Occam

UNIFY • SIMPLIFY • AMPLIFY

Data Privacy

Back to Occam Agent

Occam Agent — Data Privacy & Security Statement

Effective Date: February 10, 2026
Applicable Region: New Zealand
Prepared for: Occam Customers

Overview

Occam Agent is an AI-powered natural language interface that allows you to interact with your business data using conversational queries. This statement explains how your data is collected, processed, stored, and protected when you use Occam Agent.

Key Principle: Your business data remains under your control within your existing Occam environment. Occam Agent enhances your ability to query and analyze this data without compromising its security or privacy.

How Occam Agent Works

Occam Agent operates as a secure extension of the Occam platform you already use:

  1. You submit a question in natural language through the Occam interface (e.g., "How many site visits did we complete last month?")
  2. Occam Agent interprets your question using advanced AI to understand your intent
  3. The system queries your existing Occam database (read-only access to the RPT reporting schema)
  4. Results are returned to you in a conversational format with context and insights
  5. Your conversation is stored in your Occam operational database for future reference

What Makes This Secure

  • Occam Agent cannot modify your data — it has read-only access to your reporting database
  • All queries are logged and auditable — you can review what questions were asked and what data was accessed
  • Access is restricted — only authenticated users within your organization can use Occam Agent
  • Your data never leaves your control — aside from necessary AI processing (detailed below), all data remains in your Occam environment

Data Collection & Processing

What Data We Collect

Conversation Data: - Questions you ask ("Inputs") - Responses generated by the system ("Outputs") - Metadata: timestamps, user authentication tokens, conversation identifiers

Technical Data: - Authentication: a per-customer access password is used to log in (the password itself is not stored in the Occam Agent database) - Session information to maintain your logged-in state (a signed session cookie) - A short-lived authentication token may be passed via URL during login to support iframe environments - Device and browser information for security monitoring - IP addresses for access control and security

What Data We Do NOT Collect

  • We do not access or process data outside the Occam database
  • We do not track your behavior outside of Occam Agent
  • We do not sell or share your data with third parties for marketing purposes
  • We do not use your business data to train AI models (see AI Processing section below)

Where Your Data Is Stored

Your Occam Database (Existing Infrastructure)

Conversation History: Stored in your operational SQL Server database in New Zealand - Inputs and Outputs from all conversations - Conversation metadata and timestamps

Reporting Data: Your existing business data remains in your Occam database - Occam Agent queries this data but does not copy or move it - Read-only access ensures your source data cannot be modified

Security Measures for Stored Data

Encrypted at rest — All data is encrypted using industry-standard AES-256 encryption
Encrypted in transit — All communications use HTTPS/TLS 1.2+ encryption
Role-based access control — Database access is restricted to authorized system components only
Secure secret management — All passwords, connection strings, and API keys are stored in dedicated secret management systems, never in code or configuration files
Managed identities — Occam Agent uses cloud-managed service identities to authenticate to cloud resources, eliminating the need for stored credentials where possible
Regular backups — Your data is backed up according to your existing Occam backup policy

AI Processing — Anthropic Claude API

Occam Agent uses Anthropic's Claude AI model via their commercial API to interpret your questions and generate natural language responses. Here's what happens when you use the AI:

How AI Processing Works

  1. Your question and relevant database context are sent to Anthropic's API over an encrypted connection
  2. The AI model interprets your intent, generates SQL queries, and formats results into a conversational response
  3. The response is returned to you within seconds
  4. The interaction is logged in your Occam database

Critical Privacy Protections

Your data is NOT used to train AI models - Anthropic's Commercial Terms of Service (Section B) explicitly state: "Anthropic may not train models on Customer Content from Services" - Our account settings have user feedback disabled, ensuring no conversation data is used for model improvement - We have not joined Anthropic's Development Partner Program

Limited data retention by Anthropic - Anthropic retains API data for 30 days only for trust and safety monitoring (abuse detection, policy violations) - After 30 days, all data is automatically and permanently deleted from Anthropic's systems - This is significantly more restrictive than consumer AI products (e.g., ChatGPT, Claude.ai)

You own your data - Anthropic's terms (Section B) state: "Customer owns its Outputs" and "Anthropic disclaims any rights it receives to the Customer Content" - Any intellectual property in your queries and the AI's responses belongs to you

No third-party sharing by Anthropic - Anthropic does not sell your data or use it for advertising - Data is not shared with other Anthropic customers or the public - Anthropic's Privacy Policy governs their handling of data

Data Processing Agreement - Our use of Anthropic's services is governed by their Data Processing Addendum (DPA), which ensures GDPR-equivalent protections - Anthropic acts as a "data processor" on your behalf, meaning they cannot use your data for their own purposes

Understanding the Distinction: Commercial API vs. Consumer Products

It's important to understand that Occam Agent uses Anthropic's commercial API, not consumer services like Claude.ai. The commercial API operates under strict contractual terms that prevent Anthropic from training on your data, whereas consumer AI services (e.g., free ChatGPT, Claude.ai) may use your inputs to improve their models unless you opt out.

