Artificial Intelligence Usage Policy
Document owner: VP of Product & Chief Information Security Officer (Joint)
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Quarterly, and upon material AI program changes
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com
1. Executive Summary and Purpose
This Artificial Intelligence Usage Policy ("AI Policy" or "Policy") establishes Acme Cloud, Inc.'s ("Company," "we," "us," or "our") comprehensive framework for the responsible development, deployment, and operation of artificial intelligence and machine learning ("AI/ML") capabilities within our products and services. This Policy supplements and should be read in conjunction with our Privacy Policy, Data Processing Agreement, and Subprocessor List.
Policy Objectives:
This Policy addresses the following objectives critical to enterprise AI governance:
| Objective | Description | Stakeholder Benefit |
|---|---|---|
| Transparency | Clear documentation of AI capabilities, data flows, and decision-making processes | Procurement teams can assess AI risk; customers understand what they're enabling |
| Customer Control | Granular controls for enabling, disabling, and configuring AI features | Organizations maintain sovereignty over AI adoption decisions |
| Data Protection | Strict limitations on data retention, usage, and sharing with AI model providers | Customer data never trains foundation models; privacy obligations satisfied |
| Human Oversight | Clear delineation between AI assistance and human decision authority | Users understand AI limitations; appropriate human review maintained |
| Security | Robust protections against prompt injection, data leakage, and adversarial attacks | Security teams can verify AI-specific controls |
| Regulatory Alignment | Proactive compliance with emerging AI regulations (EU AI Act, state laws) | Legal and compliance teams can map controls to requirements |
| Accountability | Defined governance structure with clear ownership and escalation paths | Executive accountability for AI program outcomes |
Scope of This Policy:
This Policy applies to all AI/ML features offered within Acme Cloud products and services, including but not limited to: natural language processing features, automated content generation, semantic search capabilities, recommendation systems, workflow automation suggestions, and any features utilizing third-party AI models. This Policy does not govern customer use of Acme Cloud APIs to build their own AI applications (which is governed by our Terms of Service).
2. Definitions
For purposes of this Policy, the following terms shall have the meanings set forth below:
| Term | Definition |
|---|---|
| Artificial Intelligence (AI) | Computer systems designed to perform tasks that typically require human intelligence, including but not limited to natural language understanding, pattern recognition, content generation, and decision support. |
| Machine Learning (ML) | A subset of AI involving algorithms that improve performance on tasks through experience (training on data) without explicit programming for each task. |
| Foundation Model | A large-scale AI model trained on broad data that can be adapted to a wide range of downstream tasks (e.g., GPT-4, Claude, LLaMA). |
| Fine-Tuned Model | A foundation model that has been further trained on specific data to improve performance on particular tasks or domains. |
| Inference | The process of using a trained AI model to generate predictions, classifications, or outputs based on new input data. |
| Prompt | Input provided to an AI model to generate a response, including user queries, system instructions, and context. |
| Embedding | A numerical vector representation of text, images, or other data that captures semantic meaning and enables similarity comparisons. |
| Retrieval Augmented Generation (RAG) | A technique combining information retrieval with generative AI to produce responses grounded in retrieved context. |
| Hallucination | AI-generated content that is factually incorrect, fabricated, or inconsistent with provided context or training data. |
| Prompt Injection | An attack technique where malicious input manipulates an AI model's behavior to bypass safety controls or produce unintended outputs. |
| Zero-Retention API | An API configuration where the provider contractually commits to not retaining, storing, or using submitted data for any purpose including model training. |
| Token | A unit of text processed by language models; for GPT models, approximately 4 characters or 0.75 words in English. |
| Context Window | The maximum amount of text (measured in tokens) an AI model can process in a single request, including both input and output. |
