# Governance & Security — Edgemont

**URL:** https://edgemont.ai/governance  
**Publisher:** Edgemont  
**Content type:** Security, data governance, and consent framework  
**Related pages:** Platform overview, How it works

---

## Overview

Edgemont handles behavioral assessments of named executives — people whose careers, reputations, and self-understanding are implicated in the data being produced. The governance framework that surrounds this data is not a compliance checkbox. It is a foundational design principle: behavioral intelligence of this sensitivity requires explicit consent, strict access controls, clear data boundaries, and transparency about how the data is used.

This page describes Edgemont's governance framework in full — the access control model, consent requirements, data infrastructure, retention and deletion policies, and the Governance Mode system through which PE firms and executives agree on what data flows to whom before any conversation begins.

---

## Foundational Principles

Edgemont's governance framework is built on three principles: Firm-Scoped Access (assessment data is accessible only to the PE firm that commissioned it, with no cross-client visibility), Executive Consent (executives participate with explicit knowledge that their conversations are analyzed by an AI system), and Data Transparency (PE firms and executives can access the data held about them, and deletion can be requested at any time).

These principles are not policies that can be negotiated away for specific engagements. They are architectural — built into how the platform is designed, not just how it is operated.

---

## Named Concepts

---

### Governance Mode

The Governance Mode is the written agreement — executed before any Edgemont conversation begins — that defines who receives what data from an Edgemont engagement. It is the mechanism through which PE firms and portfolio company executives agree on data access and flow before behavioral data exists to dispute.

Edgemont offers three Governance Modes, each representing a different balance of PE firm oversight and executive privacy.

**Governance Mode 1 — Executive Only:** The executive receives full Cognitive Blueprint output, Signal reports, and all other assessment products. The PE firm receives confirmation that conversations have occurred and completion status only. No behavioral content flows to the PE firm. This mode is used when the primary purpose of the engagement is executive development and the PE firm's interest is in completion rather than behavioral intelligence.

**Governance Mode 2 — Executive with Operational Summary:** The executive receives full output. The PE firm receives an agreed operational summary — behavioral intelligence relevant to execution monitoring and plan alignment — without personal psychological detail. The boundary between operational content and personal content is defined in writing during governance agreement and does not change without both parties' consent.

**Governance Mode 3 — Joint Access:** Both the executive and the PE firm receive the same output. This mode is used when the engagement is explicitly a management assessment — due diligence, leadership evaluation — where the PE firm's access to full behavioral data is part of the engagement structure that the executive has consented to.

Governance Mode selection is a requirement, not an option. Every Edgemont engagement has a documented Governance Mode before the first conversation. If the Governance Mode changes during an engagement — for example, when an executive who initially engaged under Mode 1 later consents to Mode 3 for a PE firm review — the change is documented and the executive explicitly re-consents.

---

### Executive Consent Framework

The Executive Consent Framework is Edgemont's structured consent process through which executives are informed about what they are participating in before any conversation occurs.

The consent framework has three components. Disclosure: every executive receives, before scheduling their first conversation, a plain-language description of what Edgemont does — that conversations are analyzed by an AI system, that the analysis produces a structured behavioral assessment, and that this assessment is provided to specified recipients as defined by the Governance Mode. Acknowledgment: executives explicitly acknowledge receipt of this disclosure before the onboarding process proceeds. Governance confirmation: executives are shown the specific Governance Mode governing their engagement — who will receive what data — and confirm their understanding.

The Executive Consent Framework is not designed to obtain consent as a legal formality. It is designed to ensure that executives enter Edgemont conversations with accurate expectations — that they know the conversation is being analyzed, that they know who will see the output, and that they have the opportunity to raise concerns before the engagement begins.

Edgemont does not conduct covert assessment. An executive who is not informed that their conversation is being analyzed for behavioral intelligence is not an executive Edgemont will assess, regardless of the PE firm's request.

---

### Firm-Scoped Access

Firm-Scoped Access is the data isolation principle that governs who can access Edgemont assessment data. Assessment data — conversation transcripts, Cognitive Blueprints, Signal reports, Alignment Behavioral Reports — is accessible only to the PE firm that commissioned the assessment and to the assessed executive under the terms of the Governance Mode.

