Legal & trust center.
Our policies, certifications, and the controls your security team will want to review.
Last updated · January 2026 · Portfolio concept — illustrative.
Privacy policy
We process customer data solely to provide the service, under your instructions as the data controller. We don't sell data, and we use the minimum necessary for any purpose.
Your data, your control
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Granular RBAC and an immutable audit log
- Export and deletion on request
Terms of service
Use of Northwind is governed by your order form and our master subscription agreement. Service levels, support tiers, and uptime commitments are defined by your plan.
Acceptable use
No unlawful use, no attempts to bypass security, and no activity that degrades the service for others. We provide notice before material changes to these terms.
Sub-processors
We use a small set of vetted infrastructure providers to deliver the service. Each is bound by data-protection terms; the current list is available to customers under NDA.
| Provider | Purpose | Region |
|---|---|---|
| Cloud infrastructure | Compute & storage | US / EU / APAC |
| Email delivery | Transactional notifications | US / EU |
| Error monitoring | Reliability | EU |
Data residency
Choose where your data lives across 12 regions, with isolation between customers at the storage layer. Enterprise customers can run fully self-hosted, or use self-hosted runners so sensitive data never leaves your VPC.