Replenit

AI and Machine Learning Data Usage Policy

Last Updated: 14.03.2026

Definitions

  • Artificial Intelligence (AI): Systems that can perform tasks that typically require human intelligence, including learning, reasoning, and pattern recognition.
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: The entity that processes personal data on behalf of a data controller.
  • Data Subject: An identified or identifiable natural person whose personal data is being processed.
  • Machine Learning (ML): A subset of AI that enables systems to automatically learn and improve from experience without being explicitly programmed.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Privacy-by-Design: An approach that embeds privacy considerations into the design and operation of systems, processes, and technologies from the outset.

1.1 Purpose

This policy establishes comprehensive governance for the use of data in AI and Machine Learning (ML) model training and fine-tuning at Replenit. The policy ensures that all data usage for AI/ML purposes complies with applicable privacy laws (including GDPR, CCPA), contractual obligations, and ethical standards while implementing privacy-by-design principles throughout the AI/ML lifecycle.

1.2 Scope

This policy applies to all AI and ML activities conducted by or on behalf of Replenit, including:

  1. Data collection, processing, and preparation for AI/ML model training
  2. Model training and fine-tuning activities
  3. Third-party AI/ML services and vendor relationships
  4. Pre-trained model implementation and deployment
  5. All employees, contractors, vendors, and third parties handling data for AI/ML purposes

2. Data Processor Role and Customer Responsibilities

2.1 Replenit as Data Processor

Replenit operates as a Data Processor when handling customer data for AI/ML purposes. In this capacity, Replenit processes personal data solely on behalf of customers (Data Controllers) and in accordance with their instructions. Customers retain full control and responsibility for:

  1. Determining the legal basis for data processing
  2. Obtaining necessary consents from data subjects
  3. Ensuring compliance with applicable privacy laws in their jurisdiction
  4. Providing lawful instructions for data processing activities

2.2 Service Model

Replenit’s service architecture utilizes pre-trained models that do not require customer-specific training to begin providing service. This approach:

  1. Minimizes data exposure and processing requirements
  2. Reduces privacy risks by avoiding unnecessary customer data training
  3. Enables immediate service delivery without extensive data preparation
  4. Maintains clear separation between service delivery and any optional model enhancement activities

3. Data Usage Authorization Framework

3.1 Rights and Lawful Basis Verification Procedure

Before any data may be approved for AI/ML model training or fine-tuning, the following verification procedure must be completed:

Step 1: Legal Basis Assessment

  1. Identify the specific legal basis for processing under applicable law (GDPR Article 6, CCPA, etc.)
  2. Document the lawful basis and ensure it supports the intended AI/ML processing activities
  3. Obtain explicit consent where required by law or contract

Step 2: Rights Verification

  1. Confirm Replenit has lawful authority to process the data for AI/ML purposes
  2. Verify customer authorization through executed contracts or data processing agreements
  3. Ensure data subject rights can be honored throughout the AI/ML lifecycle

Step 3: Contractual Review

  1. Review all relevant customer agreements and data processing addendums
  2. Confirm AI/ML usage is within scope of contractual permissions
  3. Document any restrictions or limitations on data usage

3.2 Source Identification and Validation

All data proposed for AI/ML training must undergo source identification and validation:

Source Documentation Requirements:

  1. Complete data lineage documentation from original collection point
  2. Identification of data controller and any prior processors
  3. Chain of custody documentation for data transfers
  4. Verification of data collection methods and consent mechanisms

Validation Criteria:

  1. Data was lawfully collected with appropriate notices and consents
  2. Processing purposes align with original collection purposes
  3. Data quality and integrity meet AI/ML training standards
  4. No evidence of unauthorized acquisition or processing

3.3 Customer Instructions and Legal Compliance Checks

Consistency with Customer Instructions:

  1. Review all customer data processing instructions and limitations
  2. Ensure AI/ML usage aligns with stated customer purposes
  3. Document any conflicts between proposed usage and customer instructions
  4. Obtain customer clarification or approval for any expanded usage

Legal Compliance Verification:

