Data Governance
Responsible data practices across all research
Our data governance policy defines how we handle, store, and use data in research — including our commitments to data minimization, security, and responsible use in AI development.
CredenceX AI Research Lab manages data to support scientific quality, privacy protection, responsible reuse, and compliance with applicable legal, ethical, and contractual obligations. Our data governance spans acquisition, access, documentation, storage, retention, sharing, and secure disposal.
Scope
This policy applies to:
- Research datasets used for model development and evaluation.
- Derived datasets (e.g., curated subsets, annotations, embeddings).
- Metadata, labels, and documentation.
- Operational data collected via the website (limited to necessary communications).
Core Principles
CredenceX applies the following principles:
- Purpose limitation: use data only for legitimate, stated purposes consistent with permissions and consent conditions.
- Data minimization: collect and retain only what is necessary.
- Access control: restrict sensitive data to authorized personnel with a legitimate need.
- Security by design: use safeguards proportionate to sensitivity and risk.
- Provenance and documentation: maintain dataset documentation, versions, and processing records where feasible.
- Accountability: document decisions on access, sharing, and restrictions.
Data Classification
CredenceX assigns data to one of the following classification levels to guide handling, access, and sharing decisions:
| Classification | Description |
|---|---|
| Public | Materials intended for open dissemination, such as published papers, public documentation, and non-sensitive project summaries. |
| Internal | Operational or research data for authorized CredenceX personnel with a legitimate need, not intended for public release. |
| Restricted | Datasets or outputs subject to contractual, ethical, legal, or partner-imposed limits on access and reuse. |
| Sensitive | Health-related, identifiable, or high-risk data requiring enhanced security, logging, and approval controls. |
Retention and Access Approval
CredenceX applies the following workflows for data lifecycle management:
Retention
Data is retained only for as long as needed to support stated research, legal, contractual, or operational purposes. When retention periods expire or data is no longer required, secure disposal or de-identification is performed in line with classification requirements and documented procedures.
Access Approval
Access to internal, restricted, or sensitive data requires documented approval from data owners or designated governance leads. Approved access is logged, limited to the minimum necessary scope, and reviewed periodically or when roles or project needs change.
Sensitive and Health-Related Data
For sensitive or health-related data, CredenceX applies additional safeguards such as:
- Controlled access workflows and logging.
- De-identification or pseudonymization where appropriate and permissible.
- Strict separation of identifiers from analytical data when feasible.
- Clear documentation of restrictions on reuse and redistribution.
Data Sharing and Openness
CredenceX supports open science where appropriate, but openness must be balanced with privacy, consent, security, and misuse considerations. When data cannot be shared openly, we aim to:
- Explain the constraint (privacy, contractual, legal, ethical, or security).
- Share derived artifacts where feasible (e.g., code, model cards, synthetic examples, documentation).
- Consider controlled-access or restricted sharing mechanisms when appropriate.
Incident Response
CredenceX treats suspected data incidents seriously. When an incident is identified, we seek to promptly assess scope, mitigate risk, document actions taken, and update controls to prevent recurrence, consistent with applicable obligations.
Effective Date: March 2026
Questions about our data governance practices?
Contact Us