| Temperature | A parameter controlling randomness in AI model outputs; lower values produce more deterministic responses. |
| Model Provider | A third-party organization providing AI model access via API (e.g., OpenAI, Anthropic, Google). |
| Data Residency | The geographic location(s) where data is processed and stored, relevant for regulatory compliance. |
| AI Feature | Any product functionality that utilizes AI/ML capabilities to process, analyze, generate, or transform data. |
| Tenant Isolation | Security controls ensuring one customer's data cannot be accessed by or affect another customer's AI operations. |
3. AI Features and Capabilities
3.1 Current AI Feature Portfolio
Acme Cloud offers the following AI-powered capabilities, all of which are disabled by default for new organizations:
| Feature Name | Description | AI Components | Default State | Plan Availability |
|---|---|---|---|---|
| Smart Summarize | Generates concise summaries of documents, threads, and conversations | GPT-4o for generation | Disabled | Professional, Enterprise |
| Workflow Assist | Suggests automation steps based on observed patterns and context | GPT-4o-mini for suggestions, internal model for pattern detection | Disabled | Enterprise |
| Semantic Search | Natural language search across workspace content with contextual understanding | Internal embedding model for indexing, RAG for retrieval | Disabled | Professional, Enterprise |
| Content Draft | Generates draft content based on templates and context | GPT-4o for generation | Disabled | Enterprise |
| Sentiment Analysis | Analyzes communication tone and sentiment for feedback categorization | Internal classification model | Disabled | Enterprise |
| Support Copilot | Internal tool assisting Acme Cloud support team (not customer-facing AI) | GPT-4o with RAG on knowledge base | Internal only | N/A |
| Translation Assist | Translates content between supported languages | GPT-4o for translation | Disabled | Enterprise |
| Action Extraction | Identifies action items from meeting notes and conversations | GPT-4o-mini for extraction | Disabled | Enterprise |
3.2 Feature Configuration Matrix
| Feature | Org-Level Toggle | Per-Workspace Toggle | Per-User Opt-Out | Admin Audit Logs | API Access | Data Residency Options |
|---|---|---|---|---|---|---|
| Smart Summarize | Yes | Yes | Yes | Yes | Yes | US, EU (Q2 2026) |
| Workflow Assist | Yes | Yes | No | Yes | No | US only |
| Semantic Search | Yes | Yes | Yes | Yes | Yes | US, EU (Q2 2026) |
| Content Draft | Yes | Yes | Yes | Yes | Yes | US, EU (Q2 2026) |
| Sentiment Analysis | Yes | Yes | No | Yes | Yes | US, EU |
| Translation Assist | Yes | Yes | Yes | Yes | Yes | US, EU |
| Action Extraction | Yes | Yes | Yes | Yes | Yes | US only |
3.3 Feature Enablement Requirements
| Feature Category | Enablement Requirements | Approval Workflow |
|---|---|---|
| Basic AI Features | Organization Admin enables via Admin Console | Self-service |
| Advanced AI Features | Organization Admin + CISO/Security Approval (if required by customer policy) | Self-service with customer internal approval |
| PHI/Healthcare Workspaces | Explicitly prohibited unless covered by AI Addendum to BAA | Requires Acme Cloud and customer legal approval |
| Financial Services (GLBA) | Requires AI risk assessment documentation | Self-service with customer risk assessment |
| EU Data Residency | Available for select features with EU inference | Feature-specific availability |
4. Data Handling and Privacy
4.1 Data Processing for AI Features
When AI features are enabled, the following data may be processed:
| Data Category | Processing Purpose | Retention by Acme Cloud | Retention by Model Provider | Processing Location |
|---|---|---|---|---|
| User Prompts | Generate AI response | Metadata logged 90 days; content processed transiently | Zero retention (OpenAI API) | US (EU Q2 2026) |
| Selected Content | Provide context for summarization, analysis | Processed transiently; not retained | Zero retention | US (EU Q2 2026) |
| Workspace Metadata | Improve search relevance and suggestions | Per customer retention settings | Not shared with provider | Customer-configured region |
| Usage Telemetry | Feature analytics, abuse detection | 90 days aggregated | N/A | US |
| Embeddings | Power semantic search | Encrypted at rest; deleted within 30 days of disable | Generated by internal model | Customer-configured region |
| AI Interaction Logs | Audit trails for compliance | 90 days or customer-configured | N/A | Customer-configured region |
| Feedback Data | Improve AI quality (explicit opt-in only) | Per feedback policy | Never shared | US |
4.2 Absolute Data Prohibitions
