How we use AI responsibly
AI powers our platform, but your data stays yours. Here's exactly how we use it, which models we employ, and our "burn after reading" approach.
Our AI principles
The commitments that guide every AI feature we build.
Burn after reading
When you use AI features, your data is sent to the model, processed, and immediately discarded. No logs. No storage. No training. Every request is ephemeral.
Your data, never training data
We have explicit agreements with all AI providers that prohibit using customer data for model training. Your compliance documents won't end up teaching AI—ever.
Transparency by default
We tell you exactly which AI model processes each request. You can see what data is sent and understand how results are generated.
Human oversight required
AI generates suggestions, not decisions. Every policy, every questionnaire response, every recommendation requires human review before use.
AI models we use
Complete transparency about which models power which features.
Claude (Anthropic)
Claude 3.5 Sonnet
Policy generation, questionnaire responses, gap analysis recommendations
Zero retention. Data processed in isolated sessions, immediately discarded after response generation.
GPT-4
GPT-4 Turbo
Document analysis, evidence extraction, control mapping suggestions
Zero retention via API. Enterprise agreement prohibits training on customer data.
Embeddings
text-embedding-3-large
Semantic search across policies and evidence, similar document matching
Embeddings stored for search functionality. Source text not retained by provider.
AI in action
How AI assists each feature—and where humans stay in control.
What we never do
- Train AI models on your data
- Share your data with other customers
- Store prompts or responses beyond your session
- Make compliance decisions without human approval
- Use AI for access control or authentication decisions
- Process data in jurisdictions without your consent
What we always do
- Use AI to accelerate manual compliance work
- Maintain audit trails of AI-assisted actions
- Allow you to disable AI features entirely
- Provide non-AI alternatives for all core features
- Regularly audit AI outputs for accuracy and bias
- Update you when we change AI providers or models
Data flow architecture
How your data moves through AI processing
You initiate
You click "Generate Policy" or a similar AI-powered action
We prepare
Relevant context is assembled (your profile, framework requirements)
AI processes
Request sent via API, processed in isolated session
Data discarded
AI provider discards input immediately after response
You review
Output returned for your review and approval
Want to use vCISO Lite without AI?
All core functionality works without AI features. You can disable AI-powered suggestions in your account settings and use traditional templates and manual workflows instead. Contact support if you need help configuring a non-AI setup.
Questions about our AI practices?
We're happy to discuss our AI implementation, data handling, or provide additional documentation for your security review.