This is a deliberate design choice to ensure your business data receives the highest level of privacy protection.

Access Control & Authentication

Who Can Access Occam Agent

  • Authenticated users only — You must log in with a password to access Occam Agent
  • Iframe-only access — Occam Agent can only be accessed through the Occam platform interface
  • Direct browser access is blocked — Attempting to access Occam Agent directly in a web browser (outside of Occam) will be denied with a "403 Forbidden" error
  • Session management — Sessions expire after a fixed maximum age (currently 24 hours), requiring re-authentication

Security Features

Password-based authentication — The access password is stored in secure secret storage (Azure Key Vault) and is compared on login; it is not stored in the Occam Agent database
HTTPS enforced — All communications are encrypted in transit
Content Security Policy — Browser-level security headers prevent clickjacking and code injection attacks
Frame-ancestors policy — Only the authorized Occam domains can embed Occam Agent in an iframe
Referrer validation — The system validates that requests originate from authorized Occam domains
Sec-Fetch-Dest headers — Modern browser security signals are used to detect and block unauthorized access attempts

Data Retention & Deletion

Conversation Data (Stored in Your Database)

  • Retention period: Indefinite, until you choose to delete
  • How to delete: You can delete individual conversations through the Occam interface, or request bulk deletion by contacting your Occam administrator

AI Processing Data (Stored by Anthropic)

  • Retention period: 30 days maximum
  • Automatic deletion: All data is automatically and permanently deleted from Anthropic's systems after 30 days
  • Purpose of retention: Trust and safety monitoring only (e.g., detecting policy violations, abuse, or security threats)

Technical Logs

  • Application logs: Retained for troubleshooting and security monitoring, according to Occam's operational logging policy
  • Logs are designed to avoid: Passwords, connection strings, and other secrets
  • Logs may contain: Timestamps, request metadata, and error messages required for troubleshooting

Compliance & Legal Framework

New Zealand Privacy Act 2020

Occam Agent complies with the New Zealand Privacy Act 2020, including:

  • Principle 1 (Purpose): Data is collected for the explicit purpose of providing AI-assisted data querying services
  • Principle 2 (Source): Data is collected directly from you (the user) and your existing Occam database
  • Principle 3 (Collection): You are informed about data collection through this statement
  • Principle 5 (Storage & Security): Data is stored securely with encryption and access controls
  • Principle 6 (Access): You can request access to your stored conversations at any time
  • Principle 7 (Correction): You can request correction or deletion of inaccurate data
  • Principle 11 (Disclosure): Data is only disclosed to Anthropic for AI processing, as described in this statement

International Data Transfers

  • Primary storage: New Zealand
  • AI processing: United States (Anthropic's infrastructure)
  • Data transferred to the US is protected by Anthropic's DPA and contractual commitments
  • Standard Contractual Clauses (SCCs) equivalent protections apply
  • Data is retained for 30 days maximum and then deleted

GDPR-Equivalent Protections

While Occam Agent is primarily used in New Zealand, Anthropic's DPA provides GDPR-equivalent protections, including: - Lawful basis for processing - Data minimization - Purpose limitation - Storage limitation - Data subject rights (access, correction, deletion, portability)

Your Rights

You have the right to:

Access your data — Request a copy of your conversation history stored in Occam Agent
Correct your data — Request correction of inaccurate information (note: AI-generated Outputs may contain inaccuracies; if they relate to you personally, you can request correction)
Delete your data — Request deletion of individual conversations or your entire conversation history
Withdraw consent — Stop using Occam Agent at any time
Lodge a complaint — Contact the New Zealand Privacy Commissioner if you believe your privacy rights have been violated

To exercise your rights: Contact your Occam administrator

Security & Privacy Technical Implementation

For technical experts evaluating this system, here is a summary of the security controls:

Security Controls: - Authentication: Per-customer access password (stored in Azure Key Vault) with secure session management - Authorization: Controlled access enforcement via security headers and content security policies - Encryption in transit: Industry-standard TLS encryption for all communications - Encryption at rest: AES-256 encryption for database storage and secrets - Network security: Cloud-managed network isolation with HTTPS-only access - Database security: Read-only database access via dedicated service accounts with minimal required permissions

Updates to This Statement

This privacy and security statement may be updated from time to time to reflect changes in: - Our data practices - Legal or regulatory requirements - Security improvements - Third-party service terms

How you'll be notified: - Material changes will be communicated by your Occam administrator - The "Effective Date" at the top of this document will be updated - Previous versions will be archived and available upon request

Current version: February 10, 2026

Contact & Questions

For questions, concerns, or requests regarding your data privacy and security:

Occam Support:
Email: info@occam.works

New Zealand Privacy Commissioner:
Website: https://www.privacy.org.nz
Phone: 0800 803 909

Anthropic Privacy Inquiries:
Email: privacy@anthropic.com
Website: https://www.anthropic.com/legal/privacy

References & Further Reading

Last Updated: February 10, 2026
Version: 1.0