Artificial Intelligence Policy

1. Purpose

Establishes governance, risk controls, and operational requirements for the design, deployment, and use of artificial intelligence within Karbon Digital Ltd. and within the Docufy.ai platform to support regulated customers while protecting privacy, security, and legal compliance across jurisdictions.

2. Scope

This policy applies to Karbon Digital Ltd. employees, contractors, and third parties who design, build, operate, support, sell, or access Docufy.ai or its underlying AI/ML systems. It also applies to AI features made available to customers and end users through Docufy.ai, including any processing of customer content and personal data.

3. Policy Statements

3.1 KD-POL-AI-24.1: AI Governance and Accountability

Karbon Digital Ltd. shall maintain an AI governance framework that defines accountability for AI decisions, risk acceptance, and compliance obligations for Docufy.ai deployments.

AI governance includes documented model inventories, risk classifications, approval gates, and auditable decision records.

3.1 KD-POL-AI-24.1 Action: Establish an AI Governance Committee (or equivalent) chaired by the AI Governance Lead and including Security, Privacy, Legal, and Product.

Maintain an AI system register for Docufy.ai (models, data sources, vendors, versions, and intended uses).

3.1 KD-POL-AI-24.1 Dependencies & Limitations: Depends on executive sponsorship, cross-functional participation, and access to legal/compliance expertise.

Some customer-specific controls may require contractual alignment and customer implementation.



3.2 KD-POL-AI-24.2: Intended Use, Prohibited Use, and High-Risk Restrictions

Docufy.ai AI capabilities shall be used only for intended enterprise document processing use cases (Example: compliance mapping, governance reporting, risk identification) as documented in product materials and customer agreements.

The platform must not be used for unlawful, discriminatory, or safety-critical decision-making without appropriate human oversight and customer-specific governance controls.

3.2 KD-POL-AI-24.2 Action: Block or restrict use cases involving sensitive profiling or automated eligibility decisions (including credit, insurance, employment, and medical diagnosis) unless an approved, contractually scoped program exists with documented controls.

Require human review for any workflow that could create legal or similarly significant effects on individuals.

3.2 KD-POL-AI-24.2 Dependencies & Limitations: Depends on customer disclosure of intended use and proper configuration of workflows and approvals.

Karbon Digital cannot fully prevent misuse outside the platform or from customer-side downstream actions.



3.3 KD-POL-AI-24.3: Data Classification, Privacy, and Confidentiality

All data processed by Docufy.ai shall be classified and handled in accordance with Karbon Digital data classification standards, contractual confidentiality obligations, and applicable privacy laws (as applicable to the customer and the processing).

Personal data must be processed lawfully, fairly, and transparently, with purpose limitation and data minimization.

3.3 KD-POL-AI-24.3 Action: Implement privacy-by-design controls: minimization, default off for non-essential data collection, and least privilege access.

Support customer instructions for deletion, export, and restriction of processing where contractually required.

Maintain confidentiality obligations for customer content and derived outputs.

3.3 KD-POL-AI-24.3 Dependencies & Limitations: Depends on correct customer data classification and lawful instructions.

Regulatory requirements vary by jurisdiction; customers may be required to execute a Data Processing Addendum (DPA) for specific regions.



3.4 KD-POL-AI-24.4: Cross-Border Data Transfers and Data Residency

When Docufy.ai processes or stores personal data across international boundaries, Karbon Digital shall implement lawful transfer mechanisms and contractual safeguards appropriate to the jurisdictions involved (Standard Contractual Clauses, the UK addendum/IDTA, or adequacy decisions, as applicable).

Where offered, data residency configurations shall be documented and enforced through technical and administrative controls.

3.4 KD-POL-AI-24.4 Action: Publish and maintain a list of subprocessors and hosting regions; obtain contractual authorization as required.

Conduct Transfer Impact Assessments (TIAs) for regulated transfers when required by applicable law or customer contract.

Ensure encryption in transit and at rest for cross-border transfers and storage.

3.4 KD-POL-AI-24.4 Dependencies & Limitations: Depends on available cloud regions and third-party vendor support.

Certain jurisdictions may require additional approvals, local hosting, or sector-specific compliance not supported by default.



3.5 KD-POL-AI-24.5: Model Development, Evaluation, and Lifecycle Management

AI/ML components used in Docufy.ai shall be developed and operated under controlled MLOps practices to manage quality, bias, security, and drift.

Models must be evaluated against documented acceptance criteria prior to release and re-evaluated after material changes.

3.5 KD-POL-AI-24.5 Action: Maintain versioned training/evaluation artifacts, including dataset lineage (where permitted), prompts/templates, model cards, and test results.

Perform pre-release testing to ensure accuracy, robustness, safety, and security (including prompt injection and data leakage testing) for AI features.

Use staged rollout with rollback capability and change management approvals.

3.5 KD-POL-AI-24.5 Dependencies & Limitations: Depends on access to representative evaluation data and subject-matter expertise.

Performance may vary by document domain, language, and jurisdictional requirements; customers remain responsible for final compliance determinations.



3.6 KD-POL-AI-24.6: Transparency, Explainability, and User Disclosures

Docufy.ai shall provide reasonable transparency about AI-assisted functions, including the fact that outputs may be probabilistic and require human review.

Where feasible, outputs should include traceability signals (Example: citations to source text spans, confidence indicators, or rationale summaries) to support auditability.

3.6 KD-POL-AI-24.6 Action: Provide user-facing notices and documentation describing AI features, limitations, and recommended review steps.

Maintain internal documentation that describes the model's purpose, limitations, and known failure modes.