  1. GDPR compliance assessment including lawfulness, fairness, and transparency
  2. CCPA compliance review including notice, consent, and purpose limitations
  3. Jurisdiction-specific privacy law compliance (Colorado Privacy Act, Virginia CDPA, etc.)
  4. Sector-specific regulatory requirements (HIPAA, GLBA, etc.)
  5. International data transfer compliance (adequacy decisions, Standard Contractual Clauses)

4. Data Sensitivity and Transfer Assessment

4.1 Data Classification and Sensitivity Review

All data must be classified according to Replenit’s Data Management Policy before AI/ML usage approval:

Confidential Data Requirements:

  1. Enhanced security controls throughout AI/ML pipeline
  2. Encrypted storage and transmission
  3. Access limited to authorized personnel with business need
  4. Special handling procedures for PII and sensitive personal data

Restricted Data Requirements:

  1. Standard security controls with documented access management
  2. Need-to-know access principles
  3. Management approval for external sharing or processing

Public Data Requirements:

  1. Standard handling procedures
  2. No additional restrictions on AI/ML usage

4.2 Cross-Border Transfer Assessment

For any international data transfers in AI/ML processing:

  1. Assess adequacy of destination country privacy protections
  2. Implement appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules)
  3. Document transfer mechanisms and legal basis
  4. Ensure data subject rights remain enforceable

5. Privacy-by-Design Implementation

Replenit implements privacy-by-design principles throughout the AI/ML data lifecycle:

5.1 Proactive Prevention

  1. Risk assessment before any data processing begins
  2. Privacy impact assessments for new AI/ML initiatives
  3. Preventive controls rather than reactive measures

5.2 Privacy as Default

  1. Minimal data processing by default
  2. Automatic privacy protections without user action required
  3. Opt-in rather than opt-out for expanded data usage

5.3 Privacy Embedded in Design

  1. Technical and organizational measures integrated into AI/ML systems
  2. Privacy considerations in all development decisions
  3. Regular privacy reviews throughout system lifecycle

5.4 Full Functionality and Lifecycle Protection

  1. Privacy protections that don’t compromise AI/ML system effectiveness
  2. End-to-end security throughout data and model lifecycle
  3. Comprehensive privacy safeguards from collection to disposal

5.5 Transparency and User-Centricity

  1. Clear documentation of AI/ML data processing activities
  2. Accessible privacy notices and consent mechanisms
  3. Individual control over personal data usage in AI/ML systems

6. Formal Approval Workflows

6.1 Standard Approval Process

All AI/ML data usage requests must follow this approval workflow:

Level 1: Technical Review

  1. Data science team conducts technical feasibility assessment
  2. IT security reviews data protection and security measures
  3. Legal team validates compliance with applicable laws and contracts

Level 2: Risk Assessment

  1. Privacy Officer conducts privacy impact assessment
  2. Security team performs risk assessment and mitigation planning
  3. Compliance team validates regulatory compliance

Level 3: Executive Approval

  1. Chief Privacy Officer (CPO) or designated Privacy Officer approval required
  2. Additional approvals based on data sensitivity:
    • Confidential data: CPO + VP of Engineering approval
    • High-risk processing: CPO + CEO approval
    • International transfers: CPO + Legal Counsel approval

6.2 Expedited Approval Process

For low-risk, pre-approved AI/ML activities:

  1. Pre-approved data sources and processing activities documented
  2. Expedited review by Privacy Officer or designated representative
  3. Standard approval requirements apply for any deviation from pre-approved parameters

6.3 Emergency Procedures

In urgent business situations:

  1. Interim approval may be granted by CPO or CEO
  2. Full approval process must be completed within 5 business days
  3. Enhanced monitoring and review required for emergency approvals

7. Data Processing Safeguards

7.1 Technical Safeguards

  1. Encryption of data at rest and in transit
  2. Access controls and authentication mechanisms
  3. Data masking and pseudonymization where appropriate
  4. Regular security assessments and vulnerability testing

7.2 Organizational Safeguards

  1. Staff training on AI/ML data handling requirements
  2. Regular audits and compliance monitoring
  3. Incident response procedures for data breaches
  4. Vendor management and third-party oversight

