3. Policy Statements
3.1 KD-POL-PRIV-25.1: Lawful, Fair, and Transparent Processing
Karbon Digital shall process personal information only for legitimate, documented purposes and in alignment with applicable privacy laws (including, where applicable, the General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), U.S. state privacy laws, Lei Geral de Proteção de Dados Pessoais (LGPD), and Act on the Protection of Personal Information (APPI)). Karbon Digital shall provide clear notices describing processing purposes, categories of data, retention, and sharing.
3.1 KD-PRIV-AI-25.1 Action: Maintain a public-facing Privacy Notice for Docufy.ai and internal records of processing activities (ROPA) for regulated or high-risk processing.
3.1 KD-PRIV-AI-25.1 Dependencies & Limitations: Legal interpretations vary by jurisdiction and by customer role allocation (controller vs processor). Customer-specific contractual terms or sector rules may require additional disclosures.
3.2 KD-POL-PRIV-25.2: Data Minimization and Purpose Limitation
Docufy.ai workflows shall be designed to minimize the collection and retention of personal data. Only the minimum data required to deliver the contracted service, support, security, and compliance obligations may be processed. Secondary use (Example: product analytics) must be proportionate and governed by privacy-by-design review.
3.2 KD-PRIV-AI-25.2 Action: Implement configuration options to limit captured fields, redact or mask non-required PII, and disable non-essential telemetry where feasible.
3.2 KD-PRIV-AI-25.2 Dependencies & Limitations: Customer documents may contain embedded PII beyond the service's intent; automated minimization may not capture all edge cases without customer configuration and oversight.
3.3 KD-POL-PRIV-25.3: Customer Content Ownership and Processing Role
Customers retain ownership of Customer Content uploaded to Docufy.ai. Unless expressly agreed in writing, Karbon Digital acts as a service provider or processor for Customer Content and will process such content solely to provide and secure the service, meet legal obligations, and perform agreed support activities.
3.3 KD-PRIV-AI-25.3 Action: Ensure customer contracts and Terms & Conditions define roles (controller/processor), permitted processing, and customer instructions.
3.3 KD-PRIV-AI-25.3 Dependencies & Limitations: Role allocation may change by use case (Example: direct-to-consumer vs enterprise). Some jurisdictions impose mandatory controller obligations regardless of contract wording.
3.4 KD-POL-PRIV-25.4: Sensitive Data and High-Risk Processing Controls
Processing of sensitive data, including financial account data, government identifiers, health information, biometric data, precise geolocation, or special category data, is prohibited by default unless explicitly enabled by contract, supported by documented safeguards, and approved through a risk assessment.
3.4 KD-PRIV-AI-25.4 Action: Maintain a Sensitive Data Intake Procedure requiring (1) customer authorization, (2) technical safeguards, (3) legal review, and (4) documented risk acceptance before enabling sensitive data workflows.
3.4 KD-PRIV-AI-25.4 Dependencies & Limitations: Automatic detection of sensitive data is probabilistic. Customers remain responsible for ensuring they have the authority to upload and process documents containing sensitive data.
3.5 KD-POL-PRIV-25.5: Encryption and Key Management for PII (Including Unencrypted Source Documents)
Docufy.ai shall protect Customer Content by using encryption in transit (TLS) and at rest for supported storage systems. When customers upload documents containing PII that are not encrypted prior to upload, Docufy.ai will still apply encryption at rest and access controls once the documents are received. Where available, customer-managed keys (CMK/BYOK) or client-side encryption options shall be offered for higher assurance requirements.
3.5 KD-PRIV-AI-25.5 Action: Enforce TLS for all external interfaces; encrypt persistent storage; protect secrets via centralized secret management; restrict and audit key access; and document supported encryption options by deployment model.
3.5 KD-PRIV-AI-25.5 Dependencies & Limitations: Customer-controlled encryption prior to upload may be required for certain sectors. Product features such as search, preview, Optical Character Recognition (OCR), and Generative AI integration may not be compatible with certain client-side encryption schemes without additional architecture, because the service cannot index, render, or extract text from content it cannot decrypt.
3.6 KD-POL-PRIV-25.6: Access Controls, Least Privilege, and Segregation of Duties
Access to Customer Content, derived outputs, and operational data shall be controlled using least privilege, strong authentication (Multi-factor Authentication (MFA) for privileged accounts), role-based access control (RBAC), and segregation of duties for administrative actions. Production access must be time-bound, logged, and approved.
3.6 KD-PRIV-AI-25.6 Action: Implement RBAC, Single Sign-On (SSO) options, MFA, privileged access workflows (Just-in-Time (JIT) access and Just-Enough-Administration (JEA)), and quarterly access reviews for staff and subcontractors.
3.6 KD-PRIV-AI-25.6 Dependencies & Limitations: Access control strength depends on customer identity provider integration and customer administrative hygiene for their own user base.
3.7 KD-POL-PRIV-25.7: Logging, Monitoring, and Auditability
Docufy.ai shall maintain security and operational logs sufficient to support incident response, forensic investigation, and compliance reporting. Logs must be protected from tampering and access to logs must be restricted. Customer-facing audit reports may be provided under contract.
3.7 KD-PRIV-AI-25.7 Action: Centralize logs; implement integrity controls and retention policies; enable customer export where feasible; and monitor for anomalous access to PII-bearing content.