3.6 KD-POL-AI-24.6 Dependencies & Limitations: Depends on model capabilities and customer workflow configuration.

Explainability may be limited for certain model classes; substitute controls (testing, monitoring, and human review) must be used.



3.7 KD-POL-AI-24.7: Security Controls for AI Systems

Docufy.ai shall implement security controls aligned with recognized frameworks, including ISO 27001, ISO 27002, and System and Organization Controls 2 (SOC 2), and appropriate to the risk profile.

AI-specific security threats (prompt injection, data exfiltration via model outputs, model poisoning, and supply-chain vulnerabilities) shall be addressed through defense-in-depth.

3.7 KD-POL-AI-24.7 Action: Enforce a secure Software Development Lifecycle (SDLC), code review, dependency scanning, and secrets management for AI pipelines.

Implement strong authentication, role-based access control, tenant isolation, and logging for administrative and user actions.

Use encryption in transit (Transport Layer Security) and at rest; protect keys with managed key services and access controls.

3.7 KD-POL-AI-24.7 Dependencies & Limitations: Depends on timely patching and coordinated vulnerability management across vendors and cloud providers.

Some customer environments may require additional controls, such as Hardware Security Module (HSM), customer-managed keys, and private networking.



3.8 KD-POL-AI-24.8: Monitoring, Quality Assurance, and Incident Response

Karbon Digital shall monitor Docufy.ai AI features for performance, drift, misuse signals, and security events.

AI incidents, such as sensitive data exposure, material hallucinations in regulated workflows, or model compromise, shall be handled under the Security Incident Response Plan with defined escalation paths.

3.8 KD-POL-AI-24.8 Action: Define and track Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs) for AI quality (accuracy, false positive/negative rates), operational reliability, and security.

Maintain an incident taxonomy that includes AI-specific events, post-incident root-cause analysis, and corrective actions.

3.8 KD-POL-AI-24.8 Dependencies & Limitations: Depends on telemetry availability, customer configuration, and appropriate log retention.

Some quality issues may only be detectable through customer feedback and domain validation.



3.9 KD-POL-AI-24.9: Third-Party Models, Vendors, and Subprocessors

Use of third-party AI models, Application Programming Interfaces (APIs), Model Context Protocol (MCP) servers, agents, or subprocessors shall be governed through vendor risk management, contractual safeguards, and security due diligence.

Third-party providers must not use customer content to train their general models unless explicitly permitted by contract and by customer instructions.

3.9 KD-POL-AI-24.9 Action: Perform security and privacy assessments prior to onboarding vendors; maintain DPAs and subprocessor lists.

Contractually require confidentiality, data protection, breach notification, and audit cooperation, as appropriate.

3.9 KD-POL-AI-24.9 Dependencies & Limitations: Depends on vendor transparency and contractual negotiation leverage.

Availability of certain safeguards may vary by vendor and region.



3.10 KD-POL-AI-24.10: Intellectual Property, Training Data, and Customer Content

Karbon Digital shall protect the company's intellectual property while respecting customers' intellectual property and confidentiality in all Docufy.ai operations.

Customer content remains the customer’s property; Karbon Digital receives only the rights necessary to provide and secure the service, as defined by contract.

3.10 KD-POL-AI-24.10 Action: Prohibit use of customer content for generalized model training unless explicitly authorized by the customer in writing and permitted by law.

Maintain employee and contractor IP assignment and invention disclosure processes for AI-related work products.

3.10 KD-POL-AI-24.10 Dependencies & Limitations: Depends on clear contractual terms and customer configuration choices.

Certain jurisdictions have default IP ownership rules that may impose additional requirements or limitations.



3.11 KD-POL-AI-24.11: Records, Auditability, and Continuous Policy Change Management

Docufy.ai is designed to support continuous policy change; therefore, Karbon Digital shall maintain auditable change control for policy ingestion, classification rules, and workflow automations that affect regulated outputs.

Material changes to policy packs, validation logic, or risk scoring must be traceable, reviewable, and reversible.

3.11 KD-POL-AI-24.11 Action: Implement change approval workflows for policy updates, including peer review, testing, and release notes.

Maintain immutable audit logs for policy versions, downstream impact assessments, and customer-facing reporting artifacts.

3.11 KD-POL-AI-24.11 Dependencies & Limitations: Depends on disciplined release management and configuration management.

Customer-side processes (Example: internal approvals) may delay adoption even when Docufy.ai updates are available.

3.12 KD-POL-AI-24.12: Workforce Training and Acceptable Use

All personnel with access to Docufy.ai systems or customer data shall complete security, privacy, and AI acceptable-use training.

Personnel must not input sensitive customer data into unapproved tools or environments and must follow least-privilege and need-to-know principles.

3.12 KD-POL-AI-24.12 Action: Require annual training refreshers and onboarding training before system access is granted.

Maintain role-specific playbooks for support, engineering, and sales on safe AI usage and customer communications.

3.12 KD-POL-AI-24.12 Dependencies & Limitations: Depends on training program quality and enforcement through access controls.

Human error risk cannot be eliminated; monitoring and preventative controls remain necessary.



4. Compliance

Non-compliance may result in disciplinary action up to and including termination of access or engagement. Exceptions require documented risk acceptance approved by the AI Governance Sponsor and reviewed by Security and Privacy, with time-bounded remediation plans.

5. Review

This policy is reviewed annually or when significant changes occur.

For questions or feedback about this policy, contact the Compliance Team at legal@karbondigital.com.

© 2026. All Rights Reserved.

Powered by Karbon Digital Ltd

Innovated in Canada Engineered for the World
