Questions we get asked before every engagement.
Procurement-level answers so the discovery call covers actual work. If yours isn't here, email hello@theft.studio.
Engagement basics
Who actually does the work?
The studio. The team that runs the research runs the eval harness. No offshore layer, no relay between research and engineering.
How do you scope an engagement?
A 30-minute discovery call, then a written proposal within the week covering scope, timeline, and deliverables. If the brief needs reshaping, we say so before quoting.
Do you work in sprints or all-in?
Both. UX Research runs as a 2 to 3 week sprint. AI Product Build is a 6 to 10 week engagement. Retained Partnership is a six-month block. See /services for the full breakdown.
Can you fit under our MSA or do we use yours?
Either direction works. We hold a standard MSA for engagements that need one, and we sign enterprise MSAs the other way regularly. DPA and NDA on request.
Terms and ownership
How do payments work?
A deposit holds the calendar and starts the work. The remainder is invoiced at deliverable acceptance, or on a milestone schedule for engagements longer than 6 weeks. Wire, invoice, or direct billing in most cases.
What happens if evals fail or the research disproves the hypothesis?
You receive the research, the evidence, and our recommendation. If the research says do not ship, we say so, even when it ends the engagement. Some engagements close at this point.
Who owns the IP?
You own everything produced for your engagement: code, research, artifacts, evals, documentation. We retain rights to our methodology, internal tools, and redacted case-study material, with client approval before publication.
Compliance & data
Are you SOC 2 Type II certified?
No. We operate aligned with SOC 2 Type II controls (MFA, least-privilege access, AES-256 at rest, TLS 1.3 in transit, audit-logged access) without holding the formal certification. GDPR and EU AI Act practices are active by default. Full posture at /trust. We complete client security questionnaires directly.
Where does our data live?
On systems you control or provision. We do not run a shadow data copy. For engagements that require us to touch your data, work happens inside your infrastructure: your cloud, your VPN, your auth. No data retention on our side beyond the engagement.
Do you train AI models on our data?
No. Client data is not used to train models, ours or anyone else's. Model training, fine-tuning, or embedding generation happens only when explicitly scoped, on data you authorize.
Are you insured?
Yes. Professional liability and E&O coverage, underwritten by a US-registered carrier with international scope. Certificate of insurance provided before engagement start on request.
Process specifics
How do you integrate with our team?
Slack or Discord for day-to-day. A shared Linear or Jira project if you run one. Weekly 30-minute syncs and a structured end-of-engagement handoff doc. No surprise invoices, no mid-phase disappearance.
What if we need to terminate?
Engagements terminate at any phase boundary, for any reason. You pay for work delivered up to that point. The MSA covers the mechanics. No lock-in clauses, no penalty fees.
How fast can we start?
From discovery call to signed SOW is typically 10 business days. From signed SOW to work start is the following Monday. Current availability is published on /contact.