# CapitalBench Private Eval Sprint - Data Handling Process

This operational process describes the default handling used for a standard private sprint unless the SOW specifies a different process.

## Data Not Required

The standard sprint does not require source code, model weights, production databases, customer records, brokerage credentials, fund holdings, or access to real capital.

## Credential Handling

- Credentials are requested only after the Evaluation Plan and SOW are approved.
- Credentials should be temporary, restricted, and scoped to the evaluation endpoint.
- Credentials are not submitted through the public intake form.
- Credentials are removed after execution is complete.
- Credential deletion is recorded in the delivery notes or audit packet.

## Private Artifact Retention

- Raw private outputs are retained for 30 days after final delivery unless the SOW states otherwise.
- Final report retention is governed by the SOW.
- Published public benchmark artifacts are not mixed with private-client artifacts unless the client approves publication in writing.

## Provider Transparency

The Evaluation Plan identifies any third-party model providers used. Their handling of API data remains governed by their applicable terms.

## Publication

Private by default. Client identity, system details, prompts, outputs, scores, and reports are not published without written approval.

## Delivery

Private audit packets are delivered through a client-approved method. Delivery metadata should record the packet name, manifest hash, delivery date, and recipient.