Acme Cloud commits to the following data handling prohibitions:
| Prohibition | Description | Enforcement Mechanism |
|---|---|---|
| No Training on Customer Data | Customer content is never used to train or fine-tune any foundation model | Contractual terms with model providers; technical controls |
| No Cross-Tenant Data Sharing | One customer's data is never visible to or influences another customer's AI outputs | Tenant isolation architecture; security testing |
| No Retention by Model Providers | Model providers contractually prohibited from retaining submitted data | Zero-retention API agreements; annual audit |
| No Secondary Use | Customer data processed only for requested AI features | Data processing agreements; access controls |
| No Third-Party Sharing | AI processing data not shared with parties beyond contracted subprocessors | Subprocessor restrictions; contractual controls |
4.3 Subprocessor and Model Provider Details
| Provider | Services Used | Models | Data Handling Agreement | Processing Location | Last Security Review |
|---|---|---|---|---|---|
| OpenAI, L.L.C. | Text generation, summarization, translation | GPT-4o, GPT-4o-mini | Zero-retention API agreement; SOC 2 Type II | US (Microsoft Azure) | Q4 2025 |
| Acme Cloud (Internal) | Embedding generation, classification | Custom embedding model | Internal processing | AWS (customer region) | Continuous |
| Amazon Web Services | Infrastructure for internal AI models | N/A | DPA; SOC 2, ISO 27001 | Customer-configured | Q3 2025 |
Provider Selection Criteria:
| Criterion | Requirement | Verification Method |
|---|---|---|
| Security Certification | SOC 2 Type II minimum | Annual certificate review |
| Data Handling | Zero-retention or equivalent commitment | Contractual review, annual audit |
| Privacy Controls | GDPR-compliant processing | DPA review, TIA where required |
| Availability | 99.9% uptime commitment | SLA review, monitoring |
| Incident Response | 24-hour breach notification | Contractual requirement |
| Financial Stability | Viable ongoing operation | Annual vendor risk assessment |
5. Customer Controls and Administration
5.1 Administrative Controls
| Control | Location | Effect | Effective Timing |
|---|---|---|---|
| Organization AI Master Toggle | Admin Console → Security → AI Features | Enables/disables all AI features organization-wide | 15 minutes |
| Per-Feature Toggles | Admin Console → Features → AI | Granular enable/disable for each AI feature | 15 minutes |
| Workspace AI Restrictions | Workspace Settings → Security | Disable AI for specific workspaces (e.g., confidential projects) | Immediate |
| User-Level Opt-Out | User Settings → Privacy | Individual user declines AI features (where permitted) | Immediate |
| API AI Access | Admin Console → API Settings | Control API access to AI endpoints | Immediate |
| Audit Log Export | Admin Console → Compliance → Logs | Export AI usage audit logs | On-demand |
| Data Residency Selection | Admin Console → Security → Data Residency | Select EU inference where available | Per feature migration timeline |
5.2 Disable and Data Deletion Process
| Action | Trigger | Effect | Data Deletion Timeline |
|---|---|---|---|
| Disable AI Organization-Wide | Admin toggles master switch off | All AI inference requests blocked within 15 minutes | Embeddings deleted within 30 days; logs retained per retention policy |
| Disable Semantic Search | Admin disables feature | New indexing stopped; existing search functionality disabled | Embeddings deleted within 30 days |
| Workspace AI Restriction | Admin restricts workspace | AI features unavailable in workspace | Workspace embeddings deleted within 30 days |
| Account Deletion | Customer terminates service | All customer data deleted per DPA | Per standard deletion schedule (30-90 days) |
| Data Export Request | Customer submits DSR | AI-related data included in export | Per DSR timeline (30 days) |
5.3 Enterprise Contract Controls
Enterprise customers may negotiate the following contractual controls:
| Control | Description | Implementation |
|---|---|---|
| AI Feature Prohibition | Contractually prohibit AI features for tenant | Technical enforcement, audit verification |
| Model Provider Restrictions | Limit approved model providers | Configuration management, audit |
| Data Residency Requirements | Mandate EU-only processing | Feature availability may vary |
| Audit Rights | Right to audit AI processing controls | Scheduled upon request |
| Custom Retention | Modified AI log retention | Configuration per contract |
| AI Addendum | Detailed AI-specific terms supplementing DPA | Legal attachment |
6. Human Oversight and AI Limitations
