Contents
- Our security posture
- Data residency & sovereignty
- Regulatory alignment
- Security architecture
- Access controls & authentication
- Sub-processors
- Data lifecycle & retention
- Model governance & auditability
- Incident response
- Business continuity
- Certifications & roadmap
- Vulnerability disclosure
- Contact the DPO
1. Our security posture
Master Art Index operates at the intersection of illiquid asset valuation and institutional capital markets. Our users — private banks, insurers, auction houses, lenders, and family offices — entrust us with data that directly informs collateral decisions, underwriting, and portfolio mark-to-market. We treat that trust as a non-negotiable design constraint.
Our security program is organized around five principles: data minimization, default-deny access, defense in depth, auditability, and transparent governance. Every architectural decision, every vendor relationship, and every model change is evaluated against these principles.
In plain language: We collect only what we need, restrict access according to the principle of least privilege, layer defenses rather than relying on a single control, log everything that matters, and tell you clearly what we are doing and with whom.
2. Data residency & sovereignty
All customer data is hosted on Amazon Web Services infrastructure in the Canada (Central) region, located in Montreal (AWS ca-central-1). This choice is deliberate and strategic for three reasons:
- Canadian jurisdiction. Data stored in ca-central-1 is governed by Canadian federal law (PIPEDA) and Quebec provincial law (Law 25 and the Civil Code of Quebec), providing a clear, predictable legal framework for data subjects and controllers.
- Non-submission to the US CLOUD Act. Data held in AWS Canadian regions, for Canadian entities, is not subject to compulsory disclosure under the United States Clarifying Lawful Overseas Use of Data Act. This matters for European and Canadian institutions that explicitly require non-US data residency in their vendor assessments.
- Latency & availability. ca-central-1 provides multi-Availability-Zone redundancy within Canada, ensuring high availability without cross-border replication.
Backups are stored encrypted in the same jurisdiction. No customer data is replicated to US, European, or Asian regions without a documented, consented purpose and a completed privacy impact assessment.
3. Regulatory alignment
Master Art Index is designed to align with the privacy and data protection requirements of the jurisdictions in which our users operate:
Canada
- PIPEDA — Personal Information Protection and Electronic Documents Act (federal).
- Quebec Law 25 — Act respecting the protection of personal information in the private sector (as modernized by former Bill 64), including the requirement to conduct privacy impact assessments for cross-border transfers.
European Union & United Kingdom
- GDPR — General Data Protection Regulation (Regulation EU 2016/679), including Articles 28 (processor obligations), 32 (security of processing), and 33 (breach notification).
- UK GDPR — applicable to UK-based data subjects.
United States
- CCPA / CPRA — California Consumer Privacy Act, as amended by the California Privacy Rights Act.
- State-level financial privacy frameworks applicable to institutional clients, including GLBA where relevant.
For detailed operational procedures around consent, data subject rights, retention, and breach notification, please refer to our Privacy Policy, which is the operative document for exercising your rights.
4. Security architecture
Our technical controls are organized into four layers:
Encryption
AES-256 encryption at rest for all stored data (databases, backups, object storage). TLS 1.2 or higher enforced for all data in transit. Encryption keys managed via AWS KMS with rotation policies.
Network isolation
Production workloads deployed in private VPC subnets with no direct internet exposure. All inbound traffic flows through managed load balancers with WAF rules. Outbound traffic restricted to allow-listed destinations.
Logging & monitoring
Centralized logging of access events, authentication attempts, model inference calls, and administrative actions. Retention and integrity guarantees aligned with forensic best practices.
Secrets management
No credentials, API keys, or secrets in source code. All secrets stored in encrypted secret stores with audit trails and scoped access tokens. Rotation enforced on a scheduled basis.
5. Access controls & authentication
Access to production systems follows a strict principle of least privilege. No team member has standing production access; elevated access is granted temporarily, logged, and reviewed.
