Privacy Policy

Privacy Policy

This Privacy Policy describes how data is processed within the AI agents platform provided to financial institutions for AML compliance operations.

1. Scope

This Privacy Policy governs the processing of data within the AI agents platform ("Product") provided to financial institutions for AML compliance operations. It applies to customer data processed by the Product and related support activities.

2. Data Classification

Customer Content

Data submitted by customers, which may include:

  • Transaction and account data
  • Customer and counterparty identifiers
  • Alerts, cases, investigations, and reports
  • Analyst notes, decisions, and supporting documentation

Operational Metadata

  • User access logs and authentication events
  • Audit logs and timestamps
  • System performance and error logs

3. Purpose Limitation

Customer data is processed solely to:

  • Perform AML alert investigation and analysis
  • Assist with case resolution and documentation
  • Generate investigation summaries and reports
  • Maintain system security, availability, and integrity
  • Comply with contractual, legal, and regulatory obligations

Customer data is not used for advertising, marketing, or unrelated analytics.

4. AI Processing Controls

  • AI agents process data only within customer-configured workflows
  • Outputs are intended to support, not replace, human compliance decisions
  • Customer data is not used to train generalized or third-party models without explicit written authorization
  • Model behavior is constrained to task-specific inference

5. Access Controls

  • Role-based access control (RBAC) and least-privilege principles
  • Administrative access restricted and logged
  • All access events are auditable

6. Subprocessors

  • Subprocessors are limited to vetted infrastructure and service providers
  • All subprocessors are contractually bound by confidentiality and security obligations
  • Subprocessor list available upon request

7. Data Retention and Deletion

  • Data retention follows contractual terms
  • Customer may request deletion or return of data, subject to legal/regulatory retention requirements
  • Backups retained for limited disaster recovery periods

8. Security Safeguards

Controls aligned with SOC 2 Trust Services Criteria, including:

  • Encryption in transit and at rest
  • Network segmentation and access monitoring
  • Logging and alerting
  • Incident response and escalation procedures

9. Incident Response

  • Documented incident response plan
  • Timely customer notification of confirmed security incidents
  • Post-incident remediation and review

10. Regulatory Alignment

The Product is designed to support AML compliance workflows. Customers retain responsibility for regulatory determinations, reporting, and final decisions.

11. International Processing

Data may be processed in jurisdictions where approved infrastructure or subprocessors operate, subject to appropriate safeguards.

12. Updates

Material changes to this policy will be communicated in accordance with contractual terms.