Procurement-facing

Compliance Package

Hire by No Human Nearby. Zero-retainer API for strategic deliverables. This document consolidates the architectural, contractual, and operational facts your CISO, procurement lead, and counsel typically need to sign off on an engagement.

Last updated: 2026-04-25

1. Data retention. Zero.

Hire operates a stateless processing architecture. Customer-supplied input artifacts (text, files, structured data) are loaded into memory at the moment of job execution, processed against the catalog item's defined output template, and discarded at the moment of delivery. The system does not persist customer content to disk, durable cache, archival storage, or backup.

The transaction's persistent record contains four fields and only four fields: a transaction identifier, an ISO-8601 timestamp, the catalog item identifier, and a SHA-256 hash of the original input. The hash exists so that you can verify what was sent without us retaining what was sent. Content is never retained.

Operational consequence: a breach of our database tier exposes transaction metadata, never customer content. The architecture removes the entire class of incident where a vendor data breach discloses your strategic memos, financial statements, or HR documents.
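
A customer-side check of the four-field record described in section 1, as an added example that is not Hire's own code: it confirms that a record holds only those four fields and that a locally kept copy of the input hashes to the recorded SHA-256. The field names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import re
from datetime import datetime

# Field names are assumptions; the page only states what the four fields hold.
EXPECTED_FIELDS = {"transaction_id", "timestamp", "catalog_item_id", "input_sha256"}
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def sha256_stream(stream, chunk_size=65536):
    """Hash a binary stream in chunks so large artifacts are never fully in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def check_record(record, artifact_stream):
    """Return a list of findings; an empty list means the record checks out."""
    findings = []
    extra = set(record) - EXPECTED_FIELDS
    missing = EXPECTED_FIELDS - set(record)
    if extra:  # anything beyond the four fields means more was retained than stated
        findings.append(f"unexpected fields retained: {sorted(extra)}")
    if missing:
        findings.append(f"missing fields: {sorted(missing)}")
        return findings
    try:
        datetime.fromisoformat(record["timestamp"])
    except (TypeError, ValueError):
        findings.append("timestamp is not ISO-8601")
    recorded = str(record["input_sha256"]).lower()
    if not HEX_SHA256.fullmatch(recorded):
        findings.append("input_sha256 is not a 64-character hex digest")
    elif not hmac.compare_digest(recorded, sha256_stream(artifact_stream)):
        findings.append("hash mismatch: local artifact differs from what was recorded")
    return findings


# Constructed sample data, not a real transaction.
SAMPLE_INPUT = b"Q3 board memo draft v2\n"
SAMPLE_RECORD = {
    "transaction_id": "txn-0001",
    "timestamp": "2026-04-25T14:03:11+00:00",
    "catalog_item_id": "item-placeholder",
    "input_sha256": hashlib.sha256(SAMPLE_INPUT).hexdigest(),
}

if __name__ == "__main__":
    print(check_record(SAMPLE_RECORD, io.BytesIO(SAMPLE_INPUT)))
```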

2. Stateless security architecture.

Each job is an isolated, atomic transaction. The processing tier holds no shared customer context across jobs. There is no customer profile being built. There is no behavioral signal being aggregated. There is no fine-tuning happening on your inputs.

We achieve SOC-2-equivalent security posture through architectural elimination rather than control attestation: most of the controls a SOC-2 auditor verifies exist to manage risks created by long-lived customer-content stores. We do not operate one. The risks those controls mitigate are absent in our architecture.

For your auditor: we provide architectural documentation, transaction-log samples, and operational evidence on request. We do not currently hold a SOC-2 Type II attestation. Our position is that the architectural posture is materially stronger than typical SOC-2-attested vendors that operate persistent customer-content stores. Your auditor may agree or disagree; we will provide whatever evidence supports the conversation.

3. Model training. None of your data.

Customer inputs are never used to train, fine-tune, distill, or otherwise improve any model in our processing pipeline. The architectural prohibition is absolute, not contractual.

Operational consequence: there is no path by which your strategic content, financial data, or proprietary document templates could appear, in whole or in part, in any future output we deliver to any other customer.

4. Cross-tenant isolation.

Cross-tenant data exposure is architecturally precluded. Because each job processes in isolation with no persistent customer context, there is no mechanism for one customer's inputs or outputs to surface in another customer's transaction.

Vendor risk note: the typical SaaS multi-tenant data leakage incident requires a shared datastore and an access control failure. We have neither.

5. Data residency.

Job processing occurs on dedicated hardware under our direct operational control, inside the United States. Inputs do not traverse third-party AI vendor APIs. There is no cross-border data movement in the job-execution path.

For regulated workloads: if your regulatory regime requires explicit residency attestation, we provide it on request as part of the engagement onboarding.

6. Audit trail.

Available on request: per-transaction logs containing transaction ID, timestamp, authenticated customer account, catalog item identifier, content hash, payment reference, and delivery confirmation. Logs do not contain input or output content.

Retention period: seven years for transaction metadata, supporting standard financial-record retention requirements. Content is never retained, regardless of audit context.

7. Refund terms and SLA.

Every catalog item ships with a documented refund-eligibility specification: the structural elements the deliverable must contain, the delivery time commitment, and the conditions under which a refund is granted without arbitration. The specifications live on the public job page for each catalog item.

SLA on tier-1 (deterministic) jobs: 99.5% completed within stated delivery time. Tier-2 (structured-generative) and tier-3 (generative-nuanced) jobs ship under best-effort timing with explicit refund paths if delivery exceeds documented bands. See the catalog legend for tier definitions.

8. Pricing and contractual structure.

Hire is purchased per deliverable. There are no monthly minimums, no contractual lock-in periods, no auto-renewing seats, no tier-based feature gating. Each catalog item has a single fixed price.

Operational consequence: the procurement burden is reduced to standard purchase-order or expense-report workflows. No master service agreement is required for catalog purchases. Enterprise volume agreements (consolidated billing, dedicated invoicing, pre-paid credits) are available on request.

9. Catalog scope.

The catalog ceiling is not a roadmap limitation. It is a quality contract. Hire offers 76 vetted job types across 16 categories. Every catalog addition passes an 8-step internal vetting process before reaching customers. The vetting methodology is published openly at the Confidence Framework page.

For your team: if your routine deliverable is not in the catalog and you believe it should be, the email below routes to product. If it is genuinely not in the catalog and the architectural fit is wrong, we will say so directly. The graceful-graduation page documents the categorical exclusions.

10. Bus-factor and continuity.

Hire is a small operation. Enterprise procurement reasonably asks what happens to purchased deliverables and undelivered orders if the operating company exits, fails, or is acquired. Three structural mitigations attach automatically to any engagement at or above $5,000 of pre-purchased commitment:

  • Source escrow. Job-execution code, catalog definitions, infrastructure-as-code, and local-inference model weights placed in third-party escrow. Releases on insolvency, sustained outage beyond SLA cure period, or material breach.
  • Acquisition poison-pill. On any change of control, zero-data-retention, no-training-on-customer-inputs, and fixed-per-deliverable pricing survive without modification. If the acquirer refuses, the engagement converts to a customer-controlled exit with escrow release plus pro-rated refund.
  • Architectural posture preservation. Stateless processing, on-premises inference, and metadata-only audit trail are contractually binding constraints, not marketing claims. The vendor cannot drift to a persistent-state SaaS without the customer's signed acceptance.

The escrow and poison-pill templates are shared across the No Human Nearby enterprise suite (REDLINE, DATAROOM, COVENANT) and adapted with light modification for Hire engagements.

Full continuity package: /enterprise/continuity documents trigger conditions, redline scope, and the engagement threshold in detail.

Procurement next step

The fastest path to engagement: route a low-stakes deliverable through the catalog at standard per-job pricing, validate output quality and operational fit, then expand. No master agreement required for the validation phase.

If your team needs a specific control attestation, contractual rider, or bespoke procurement process before the validation phase can begin, contact [email protected]. We respond inside one business day.

This document is informational. Specific contractual terms are negotiated per engagement. Where this document conflicts with an executed agreement, the executed agreement governs.