- Multi-factor authentication is enforced for all internal accounts, including email, cloud console, source code, and administrative interfaces.
- Role-based access control segregates engineering, operations, and support duties. Access rights are reviewed quarterly and revoked on role change or departure.
- Production data access is gated behind explicit approval workflows. Direct database access in production is disabled by default and requires a documented incident or investigation rationale.
- Endpoint hardening. All employee devices enforce full-disk encryption, automatic security updates, and screen lock timeouts.
6. Sub-processors
In line with GDPR Article 28 and the transparency requirements of Quebec Law 25, we disclose the full list of third parties that process personal or customer data on our behalf. Sub-processors are bound by written data processing agreements requiring equivalent levels of protection.
| Sub-processor | Service | Purpose | Data location |
|---|---|---|---|
| Amazon Web Services | Infrastructure & hosting | Production workloads, databases, backups, object storage, and encrypted key management for the Master Art Index platform. | Canada (ca-central-1) |
| Anthropic PBC | Vision-language model inference | Semantic extraction of visual and iconographic attributes from artwork images, as part of the Drafter-Auditor-Expert pipeline. Inputs are scoped to the image and public metadata; no personal data is transmitted. | United States |
| Netlify Inc. | Website hosting & form processing | Marketing website delivery, static asset CDN, and initial capture of beta access form submissions. Submissions are retrieved and processed within our infrastructure. | United States |
| Microsoft Corporation (Microsoft 365) | Business email & collaboration | Professional email, document collaboration, and calendar services for the Master Art Index team. Subject to Microsoft's enterprise data protection commitments. | Multi-region (EU & US available) |
We will notify active users of any material change to this sub-processor list at least 30 days before it takes effect. Where a sub-processor change creates a cross-border transfer not previously disclosed, we will complete a fresh privacy impact assessment under Quebec Law 25 before implementation.
7. Data lifecycle & retention
We design every data flow around a clear answer to four questions: why do we need this, who can access it, how long do we keep it, and how is it destroyed?
Collection
We collect only data that is strictly necessary to deliver the service or qualify access. We never request government identifiers, payment card data, banking credentials, or sensitive special-category data as defined under GDPR Article 9.
Processing
Artwork images and metadata submitted for valuation are processed through our Drafter-Auditor-Expert pipeline. Images transmitted to our vision-language model sub-processor are scoped to the minimum context required for valuation and are not retained by the sub-processor for training purposes.
Retention
- Beta access applications — 24 months from submission, then anonymized or destroyed.
- Active customer records — duration of the commercial relationship plus 7 years for tax and accounting compliance under Canadian law.
- Valuation inputs (artwork images and metadata) — retained during active processing and for a defined post-processing period documented in the customer agreement, then destroyed.
- Aggregated, de-identified statistics — retained indefinitely for model improvement, provided re-identification is not reasonably possible.
- Technical logs — up to 12 months for security and diagnostic purposes.
Destruction
On retention expiry or user request, personal data is permanently destroyed through cryptographic erasure or overwrite, in accordance with NIST SP 800-88 guidelines for media sanitization. Backup copies are purged on the next scheduled rotation cycle.
8. Model governance & auditability
For institutional deployment, a valuation model is not just a piece of software — it is a decision-support system whose outputs may influence capital allocation, loan-to-value ratios, and underwriting. We design the Master Art Index platform to align with the Federal Reserve's SR 11-7 guidance on Model Risk Management (applicable to US financial institutions) and the Office of the Superintendent of Financial Institutions (OSFI) Guideline E-23 on Enterprise-Wide Model Risk Management (applicable to Canadian federally regulated financial institutions).
Model documentation
Every production model version is documented with its training data provenance, feature engineering steps, validation cohorts, performance metrics, and known limitations. The Drafter-Auditor-Expert architecture is described in detail in our research paper (forthcoming on arXiv and submitted for peer review).