6.1 Human Oversight Principles
AI output within Acme Cloud is assistive, not authoritative. The following principles govern human-AI interaction:
| Principle | Implementation | User Responsibility |
|---|---|---|
| Review Before Reliance | AI-generated content is clearly labeled as AI output | Users must review AI output before using in decisions or communications |
| No Autonomous Actions | AI features suggest but do not execute actions without user confirmation | Users approve any actions based on AI suggestions |
| Context Limitations | AI operates only on provided context; cannot access external systems without explicit integration | Users provide appropriate context; understand AI cannot know information not provided |
| Accuracy Not Guaranteed | AI may produce incorrect, incomplete, or outdated information | Users verify critical information through authoritative sources |
| Bias Awareness | AI models may reflect biases present in training data | Users apply judgment to AI output, especially for sensitive decisions |
6.2 Known AI Limitations
| Limitation | Description | Mitigation | User Guidance |
|---|---|---|---|
| Hallucination | AI may generate plausible-sounding but incorrect information | Output validation, citation requirements | Verify facts independently; do not rely on AI for accuracy-critical information |
| Context Window | Limited amount of text processable in single request | Chunking strategies, summarization | Large documents may be processed in parts; summary quality may vary |
| Recency Cutoff | Foundation models trained on historical data | RAG for current information | AI may not reflect information after training cutoff |
| Reasoning Limits | Complex multi-step reasoning may be unreliable | Problem decomposition | Break complex problems into steps; verify intermediate reasoning |
| Bias | Potential biases in model outputs | Bias testing, model selection | Apply critical judgment; seek diverse perspectives for important decisions |
| Consistency | Same input may produce different outputs | Temperature controls, determinism settings | Outputs may vary; verify important outputs |
| Security | Potential for prompt injection attacks | Input sanitization, output validation | Report suspicious AI behavior to security |
6.3 Prohibited Use Cases
Customers and users must not use Acme Cloud AI features for the following purposes:
| Prohibited Use | Rationale | Enforcement |
|---|---|---|
| Autonomous decision-making affecting individual rights | Regulatory compliance, ethical AI | Terms of Service, technical controls |
| Generation of content for illegal purposes | Legal compliance | Abuse detection, terms enforcement |
| Processing of special category data without appropriate safeguards | GDPR, privacy law | Configuration restrictions |
| PHI processing without BAA AI Addendum | HIPAA compliance | Technical enforcement |
| Content that deceives individuals about AI involvement | Ethical AI, regulatory compliance | Terms of Service |
| Circumventing safety controls | Security, ethical AI | Abuse detection, account suspension |
| Processing children's data without appropriate consent | COPPA, GDPR | Age verification controls |
| Generating content that impersonates individuals | Fraud prevention, ethics | Abuse detection |
7. Security Controls for AI
7.1 AI-Specific Security Measures
| Control Category | Control | Implementation | Testing Frequency |
|---|---|---|---|
| Input Validation | Prompt injection prevention | Input sanitization, pattern detection | Quarterly |
| Output Validation | Sensitive data leakage prevention | Output scanning, PII detection | Quarterly |
| Tenant Isolation | Prevent cross-tenant data exposure | Architectural isolation, access controls | Continuous |
| Rate Limiting | Abuse prevention | Per-organization, per-user limits | Continuous monitoring |
| Content Filtering | Block prohibited content generation | Pre- and post-generation filters | Quarterly review |
| Audit Logging | Comprehensive AI operation logging | Structured logging, tamper-proof storage | Continuous |
| Encryption | Protect data in transit and at rest | TLS 1.3 in transit, AES-256 at rest | Annual certification |
| Access Control | Limit AI feature access | RBAC, feature toggles | Continuous |
| Kill Switch | Emergency AI disable capability | Organization-level and platform-level | Quarterly testing |
7.2 AI Red Team Testing
| Test Type | Frequency | Scope | Findings Action |
|---|---|---|---|
| Prompt injection testing | Quarterly | All customer-facing AI features | Critical/High: 72 hours remediation; Medium/Low: standard SLA |
| Output data leakage testing | Quarterly | All features processing customer data | Per severity |