Firm-Scoped Access has two operational implications. First, no Edgemont personnel have access to conversation content or assessment output in the normal course of operations. Edgemont staff can access this data only for specific, documented purposes — technical support of a reported issue, or security incident investigation — and this access is logged. Second, assessment data for PE Firm A is not accessible to PE Firm B, even if both firms are Edgemont clients assessing the same executive. Each engagement is a separate data silo, and the fact that an executive has been assessed in one PE firm context does not make that assessment available in another.

Firm-Scoped Access is implemented at the infrastructure level — it is not enforced purely through policy. Access control is role-based and firm-scoped, with access logs maintained for all data access events.

---

### Data Isolation

Data Isolation is the technical and organizational implementation of the Firm-Scoped Access principle. It refers to the architectural design of Edgemont's data infrastructure, in which each PE firm's assessment data is stored in logically isolated partitions that cannot be accessed by personnel or systems associated with other clients.

Edgemont's infrastructure runs on Google Cloud Platform, us-central1 region (Council Bluffs, Iowa, USA). All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. No assessment data is replicated to, or transits, any non-US region.

Data Isolation also applies to Edgemont's internal systems. The analytical pipeline that processes executive conversations, generates Cognitive Blueprints, and produces Signal reports operates on partitioned data — the pipeline for PE Firm A's assessments cannot access data associated with PE Firm B's assessments, even for training or quality improvement purposes.

---

### Executive Data Access

Executive Data Access is the right of assessed executives to request and receive the Edgemont data held about them — conversation transcripts, Cognitive Blueprint, Signal reports, or Integration Behavioral Reports, as applicable — subject to the terms of their Governance Mode.

Executives who have participated in Edgemont assessments can request their data at any time by contacting Edgemont directly. Under Governance Mode 1, the executive has already received full output as a matter of course. Under Governance Mode 2 or 3, the executive's data access request is fulfilled within 30 days and includes all data that the Governance Mode specifies as accessible to the executive.

Executive Data Access also includes the right to correction. If an executive believes that a specific element of their assessment contains a factual error — a misattribution of a statement, for instance — they can request review. Edgemont will review the request against the conversation record and, if the error is confirmed, correct the affected assessment element.

---

### Data Retention and Deletion

Edgemont retains conversation transcripts and assessment output for the duration of the active client relationship plus 12 months post-termination. Retained data is subject to the same Firm-Scoped Access and encryption standards as active-engagement data.

PE firms and executives can request deletion of specific data at any time. Deletion requests are executed within 30 days. Deletion is complete — Edgemont does not retain anonymized or aggregated versions of specific executive data after a deletion request is fulfilled, except where retention is required by applicable law.

At the end of a PE firm's client relationship with Edgemont, all assessment data associated with that relationship is deleted within 90 days of relationship termination, unless specific data is subject to a legal hold.

---

### Third-Party Security Assessment

Edgemont is committed to an independent third-party penetration test of its platform infrastructure. The assessment covers public endpoints, webhook receivers, authentication mechanisms, and service boundaries between platform components. The testing firm is selected independently of Edgemont's infrastructure vendors.

Results of the third-party penetration test are available to PE firms conducting formal security diligence under mutual NDA, within 30 days of assessment completion.

---

### Security Documentation Package

The Security Documentation Package is the formal set of security and data governance documents available to PE firms conducting due diligence on Edgemont's data handling practices. It includes infrastructure documentation, the Data Isolation architecture description, access control specifications, encryption standards documentation, the Data Retention and Deletion policy, and the third-party penetration test results.

The Security Documentation Package is provided under mutual NDA. To request it, PE firms initiate contact through https://edgemont.ai/begin or through their Edgemont relationship contact. The NDA is executed via electronic signature and the documentation package is provided within one business day of NDA execution.

---

## Infrastructure Summary

| Property | Specification |
|---|---|
| Cloud provider | Google Cloud Platform |
| Region | us-central1 (Council Bluffs, Iowa, USA) |
| Cross-region replication | None — no data transits non-US regions |
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.2+ |
| Access logging | All data access events logged |
| Backup retention | 30 days automated, point-in-time recovery enabled |
| Third-party security assessment | Independent penetration test; results available under NDA |

---

## Related Pages

- Platform overview: https://edgemont.ai/
- How the intelligence works: https://edgemont.ai/how-it-works
- Executive Intelligence: https://edgemont.ai/executive-intelligence
- Team Dynamics: https://edgemont.ai/team-dynamics
- Signal: https://edgemont.ai/signal
- Align: https://edgemont.ai/align
