This document describes, in plain language, how AYCAS Studios stores, protects, uses, and returns the information the Client shares with us during Discovery and any subsequent engagement. It sits alongside the executed Mutual NDA and NCNDA and is intended to be read by operators and decision-makers, not lawyers.
01 · What we consider Client data
Any information the Client supplies to us in any form, or that we produce on the Client's behalf during the engagement, including:
- Counterparty names and contact details (suppliers, buyers, bankers, logistics, inspection partners);
- Commercial terms, pricing, margins, and trade finance positions;
- Contracts, proposals, and correspondence drafted for the Client;
- Compliance artefacts — licences, certificates, registrations, KYC packs;
- Personnel, shareholder, and governance records;
- Any work product (brand assets, website code, SOPs, dashboards) produced under the engagement.
02 · Where Client data is stored
Client data is stored in the Client's own Google Workspace (Drive) wherever possible — meaning the Client owns the storage and the access. Where AYCAS Studios must hold copies for operational reasons, those copies live in a dedicated AYCAS Studios workspace subject to the controls below.
- Primary storage: Client-owned Google Drive folder, provisioned to the Client at the start of the engagement.
- Working copies: AYCAS Studios Google Workspace, limited to the engagement team, segregated by client.
- Code & site assets: Private Git repositories under the AYCAS Studios account; only the engagement team has access.
- No personal devices: Client data is not copied to personal laptops, external drives, or personal email.
03 · Who has access
Access is limited to the engagement team by name. Every person with access is bound by confidentiality obligations at least as strict as the executed NDA. The AI agents used to accelerate the work are also scoped — each operates on the Client's folder under documented instruction, and their actions are logged.
- Principal: Augustine Gabaza (AYCAS Studios), single accountable owner.
- Engagement team: named in the Scope of Work at kick-off; updated in writing if the team changes.
- Subcontractors: engaged only with the Client's prior written consent, under equivalent confidentiality obligations.
04 · How data is protected
- Encryption in transit: all data transfer over TLS (Google Workspace, Cloudflare, GitHub standard).
- Encryption at rest: Google-managed encryption on Workspace; repository encryption on Git hosts.
- Two-factor authentication: enforced on every account with Client-data access.
- Access reviews: quarterly review of who has access to which Client folder.
- No secrets in code: any credentials, API keys, or passwords are stored in a secret manager — never committed to code or documents.
05 · How data is used
Client data is used solely to deliver the engagement. It is not used to train any external AI model, not shared with third parties, not used for AYCAS Studios' own marketing without prior written consent, and not repurposed for any other client.
When we use AI agents during the engagement, they operate against the Client's own data in-context and do not retain Client data beyond the conversation or session unless that is an explicit requirement of the engagement (for example, maintaining a persistent deal log for the Client's own use).
06 · Drafts, not sends
No external communication — email to a counterparty, message to a regulator, filing with a bank — is sent by AYCAS Studios on the Client's behalf without the Client's explicit approval of each message. AYCAS Studios drafts; the Client sends. This is a standing rule, not a preference.
07 · Retention & return
- During the engagement: Client data is retained for as long as needed to deliver the engagement.
- On handover: all Client data and work product are transferred to the Client's own storage; a handover index lists every artefact.
- After handover: AYCAS Studios retains a limited working archive (engagement notes, contracts, billing records) for up to three years, solely for audit, reference, and portfolio purposes, subject to the confidentiality obligations in the NDA.
- On request: at any time, the Client may request secure destruction of all copies held by AYCAS Studios. AYCAS Studios will destroy the data within thirty (30) days and confirm destruction in writing.
08 · Incidents
If AYCAS Studios becomes aware of any unauthorised access to, loss of, or disclosure of Client data, it will:
- notify the Client by the fastest available channel within twenty-four (24) hours of becoming aware;
- provide a written incident report within seventy-two (72) hours, covering scope, cause, containment steps, and next actions;
- cooperate fully with any investigation the Client chooses to conduct.
09 · Regulatory alignment
This policy is designed to be consistent with the Protection of Personal Information Act (POPIA) of South Africa and the Data Protection Act of Zimbabwe. Where the Client is subject to any additional regulatory framework (for example, a specific bank's vendor risk requirements), AYCAS Studios will, on reasonable request, align this policy to those requirements.
10 · Contact
Any concern, question, or request related to this policy — including data subject access requests, deletion requests, or incident reports — should be addressed to:
Augustine Gabaza · Principal, AYCAS Studios
Email: agabaza@aycas.co.zw
Phone / WhatsApp: +263 777 299 904
Postal: AYCAS Investments (Pvt) Ltd, Rosedale, 208–209 Sam Nujoma Street, Harare, Zimbabwe
Nature of this document. This is a statement of AYCAS Studios' commitments to the Client on information handling. It is not a substitute for any specific data processing addendum the Client may require for regulatory purposes. If the Client's counsel or compliance team needs this re-cast as a formal DPA, AYCAS Studios will accommodate that.