| Adversarial input testing | Semi-annual | Customer input paths | Per severity |
| Model manipulation testing | Annual | Internal and external models | Per severity |
| Jailbreak attempt testing | Quarterly | Content generation features | Per severity |
| Cross-tenant isolation testing | Quarterly | All AI features | Critical if breach detected |
7.3 AI Incident Classification
| Incident Type | Severity | Example | Response Timeline |
|---|---|---|---|
| Cross-tenant data exposure via AI | Critical | Customer A sees Customer B's data in AI output | Immediate disable, 4-hour executive notification |
| Successful prompt injection with impact | High | Attacker extracts sensitive information | 24-hour remediation, customer notification |
| AI generates prohibited content | Medium | Content filter bypass | 72-hour fix, process review |
| Unexpected AI behavior | Low | Quality degradation without security impact | Standard bug tracking |
| Model provider incident | Variable | OpenAI security incident | Per provider notification, assess customer impact |
8. Regulatory Compliance
8.1 EU AI Act Alignment
Acme Cloud monitors EU AI Act requirements and currently classifies features as follows:
| Feature | EU AI Act Risk Classification | Rationale | Compliance Actions |
|---|---|---|---|
| Smart Summarize | Limited/Minimal Risk | Content generation without high-risk decision-making | Transparency documentation |
| Workflow Assist | Limited Risk | Suggestion only, human approval required | User notification of AI involvement |
| Semantic Search | Minimal Risk | Search assistance without significant impact | Standard documentation |
| Sentiment Analysis | Limited Risk | Analysis only, not automated decision-making | Transparency, human review requirement |
| All Features | Not High-Risk | No safety components, biometric identification, or high-risk categories | Monitoring for scope changes |
8.2 Compliance Framework Mapping
| Regulation | Applicability | Acme Cloud Compliance Approach |
|---|---|---|
| EU AI Act | EU users, EU customers | Risk classification, transparency documentation, human oversight requirements |
| GDPR | EU data subjects | Lawful basis documentation, DPIA where required, data subject rights |
| CCPA/CPRA | California residents | Consumer rights, disclosure requirements |
| HIPAA | PHI processing | AI features disabled for PHI workspaces unless AI Addendum |
| SOC 2 | All customers | AI controls mapped to Trust Services Criteria |
| ISO 27001 | All customers | AI processing within ISMS scope |
| State AI Laws | Variable | Monitoring emerging state requirements (Colorado, Connecticut, etc.) |
8.3 DPIA Support
For customers requiring Data Protection Impact Assessments for AI feature usage:
| Resource | Availability | Access |
|---|---|---|
| AI Processing Description | Standard template | Trust Center download |
| Technical Security Measures | Documentation | Trust Center |
| Subprocessor Details | Current list | Subprocessor List page |
| AI-Specific DPA Terms | For Enterprise customers | Legal request |
| DPIA Template | Pre-filled for common scenarios | Enterprise customer request |
| Consultation | For complex assessments | Professional services |
9. AI Governance Structure
9.1 AI Governance Committee
Acme Cloud maintains a cross-functional AI Governance Committee with the following structure:
| Role | Committee Member | Responsibilities |
|---|---|---|
| Chair | VP Product | Meeting facilitation, decision escalation |
| Security Lead | CISO | Security controls, risk assessment, incident review |
| Privacy Lead | Chief Privacy Officer | Data protection, regulatory compliance |
| Engineering Lead | VP Engineering | Technical implementation, model operations |
| Legal Lead | General Counsel | Contractual, regulatory, liability |
| Ethics Advisor | External (Advisory) | Ethical AI principles, bias review |
Committee Cadence and Authorities:
| Activity | Frequency | Authority Level |
|---|---|---|
| Regular meetings | Monthly | Recommendation to executive team |
| New AI feature review | Per feature launch | Approval required before launch |
| Model provider change | Per change | Approval required |
| Incident review | Per AI-related incident | Findings and remediation oversight |
| Regulatory update review | Quarterly | Compliance program updates |
| Annual AI program assessment | Annual | Report to Board (via Audit Committee) |
| Emergency decisions | As needed | VP Product + CISO joint authority |
9.2 Governance Decision Framework
| Decision Type | Approval Authority | Documentation Required |
|---|---|---|
| New AI feature (minor) | Product Lead + Security Review | Feature specification, security assessment |
