Dataix’s offline architecture and documented legal framework are designed to protect client organizations at every stage of every engagement.
The professional services industry is confronting a foundational question: what happens to client data after a vendor touches it? When a firm embeds itself in your systems, accesses your networks, or holds ongoing credentials to your infrastructure, the data it encounters does not exist in isolation. It exists within a firm that has competing interests, other clients, and its own business development objectives.
Dataix was built around the opposite principle. We receive only the specific data exports you provide for a defined engagement. We process them offline in a controlled environment with no network connectivity. We hold no credentials to your systems, maintain no ongoing access, and have no mechanism by which client data could flow to any other purpose. When the engagement ends, the data is destroyed on a documented schedule.
This is not a compliance posture. It is the foundational architecture of the practice. Every structural decision at Dataix, from offline processing to de-identified data intake to engagement-scoped rather than ongoing access, follows from the same principle: the safest data relationship is one where exploitation is structurally impossible, not merely prohibited.
Dataix is built on an offline, zero-integration model. We require no access to client systems, no network connectivity, no login credentials, and no software installation. Clients provide exported data files which we process entirely off-network in a controlled environment. Because we never connect to client infrastructure, we cannot introduce risk to it. This architecture eliminates the most common vectors of vendor security exposure before they exist.
We never receive credentials or connect to client networks, EHRs, or billing systems.
All reconciliation runs off-network in a controlled environment, isolated from external connectivity.
We request only the specific data required for the engagement, and nothing more.
Wherever possible, Dataix works from de-identified data or limited data sets, reducing exposure of protected health information. When an engagement requires identifiable data, all handling is governed by a signed Business Associate Agreement executed prior to any data transfer. Data is encrypted in transit and at rest, retained only for the duration of the engagement, and securely destroyed upon completion in accordance with the engagement agreement.
Clients may provide a SHA-256 cryptographic hash of each raw data export at the moment of extraction. On receipt, Dataix re-hashes every file and compares the values before analysis begins. Any mismatch is flagged to the client and resolved before the engagement proceeds.
Every engagement maintains an audit trail recording input hashes, processing steps, and versioning. Each findings package includes a methodology and integrity appendix, so the path from raw export to documented finding can be reviewed end to end.
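The intake integrity check and the first audit-trail entry described above, as an added example that is not Dataix's own tooling: a client-supplied sha256sum-style manifest is re-hashed on receipt, every file is classified (match, mismatch, missing, or unexpected), and the outcome is recorded with the input hashes before any analysis runs. The manifest format, file names, engagement id and record layout are assumptions.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_manifest(text: str) -> dict:
    """Parse a sha256sum-style manifest: one '<hex digest>  <filename>' per line."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest, name = digest.lower(), name.strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest
    return manifest

def verify_exports(manifest_text: str, received: dict) -> dict:
    """Re-hash each received file against the client's manifest. Every file name gets one
    status: match, mismatch, missing (listed, not received), unexpected (received, not listed)."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, want in expected.items():
        got = sha256_hex(received[name]) if name in received else None
        status = "missing" if got is None else ("match" if got == want else "mismatch")
        results[name] = {"status": status, "expected": want, "actual": got}
    for name in received.keys() - expected.keys():
        results[name] = {"status": "unexpected", "expected": None,
                         "actual": sha256_hex(received[name])}
    return results

def intake_audit_record(engagement_id: str, results: dict) -> dict:
    """First audit-trail entry for an engagement: input hashes plus a go/no-go flag."""
    return {"engagement": engagement_id, "step": "intake-integrity-check",
            "recorded_at": datetime.now(timezone.utc).isoformat(), "inputs": results,
            "proceed": all(r["status"] == "match" for r in results.values())}

# Constructed sample data, not real client exports. EXTRACTED is what the client hashed at
# extraction; RECEIVED is what arrived: remits lost a row, eligibility is absent, notes.txt is extra.
EXTRACTED = {
    "claims_2023q4.csv": b"claim_id,billed\n1001,250.00\n1002,80.00\n",
    "remits_2023q4.csv": b"remit_id,paid\n5001,240.00\n5002,80.00\n",
    "eligibility_2023q4.csv": b"member_id,status\nM1,active\n",
}
SAMPLE_MANIFEST = "\n".join(f"{sha256_hex(b)}  {n}" for n, b in EXTRACTED.items())
RECEIVED = {
    "claims_2023q4.csv": EXTRACTED["claims_2023q4.csv"],
    "remits_2023q4.csv": b"remit_id,paid\n5001,240.00\n",
    "notes.txt": b"exported by J. Doe\n",
}
```

Running `intake_audit_record("ENG-EXAMPLE-001", verify_exports(SAMPLE_MANIFEST, RECEIVED))` yields `proceed: False`, which is the condition under which the mismatch is flagged back to the client before work continues.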
Dataix maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule. Every client engagement involving protected health information is governed by a Business Associate Agreement. Our policies, access controls, and data handling procedures are designed to meet or exceed HIPAA requirements for a business associate.
Dataix’s infrastructure is hosted on enterprise cloud providers that maintain SOC 2 Type II and ISO 27001 certifications. Dataix is actively building toward its own SOC 2 attestation as part of a formal, staged compliance program, with controls implemented across data handling, access management, and operational security. Engagements proceed under our BAA and offline architecture while this attestation matures. We are happy to share our current security posture, completed vendor security questionnaires, and our BAA upon request.
Documentation available to prospective clients under NDA: security questionnaire, BAA, data handling policy.
Findings from every Dataix engagement are prepared for attestation under AICPA AT-C 215 (Agreed-Upon Procedures) by an independent CPA partner. Deliverables are structured as documented, claim-level findings — not a software report.
Before any data is exchanged, Dataix executes a Statement of Work defining the precise scope of the engagement, deliverables, timeline, and fee structure. A Business Associate Agreement is executed simultaneously, establishing the legal framework for data handling. No data is received without both documents fully executed.
Raw client data files are destroyed within 90 days of engagement completion. Engagement deliverables are retained for seven years as required for professional services compliance. Clients may request early destruction of raw data files at any time in writing. Destruction is documented and confirmed.
The Firm’s governance policies — security questionnaire, Business Associate Agreement, and data handling policy — are available to prospective clients under NDA. Request them at compliance@dataixai.com.
Security or compliance questions: compliance@dataixai.com