docs(user-guide): add compliance and data privacy faq entries

.gitleaks.toml

@@ -0,0 +1,8 @@
+[extend]
+useDefault = true
+
+[allowlist]
+paths = [
+  '''build/''',
+  '''.docusaurus/''',
+]

cspell.config.yaml

@@ -240,6 +240,8 @@ words:
   - katas
   - codemieai
   # Other
+  - LFPDPPP
+  - SIEM
   - AITM
   - codereview
   - databasename

faq/does-codemie-comply-with-data-protection-regulations-such-as-gdpr.md

@@ -0,0 +1,33 @@
+# Does CodeMie comply with data protection regulations such as GDPR?
+
+CodeMie is designed for client-controlled deployment, which means the client organization owns and operates the platform and is the data controller for compliance purposes. This model directly supports compliance with GDPR and equivalent regulations such as Mexico's LFPDPPP.
+
+**Data residency**
+
+Because CodeMie runs entirely within your own infrastructure (AWS, GCP, Azure, or on-premises Kubernetes), data residency is determined by the region you select at deployment time. No data leaves the environment you control.
+
+**Built-in privacy controls**
+
+The platform implements the following data protection capabilities out of the box:
+
+| Principle                  | Implementation                                                                          |
+| -------------------------- | --------------------------------------------------------------------------------------- |
+| Data minimization          | Only the prompt and relevant context are sent to AI models                              |
+| Right to erasure           | Users can delete all their conversations from the UI; admin deletion APIs are available |
+| Data subject access rights | All PII data can be provided on request                                                 |
+| Data security              | AES-256 encryption at rest, TLS 1.2+ in transit, KMS-managed key rotation               |
+| Access control             | RBAC via Keycloak with project-scoped permissions and SSO integration                   |
+| Data localization          | Storage region is fully configurable per deployment                                     |
+
+**AI risk management**
+
+The platform aligns with ISO/IEC 42001 (AI risk management standard), including AI safety guardrails, risk assessment, monitoring, and continuous lifecycle reviews.
+
+**Responsibility**
+
+Since the client controls the deployment environment, data handling policies are enforced by the client organization in accordance with their own contractual and regulatory obligations.
+
+## Sources
+
+- [Security & Data Processing](https://docs.codemie.ai/admin/security)
+- [Deployment Overview](https://docs.codemie.ai/admin/deployment/aws/overview)

faq/does-codemie-use-customer-data-to-train-ai-models.md

@@ -0,0 +1,22 @@
+# Does CodeMie use customer data to train AI models?
+
+No. CodeMie does not use customer data to train AI models.
+
+Prompts, chat messages, indexed data sources (Git repositories, Jira, Confluence, files), and AI-generated outputs are used exclusively to deliver the requested assistant functionality within your deployment. No data is used for model training or improvement.
+
+**LLM provider guarantees**
+
+When CodeMie forwards a prompt to an external LLM provider (e.g., Azure OpenAI, AWS Bedrock, Google Vertex AI, Anthropic), the enterprise agreements with these providers guarantee:
+
+- Prompts and completions are not available to other customers
+- Data is not used to improve LLM models or any third-party products
+- Models are stateless unless explicitly fine-tuned with customer data
+- Any fine-tuned models remain exclusively available to the client
+
+**Integration credentials are never sent to LLM models**
+
+API keys, passwords, and datasource credentials are encrypted (KMS/Vault) and exist as plaintext only in memory for the duration of a single API call. They are never included in prompts or persisted to disk.
+
+## Sources
+
+- [Security & Data Processing](https://docs.codemie.ai/admin/security)

faq/what-audit-and-logging-capabilities-does-codemie-provide.md

@@ -0,0 +1,36 @@
+# What audit and logging capabilities does CodeMie provide?
+
+CodeMie provides several layers of logging and audit traceability, all stored within the client's own infrastructure.
+
+**User activity and AI usage logs**
+
+Every AI request is automatically logged with: user identity, model used, token consumption, cost, timestamp, response time, and request metadata. These logs are stored in Elasticsearch within your deployment and accessible via the built-in Analytics Dashboard with role-scoped visibility:
+
+- Platform Admins see all users and projects
+- Project Admins see their project scope
+- Regular users see only their own activity
+
+**Per-request spend logs**
+
+Granular per-request logs capture the full request lifecycle including model, tokens, cost, and user. Retention is configurable and logs can be forwarded to external SIEM solutions such as Splunk, CloudWatch, or Stackdriver.
+
+**Workflow execution history**
+
+For workflow-based AI runs, CodeMie keeps an execution history per project. Project administrators can review all workflow executions triggered by any user within their project scope.
+
+**API request correlation**
+
+When assistants call external services via the OpenAPI tool, a `callback_id` can be included in the request metadata. CodeMie forwards it downstream as a `callback-id` HTTP header, allowing you to correlate CodeMie events with your own API gateway and service logs.
+
+**Cloud-provider audit trails**
+
+Depending on your deployment:
+
+- **AWS**: CloudTrail and CloudWatch
+- **GCP**: Cloud Audit Logs with PostgreSQL DDL logging
+- **Azure**: Log Analytics workspace with Container Insights and Key Vault audit events
+
+## Sources
+
+- [Analytics](https://docs.codemie.ai/user-guide/analytics)
+- [Security & Data Processing](https://docs.codemie.ai/admin/security)

scripts/secrets-check.sh

@@ -31,10 +31,15 @@ fi
 
 echo "Checking for secrets with Gitleaks..."
 
+CONFIG_FLAG=""
+if [[ -f ".gitleaks.toml" ]]; then
+  CONFIG_FLAG="--config /path/.gitleaks.toml"
+fi
+
 if [[ "$1" == "--git" ]]; then
-  $CONTAINER_ENGINE run --rm -v "$(pwd):/path" "$GITLEAKS_IMAGE" git --no-banner --verbose /path
+  $CONTAINER_ENGINE run --rm -v "$(pwd):/path" "$GITLEAKS_IMAGE" git --no-banner --verbose $CONFIG_FLAG /path
 else
-  $CONTAINER_ENGINE run --rm -v "$(pwd):/path" "$GITLEAKS_IMAGE" dir --no-banner --verbose /path
+  $CONTAINER_ENGINE run --rm -v "$(pwd):/path" "$GITLEAKS_IMAGE" dir --no-banner --verbose $CONFIG_FLAG /path
 fi
 
 if [[ $? -ne 0 ]]; then