Performance monitoring
We continuously monitor model performance across cohorts (first-sale vs. repeat-sale, by artist, by movement, by subject) to detect drift. Residual analysis by artist and subject is made available to institutional clients as part of the standard reporting package, supporting their own independent model validation.
Human oversight
The Drafter-Auditor-Expert architecture is explicitly designed to keep a human-interpretable layer between the peer-based baseline and the final valuation. Institutional clients can inspect peer selections, feature importances, and the gating decisions that trigger the visual audit, enabling meaningful human review.
Known limitations
We publicly disclose known performance biases, including slight underestimation in high-velocity contemporary segments (such as Pop Art) and slight overestimation in traditional movements (such as Baroque and Rococo). We recommend hybrid workflows — combining the Master Art Index output with traditional appraiser review — for Old Master and pre-1900 works, where our dataset is least representative.
9. Incident response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a confidentiality, integrity, or availability incident:
- Containment is initiated within hours of detection, with a clear chain of command.
- Regulatory notification — where a confidentiality incident presents a risk of serious injury, we notify the Commission d'accès à l'information du Québec as required by Law 25, and affected supervisory authorities in other relevant jurisdictions.
- User notification — affected data subjects are notified without undue delay, in alignment with GDPR Article 33 (72-hour notification window for processors).
- Post-incident review — each incident is followed by a root cause analysis and a remediation roadmap, documented and retained.
10. Business continuity & disaster recovery
We operate with multi-Availability-Zone redundancy within our primary AWS region. Automated backups of all production data are performed on a continuous basis, with integrity checks and restoration drills conducted regularly. Recovery time objective (RTO) and recovery point objective (RPO) targets are set proportionate to the criticality of each system and documented internally.
11. Certifications & roadmap
We believe in honest disclosure of where we are on the path to formal certification. Master Art Index is in its early beta phase, and we prefer to earn certifications at the right moment rather than overstate our current status.
Current status
- No formal SOC 2 or ISO 27001 certification at this time. Our controls are designed against the Trust Services Criteria (Security, Availability, Confidentiality) and the ISO 27002 control families, but we have not yet completed a formal third-party audit.
- Privacy impact assessments are performed for each new cross-border data flow, in alignment with Quebec Law 25.
- Internal control testing is conducted on a scheduled basis with documented findings and remediation.
Roadmap
We are committed to pursuing SOC 2 Type II certification as the platform matures and our first institutional customers are onboarded. The timing will be driven by customer demand and operational readiness rather than by a marketing calendar. Enterprise clients evaluating Master Art Index may request a letter of intent to pursue SOC 2 as part of their vendor due diligence.
Why we are not claiming certifications we do not have: Overstating compliance is a form of misrepresentation that creates legal and reputational risk for both us and our customers. If you need a formal SOC 2 report today, we will tell you honestly that we do not yet have one, and we will work with you on alternative assurance mechanisms such as completed security questionnaires, architectural reviews, or bridge letters.
12. Vulnerability disclosure
We welcome security research conducted in good faith. If you believe you have discovered a security vulnerability in any Master Art Index service, please contact us directly at security@masterartindex.com rather than disclosing it publicly.
We commit to acknowledging reports within 5 business days, keeping researchers informed of remediation progress, and not pursuing legal action against researchers who act in good faith, respect the privacy of our users, and avoid data exfiltration or service disruption.
13. Contact the Data Protection Officer
Master Art Index has a designated Data Protection Officer, responsible for overseeing compliance with privacy regulations and serving as the single point of contact for data subjects, supervisory authorities, and enterprise security teams.
Data Protection Officer
Emmanuel Boursin
Data Protection Officer, Master Art Index Inc.
Email: privacy@masterartindex.com
Jurisdiction: Province of Quebec, Canada
For security vulnerabilities, please use security@masterartindex.com.
If you are an enterprise security team conducting vendor due diligence, we are happy to provide completed security questionnaires, architectural overview documents, and reference calls on request.