Data Policy
This policy describes the baseline approach to data during AI audits and pilot projects. Specific requirements are fixed in the contract, NDA and statement of work.
1. Access Minimization
For an audit, process descriptions, aggregated metrics, screenshots, integration diagrams and demo data are usually sufficient. Access to production systems and personal data is not requested unless there is a separate, agreed need.
2. What May Be Processed
- Organization structure and role descriptions within the process.
- IT landscape and integration diagrams.
- Aggregated indicators: volumes, timelines, errors and operation costs.
- Anonymized examples of documents or requests.
- Interviews, notes and project working materials.
3. What Is Not Required by Default
- Passwords, tokens, API keys and administrative access.
- Exports of customers’ or employees’ personal data.
- Full databases and copies of production systems.
- Trade secrets not related to the processes under review.
4. Storage and Deletion
Working materials are stored only for the project period and follow-up support. The baseline rule is to delete or return materials within 90 days after completion, unless another period is agreed in the contract.
5. Use of AI Tools
External AI tools do not receive confidential data without approval. If an LLM or another AI service is needed for analysis, anonymized fragments, test data or a pre-agreed protected environment are used.
6. Incidents
If unauthorized access or leakage is suspected, the parties notify each other, identify the affected materials and agree on next steps.
7. Contacts
Questions about data and confidentiality: ai@pozdnyakov.io.