is not disclosed to an event sponsor, strategic partner, another client, or a member of a participant group merely because that person or organization is connected to Svperior. Disclosure requires an identified operational need, client authority, contractual permission, or another lawful basis.

06

Working record and delivery

  • Svperior distinguishes source material, working analysis, evidence, privileged or counsel-directed material, and final deliverables so their status and permitted use remain legible.
  • Reports are prepared for the named recipient and approved purpose. Redaction, anonymization, aggregation, watermarking, access expiry, or controlled presentation may be used where the information should not circulate freely.
  • Where a finding could materially increase risk if transmitted, Svperior may present it verbally or through a restricted channel before delivering a written record.
  • Corrections, changes in authority, and contested facts are recorded against the relevant work rather than silently overwritten where an evidentiary trail matters.

07

Retention, return, and disposal

Each mandate should have a retention position proportionate to the work. At closure, Svperior identifies what must be delivered, returned, preserved, minimized, anonymized, or deleted. Temporary and working copies are removed when no longer needed; required professional, financial, security, or evidentiary records remain protected for the applicable period.

Deletion from active systems may precede expiry from encrypted backups, immutable logs, or legal holds. Material in those systems remains access-restricted and is not restored for ordinary use. Physical material is returned or destroyed using a method appropriate to its classification.

08

Loss, exposure, and incident handling

A suspected loss, misdirection, unauthorized access, disclosure, alteration, or unavailability is escalated according to the information and mandate involved. Svperior seeks to contain the condition, preserve relevant evidence, establish scope and consequence, coordinate with the client and responsible providers, and determine contractual, professional, insurance, regulatory, and legal notification requirements.

Notification timing follows applicable law and the accepted mandate. Svperior does not delay a required notice in order to complete a perfect investigation, and it does not make a public statement about a client incident without authority or legal necessity.

09

Client responsibilities

  • Identify the authorized instructing and escalation contacts and notify Svperior promptly when authority changes.
  • Provide accurate classification, ownership, jurisdiction, source, and handling restrictions, including any secrecy, privilege, regulatory, export, employment, health, or contractual constraints.
  • Maintain secure endpoints and accounts used to access shared material; protect links, credentials, and downloaded copies; and revoke access that is no longer appropriate.
  • Avoid sending additional data merely because a channel exists. Ask before expanding the scope, category, source, system, or affected population.
  • Report suspected exposure or misdelivery immediately through the agreed security contact and preserve relevant evidence.

Operating statements

The complete public boundary.

Client Privacy

The personal-data notice, including categories, purposes, recipients, international transfers, retention, and rights.

Read statement →
Security Posture

The security boundary applied to the public site, communications, applications, and mandate environments.

Read statement →
Legal & Security

The company identity, website terms, engagement boundary, and controlling legal position.

Read statement →

Svperior GmbH. There's no room for second place.

Backstory · Leadership · Events · Legal & security · Client privacy · Inquire ·