| New AI feature (significant) | AI Governance Committee | Full AI impact assessment |
| New model provider | AI Governance Committee + Legal | Provider assessment, DPA review, security evaluation |
| Model change (same provider) | Engineering Lead + Security Review | Change documentation, testing results |
| AI feature disable (planned) | Product Lead | Customer communication plan |
| AI feature disable (emergency) | CISO or VP Product | Incident documentation |
| Customer AI addendum | Legal | Contract negotiation |
9.3 AI Incident Governance
| Incident Severity | Notification | Investigation Lead | Resolution Authority |
|---|---|---|---|
| Critical | CISO (immediate), CEO (4 hours), Board (24 hours) | CISO | CEO |
| High | CISO (4 hours), VP Product (4 hours) | Security Engineering | CISO + VP Product |
| Medium | Security Engineering Manager | Security Engineering | Security Engineering Manager |
| Low | Standard ticketing | Engineering | Engineering Lead |
10. Transparency and Documentation
10.1 Customer-Facing Documentation
| Document | Location | Update Frequency | Content |
|---|---|---|---|
| AI Feature Guide | Help Center | Per feature release | Feature descriptions, use cases, limitations |
| AI Security Overview | Trust Center | Quarterly | Security controls, compliance information |
| AI Data Flow Documentation | Trust Center | Quarterly | Data processing diagrams, retention information |
| Model Provider Information | Subprocessor List | Per change (30-day notice) | Provider details, data handling |
| AI FAQs | Help Center | Monthly | Common questions and answers |
10.2 Transparency Metrics
Acme Cloud publishes the following AI metrics to Enterprise customers quarterly:
| Metric | Description | Current Status |
|---|---|---|
| AI feature adoption rate | Percentage of eligible organizations with AI enabled | 34% (Q4 2025) |
| Average AI response latency | P50 latency for AI feature responses | 1.2 seconds |
| AI availability | Uptime for AI features | 99.94% |
| Security incidents (AI-related) | Count of AI-related security incidents | 0 (FY2025) |
| Model accuracy feedback | Customer-reported accuracy issues | 0.3% of interactions |
| AI feature satisfaction | NPS for AI features | +42 |
10.3 AI Model Card Information
For transparency regarding AI models used:
| Model | Provider | Capabilities | Limitations | Training Data Cutoff | Version |
|---|---|---|---|---|---|
| GPT-4o | OpenAI | Text generation, summarization, translation, analysis | Hallucination risk, context window limits, reasoning errors | ~Oct 2023 + web | gpt-4o-2024-08-06 |
| GPT-4o-mini | OpenAI | Lightweight text tasks | Same as GPT-4o, lower quality on complex tasks | ~Oct 2023 | gpt-4o-mini-2024-07-18 |
| Internal Embedding Model | Acme Cloud | Text embedding for semantic search | Domain-specific accuracy varies | Internal training data | v2.1 |
11. AI Feature Roadmap
11.1 Planned Enhancements
| Feature/Enhancement | Target Quarter | Customer Impact | Prerequisites |
|---|---|---|---|
| EU-hosted inference (Smart Summarize, Semantic Search) | Q2 2026 | EU data residency compliance | Infrastructure deployment |
| Enhanced citation in Smart Summarize | Q1 2026 | Improved source attribution | Model capability |
| Multi-language support (French, German, Spanish) | Q2 2026 | Broader accessibility | Localization, model evaluation |
| Custom model routing (Enterprise) | Q3 2026 | Customer model selection | Architecture, security review |
| AI risk assessment template | Q1 2026 | DPIA support | Documentation |
| Detailed AI usage analytics | Q2 2026 | Admin visibility | Dashboard development |
| AI feature API expansion | Q3 2026 | Programmatic AI access | API development, security |
11.2 Feature Deprecation Policy
| Stage | Timeline | Customer Communication |
|---|---|---|
| Deprecation announcement | 180 days before removal | Email to admins, in-app notification, Trust Center update |
| Feature freeze | 90 days before removal | No new functionality |
| Migration support | 90 days before removal | Documentation, support resources |
| Soft disable | 30 days before removal | Warning on feature use |
| Hard disable | Target date | Feature removed |
| Data cleanup | 30 days after removal | Associated data deleted per retention policy |
12. SOC 2 and ISO 27001 Control Mapping
12.1 SOC 2 Trust Services Criteria Mapping
| Control ID | Control Description | AI Policy Implementation |
|---|---|---|
| CC1.1 | Integrity and ethical values | AI ethics principles, prohibited uses, human oversight |
| CC1.2 | Board oversight | AI Governance Committee reports to Board via Audit Committee |