3.7 KD-PRIV-AI-25.7 Dependencies & Limitations: Excessive logging can increase privacy risk; log design must balance observability with minimization by excluding content payloads unless necessary for security.
3.8 KD-POL-PRIV-25.8: Cross-Border Transfers and International Processing
When Customer Content or personal data is processed across borders, Karbon Digital shall use appropriate transfer safeguards, including contractual clauses, adequacy mechanisms, and vendor controls, and shall disclose processing locations as required. Data residency options may be offered by plan or deployment model.
3.8 KD-PRIV-AI-25.8 Action: Maintain a data location matrix by environment, implement subprocessor due diligence, and include transfer safeguards and notice obligations in customer agreements.
3.8 KD-PRIV-AI-25.8 Dependencies & Limitations: Transfer rules evolve. Some customers may require single-jurisdiction processing and dedicated tenancy.
3.9 KD-POL-PRIV-25.9: Subprocessors and Third-Party AI Services
Docufy.ai may rely on subprocessors (cloud providers, observability vendors, model providers) to deliver the service. Subprocessors must be contractually bound to confidentiality, security controls, and privacy obligations consistent with this policy. Customer Content shall not be used to train general-purpose models unless explicitly authorized in writing by the customer and the relevant feature is configured to operate in opt-in mode.
3.9 KD-PRIV-AI-25.9 Action: Maintain a subprocessor register, perform risk-based due diligence, enforce data processing agreements, and provide customer notice mechanisms where required.
3.9 KD-PRIV-AI-25.9 Dependencies & Limitations: Certain Artificial Intelligence (AI) features may require sending content to third-party model endpoints; availability varies by region and customer configuration.
3.10 KD-POL-PRIV-25.10: Data Quality, Human Review, and Model Output Governance
Docufy.ai outputs are decision-support artifacts and may contain errors. For regulated workflows, Karbon Digital requires customers to implement human review and validation before relying on outputs for legal, compliance, financial, or personnel decisions. Docufy.ai will provide provenance, confidence indicators, and audit trails where feasible.
3.10 KD-PRIV-AI-25.10 Action: Provide User Interface (UI), Application Programming Interface (API), Agentic AI, and Model Context Protocol (MCP) features for reviewer workflows, approvals, and evidence links; document limitations; and prohibit use of outputs as the sole basis for high-impact decisions.
3.10 KD-PRIV-AI-25.10 Dependencies & Limitations: The platform cannot guarantee the correctness of extracted facts or interpretations. Customers control final decisions and must calibrate thresholds and review policies.
3.11 KD-POL-PRIV-25.11: Retention, Deletion, and Customer-Controlled Lifecycle
Customer Content shall be retained only as long as necessary to provide the service, support contractual obligations, resolve disputes, and comply with legal requirements. Docufy.ai shall support configurable retention where feasible and provide deletion mechanisms consistent with customer instructions and legal holds.
3.11 KD-PRIV-AI-25.11 Action: Implement retention configurations, deletion workflows, lifecycle controls for backups, and secure disposal for storage media and cryptographic material.
3.11 KD-PRIV-AI-25.11 Dependencies & Limitations: Backups may remain available for a limited time. Certain logs may be retained for security purposes and may not be immediately erasable without affecting integrity.
3.12 KD-POL-PRIV-25.12: Incident Response and Breach Notification
Karbon Digital shall maintain an incident response program that includes detection, containment, eradication, recovery, and post-incident review. Where required by law or contract, Karbon Digital will notify customers without undue delay after confirming a personal data breach affecting Customer Content.
3.12 KD-PRIV-AI-25.12 Action: Maintain an incident response playbook, 24x7 on-call escalation procedures, a breach assessment checklist, and customer notification templates.
3.12 KD-PRIV-AI-25.12 Dependencies & Limitations: Notification timelines depend on the completeness of the investigation and jurisdictional thresholds. Customer cooperation may be required to validate impacted records.
3.13 KD-POL-PRIV-25.13: Data Subject Rights and Request Handling
Where Karbon Digital receives a verified request from an individual regarding access, deletion, correction, portability, or objection, Karbon Digital will respond in accordance with applicable law and contractual role (processor instructions vs controller obligations).
3.13 KD-PRIV-AI-25.13 Action: Maintain a Data Subject Access Request (DSAR) workflow, identity verification standards, and internal SLAs; route requests to the appropriate customer when Karbon Digital is acting as a processor.
3.13 KD-PRIV-AI-25.13 Dependencies & Limitations: Some requests must be fulfilled by the customer (controller). Identity verification requirements vary by jurisdiction.
3.14 KD-POL-PRIV-25.14: Privacy by Design, Assessments, and Change Management
All material changes to data processing (new data types, new model providers, new regions, new analytics) require privacy and security review prior to release. High-risk processing requires a documented Privacy Impact Assessment/Data Protection Impact Assessment (PIA/DPIA) and a mitigation plan.
3.14 KD-PRIV-AI-25.14 Action: Embed privacy gates into Software Development Life Cycle (SDLC), threat modeling, vendor assessment, and release management.
3.14 KD-PRIV-AI-25.14 Dependencies & Limitations: Rapid iteration may increase change volume; tooling and governance must keep pace to avoid control drift.