Contract effective date: September 18, 2024. Runtime consent, request, security, audit, and deployment timestamps remain factual records.
AI Governance Policy for Web and Mobile Apps
Scope
This policy applies to AI, machine learning, generative AI, automated decision systems, recommendation systems, classifiers, chatbots, agents, retrieval augmented generation, personalization engines and analytics models used in web apps, mobile apps, APIs and developer tools.
Risk classification
Before launch, every AI system must be classified by:
- user group, including children, patients, employees, applicants, students, consumers and vulnerable users;
- output impact, including health, legal, financial, employment, education, insurance, housing, credit, essential services and safety;
- model type, including generative, biometric, emotion inference, identity verification, clinical, cybersecurity, safety-critical, recommender or low-risk productivity;
- jurisdiction, including EU/EEA AI Act exposure and country-specific AI rules;
- data inputs and training/fine-tuning sources;
- whether outputs are used for automated decisionmaking, profiling or high-impact decisions.
Required controls
- Maintain an AI system register and model/vendor register.
- Complete an AI impact assessment before production use.
- Document model purpose, limits, evaluation results, bias tests, red-team tests, safety mitigations and human oversight.
- Prevent prohibited, illegal, deceptive, discriminatory, exploitative, unsafe, self-harm, CSAM, extremist, hateful, violent, medical misinformation and privacy-invasive outputs.
- Provide in-app reporting for AI-generated content when the app permits user-facing generated content.
- Disclose AI use when users may reasonably believe they are interacting with a person or when generated content could mislead.
- Keep logs sufficient for audit without overcollecting sensitive data.
- Do not use user content for model training unless disclosed, legally justified and configurable where required.
- Provide human review and appeal for consequential decisions.
Third-party AI providers
Third-party AI providers must pass privacy, security, retention, training-use, data residency, subprocessors, abuse reporting, deletion, incident notice, confidentiality and IP review. User data must not be routed to a provider until vendor risk is approved and app-store disclosures are updated.
AI release blockers
Release is blocked when: data flows are unknown; privacy labels are inconsistent; high-risk use lacks human oversight; safety evaluation is missing; children/health/financial/employment use lacks counsel review; generated-content reporting is absent where required; or the product makes unsupported claims.