| CC2.2 | Information and communication | AI documentation, transparency reporting |
| CC3.1 | Risk identification | AI-specific risk assessments |
| CC3.2 | Risk assessment | Model provider evaluation, AI security testing |
| CC3.3 | Risk management | AI security controls, incident response |
| CC4.1 | Monitoring controls | AI audit logging, metrics monitoring |
| CC5.2 | Control activities | Technical and administrative AI controls |
| CC6.1 | Logical access controls | AI feature access controls, API security |
| CC6.7 | Data classification and handling | AI data flows, retention policies |
| CC7.2 | Incident monitoring | AI-specific incident detection |
| CC7.4 | Incident response | AI incident procedures |
| CC8.1 | Change management | AI feature and model change procedures |
| PI1.1 | Processing integrity | AI output validation, human oversight |
| P3.1 | Personal information collection | AI data collection transparency |
| P4.2 | Personal information retention | AI data retention limits |
| P6.1 | Data subject rights | AI data deletion, export |
12.2 ISO 27001:2022 Annex A Control Mapping
| Control | Control Title | AI Policy Implementation |
|---|---|---|
| A.5.1 | Policies for information security | This AI Policy as component of security policy |
| A.5.8 | Information security in project management | AI feature security review process |
| A.5.19 | Information security in supplier relationships | Model provider security requirements |
| A.5.21 | Managing ICT supply chain | Model provider evaluation and monitoring |
| A.5.23 | Information security for cloud services | AI infrastructure security |
| A.6.3 | Information security awareness | AI security training |
| A.8.2 | Privileged access rights | AI admin access controls |
| A.8.3 | Information access restriction | AI feature access controls |
| A.8.4 | Access to source code | Model and AI code security |
| A.8.12 | Data leakage prevention | AI output validation |
| A.8.16 | Monitoring activities | AI audit logging |
| A.8.23 | Web filtering | AI content filtering |
| A.8.25 | Secure development lifecycle | AI feature development security |
| A.8.28 | Secure coding | AI integration security |
13. Customer Responsibilities
13.1 Customer Obligations for AI Feature Use
Customers enabling AI features are responsible for:
| Responsibility | Description | Verification |
|---|---|---|
| User Consent | Obtain appropriate consent from end users for AI processing where required | Customer responsibility |
| Regulatory Assessment | Assess AI feature use against applicable industry regulations | Customer responsibility |
| Use Case Appropriateness | Ensure AI features are used for appropriate purposes | Terms of Service compliance |
| PHI Restrictions | Do not enable AI for PHI workspaces without AI Addendum | Technical and contractual enforcement |
| Special Category Data | Apply appropriate safeguards for sensitive data | Customer responsibility |
| Output Review | Review AI-generated content before reliance | User training |
| Access Control | Properly configure AI feature access within organization | Admin console configuration |
| Incident Reporting | Report suspected AI security issues | Security contact |
13.2 Shared Responsibility Model for AI
| Responsibility Area | Acme Cloud | Customer |
|---|---|---|
| AI model security | ✓ | |
| Infrastructure security | ✓ | |
| AI feature access controls | ✓ (capability) | ✓ (configuration) |
| Input data appropriateness | | ✓ |
| Output review | | ✓ |
| Regulatory compliance (platform) | ✓ | |
| Regulatory compliance (use) | | ✓ |
| User training | | ✓ |
| Data classification | | ✓ |
| Consent management | | ✓ |
Document revision history
| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |
14. Policy Updates and Communication
14.1 Policy Change Notification
| Change Type | Advance Notice | Communication Channels |
|---|---|---|
| Material changes to AI data handling | 30 days | Email to admins, Trust Center, in-app notification |
| New AI feature launch | 14 days (Enterprise), at launch (others) | Email, product announcements |
| Model provider change | 30 days | Email to admins, Subprocessor List update |
| Security control changes | 30 days | Trust Center update |
| Pricing changes (AI features) | 60 days | Email to billing contacts |
| Feature deprecation | 180 days | Per deprecation policy |
14.2 Contact Information
Primary AI Policy Contact: ai-trust@acmecloud.com
This Policy is effective as of January 1, 2026. Acme Cloud reserves the right to update this Policy at any time. Material changes will be communicated in accordance with the notification procedures above. Continued use of AI features after notification constitutes acceptance of updated terms.