The terms on which we hold your data.

The family office, board, deal team, matter team or other closed group that engages Steward is the controller of the personal data it places into the workspace. ANA Wealth AG, trading as Steward, is the processor. The distinction matters: the controller decides why and how the data is processed; the processor executes those instructions and nothing else.

Our commitment is bounded by your instructions. Steward acts on the documented instructions of the controller as set out in the Data Processing Agreement and the configuration of the workspace itself — its House Rules, its permissions, its retention settings. We do not process the data for purposes of our own, we do not aggregate it across tenants, and we do not use it to inform any product decision beyond serving the controller who placed it there.

Where Steward retains a sub-processor to operate part of the service — most materially, PHOENIQS AG, which provides the hosting and inference infrastructure — that sub-processor is bound by terms back-to-back with the controller's own DPA. Section 03 of this page names that sub-processor explicitly.

All controller data — documents, queries, model outputs, derived metadata, audit logs — is stored, processed and transmitted exclusively within Switzerland. The physical infrastructure is operated by PHOENIQS AG from a data centre located in Basel [REVIEW: confirm specific facility designation with PHOENIQS]. Backups and disaster-recovery replicas, where they exist, remain within Switzerland and within PHOENIQS-operated facilities. On the Hosted tier the deployment is multi-tenant, running in a shared Phoeniqs Swiss OpenShift namespace; on the Dedicated tier it is single-tenant.

Data does not cross the Swiss border at rest or in transit between Steward services. There is no fall-back to providers in the United States, the European Union, or any other jurisdiction. There is no overflow capacity in a foreign region. Where a model is invoked to answer a query, that model is served from inside the same Swiss boundary — the request, the context, and the response do not leave the country.

The Swiss Federal Data Protection Act (FADP) and, where applicable, the General Data Protection Regulation, govern the relationship. The United States CLOUD Act and equivalent extraterritorial demands by other jurisdictions do not reach Swiss-owned infrastructure operated under Swiss law; we describe the consequences of that for compelled-disclosure scenarios in the Data Processing Agreement.

A complete list of the sub-processors that Steward engages to deliver the service is set out below. Steward uses one sub-processor. There are no others. We do not retain analytics vendors, customer-success tooling, support platforms, or third-party model providers that would expose controller data outside the Steward–PHOENIQS boundary.

The open-source language models served through PHOENIQS are compute, not separate parties. A model running inside the PHOENIQS environment is a function being evaluated against your data, not an entity that receives a copy of it. No model weights, no inference requests, and no inference outputs are transmitted to a third party — including the publishers of the open-source models themselves.

Where Steward proposes to add or replace a sub-processor, the controller is notified at least thirty days in advance, with the right to object. [REVIEW: confirm 30-day notice period and objection mechanism with counsel]

Steward does not use controller data — documents, queries, outputs, House Rules, or any derivative — to train any model. This is not an opt-out toggle, not a tier-dependent setting, and not subject to a development-partner programme. The commitment is uniform across every engagement.

The models that Steward serves are open-source language models hosted inside the PHOENIQS environment. Because those models are open-source does not mean that prompts sent to them leak: the models run on infrastructure under Swiss control, with no telemetry to the model's original publisher and no path by which a query or its response leaves the controller's encrypted boundary. Open-source describes how the model was produced and licensed, not who can observe its use.

Steward does not employ third-party model providers in the United States or elsewhere whose terms of service would otherwise permit training on customer data. The inference path is Steward and PHOENIQS — no other party participates.

For client-facing chat and drafting work, Steward uses Phoeniqs MAAS -GRC model aliases where they are available. The GRC gateway runs inside Phoeniqs MAAS before inference and may block or mask content before the request reaches the model. The current model inventory is published at /models.

Controller data is encrypted at rest. Workspace isolation is enforced by application-level controls — the security suite that runs against every production change tests these boundaries by construction, and cross-workspace access is not possible through the application path.

On the Hosted tier, two categories of operator have technical access to controller data. ANA Wealth operators have audited application and database access, used for operational support and incident response; every such access event is logged and surfaced to the workspace administrator. Phoeniqs operators have access at the storage layer — their theoretical reach is to encrypted-at-rest data, where encryption is the only barrier, and they do not have credentials to the Steward application or to your workspace data through the application path. What this means in plain terms: at the Hosted tier, neither ANA Wealth nor Phoeniqs is a no-knowledge custodian of your data. If you require infrastructure where even the platform operators cannot decrypt your data, the Dedicated tier exists for that purpose — see the callout below or /pricing.

Controllers may exercise an annual audit right under the Data Processing Agreement: on reasonable notice, at the controller's cost, under NDA, with access to the controls relevant to the processing performed for that controller. [REVIEW: confirm audit cost allocation and scope with counsel]

On termination of the engagement — whether at the end of the contract term, for cause, or at the controller's election — controller data is returned to the controller and then deleted from Steward and PHOENIQS systems. The procedure has two phases.

First, within thirty daysof the termination effective date, Steward provides an export of the entire workspace to the controller. Documents are returned in their original formats. Notes are returned as Markdown. Metadata and the knowledge graph are returned as JSON and a folder of wiki-style pages. Audit logs are returned as a structured file. The export is delivered through a mechanism agreed in writing with the controller's administrator.

Second, within thirty daysof the controller's confirmation that the export has been received, Steward and PHOENIQS delete all copies of controller data from production systems, backup systems and any operational caches. A certificate of deletion is provided to the controller. Residual entries in operational audit logs — to the extent required for the integrity of the audit trail itself — are retained in pseudonymised form for a period not exceeding twelve months, after which they are deleted in the next scheduled rotation. [REVIEW: confirm 30-day export window, 30-day deletion window, 12-month residual log retention, and breach notification window of 48 hours Steward→Customer / 24 hours PHOENIQS→Steward with counsel]

No part of the foregoing is contingent on Steward's commercial relationship with the controller continuing. A controller may exercise the export and deletion right at any time, on notice, including before the contract term ends.