7.3 AI/ML Specific Controls

  1. Model versioning and data lineage tracking
  2. Bias detection and fairness assessments
  3. Explainability and transparency measures
  4. Regular model performance and accuracy reviews

8. Data Subject Rights and Response Procedures

8.1 Data Subject Rights Support

Replenit supports data subject rights exercise in AI/ML contexts:

  1. Right of access to personal data used in AI/ML processing
  2. Right to rectification of inaccurate data
  3. Right to erasure (right to be forgotten)
  4. Right to restrict processing
  5. Right to data portability
  6. Right to object to processing

8.2 Response Procedures

  1. Data subject requests forwarded to appropriate customer/data controller
  2. Replenit assistance provided for technical implementation of rights
  3. Documentation maintained of all data subject rights responses
  4. Response timeframes per applicable law (30 days GDPR, varies by jurisdiction)

9. Monitoring and Compliance

9.1 Ongoing Monitoring

  1. Regular audits of AI/ML data processing activities
  2. Automated monitoring of data access and usage patterns
  3. Privacy compliance dashboards and reporting
  4. Annual review of all approved AI/ML data usage

9.2 Documentation Requirements

  1. Comprehensive records of all data processing activities
  2. Audit trails for all approval decisions
  3. Data mapping and inventory maintenance
  4. Regular compliance reporting to executive leadership

10. Training and Awareness

10.1 Mandatory Training

All personnel involved in AI/ML data processing must complete:

  1. Privacy law and regulation training (annually)
  2. AI/ML ethics and responsible AI practices training
  3. Replenit-specific policy and procedure training
  4. Role-specific technical training as required

10.2 Awareness Programs

  1. Regular communications on privacy and AI/ML developments
  2. Best practices sharing and lessons learned sessions
  3. Industry trend monitoring and training updates
  4. Executive briefings on privacy and AI/ML risks

11. Incident Response and Breach Notification

11.1 AI/ML Specific Incident Response

In addition to standard incident response procedures:

  1. Immediate assessment of AI/ML model integrity and data exposure
  2. Notification of affected customers within 24 hours of discovery
  3. Regulatory notification per applicable breach notification laws
  4. Model quarantine and investigation procedures

11.2 Breach Assessment Criteria

Special consideration for AI/ML contexts:

  1. Potential for algorithmic discrimination or bias
  2. Model inversion or extraction attack risks
  3. Inference attacks on training data
  4. Unauthorized access to sensitive AI/ML outputs

12. Vendor and Third-Party Management

12.1 AI/ML Vendor Requirements

All third-party AI/ML service providers must:

  1. Execute comprehensive data processing agreements
  2. Demonstrate compliance with applicable privacy laws
  3. Provide transparency into data usage and model training practices
  4. Submit to regular audits and assessments
  5. Maintain appropriate security certifications (SOC 2, ISO 27001, etc.)

12.2 Ongoing Vendor Oversight

  1. Regular vendor risk assessments and reviews
  2. Monitoring of vendor AI/ML practices and updates
  3. Incident notification requirements and procedures
  4. Contract termination and data return procedures

13. Policy Governance and Updates

13.1 Policy Review

This policy will be reviewed:

  1. Annually by the Privacy Officer and Legal Counsel
  2. Following any significant regulatory changes
  3. After any material changes to AI/ML processing activities
  4. Following any privacy incidents or breaches

13.2 Policy Updates

  1. Updates require approval by CPO and Legal Counsel
  2. Material changes require executive leadership approval
  3. Staff notification and training on policy updates
  4. Documentation of all policy changes and rationale

14. Exceptions and Violations

14.1 Exception Process

Requests for policy exceptions must:

  1. Be submitted in writing to the Privacy Officer
  2. Include detailed justification and risk assessment
  3. Receive approval from CPO and appropriate executive leadership
  4. Be documented and monitored for compliance

14.2 Violations and Enforcement

  1. Suspected policy violations must be reported immediately
  2. Investigation procedures per incident response policy
  3. Disciplinary action up to and including termination
  4. Regulatory reporting where required