Responsible AI Usage Policy
1. Introduction
Surediligence uses artificial intelligence tools to support the delivery of technology advisory and compliance services. This policy explains what AI tools we use, how we use them, what data we put into them, and what we never do with them.
We believe in full transparency about AI use — particularly because we advise law firms on exactly these questions.
2. How We Use AI
AI tools at Surediligence are used strictly as research and productivity aids. Specific uses include:
- Regulatory research and monitoring (GDPR, EU AI Act, local regulations)
- Drafting and editing reports, proposals, and documentation
- Summarising publicly available vendor documentation and legal texts
- Market and vendor landscape research
- Internal methodology and framework development
AI tools are never used as a substitute for professional judgment. Every output produced with AI assistance is reviewed, verified, and approved by a qualified human expert before delivery to a client.
3. Human Oversight
All client-facing work — assessments, recommendations, reports, and advice — is produced under the direct oversight of a qualified technology and compliance professional. AI-generated content is treated as a draft or research input, not a final output.
Where AI tools contribute materially to a deliverable, this is disclosed to the client on request.
4. What We Never Input Into AI Tools
The following categories of information are never entered into any AI system, including cloud-based AI tools, unless that system has been assessed, has a valid Data Processing Agreement in place, and processes data exclusively within the EU:
- Client names, contact details, or identifying information
- Confidential client documents, contracts, or communications
- Vendor documents received under NDA or marked confidential
- Personal data of any individual
All AI-assisted research and drafting at Surediligence uses only publicly available information, anonymised or generic scenarios, and internally developed frameworks.
5. AI Tools in Use
Surediligence currently uses the following AI tools in its operations:
| Tool | Purpose | Data processed | DPA in place |
|---|---|---|---|
| Perplexity AI Enterprise | Regulatory research, drafting | No client data | Yes |
| Microsoft 365 Copilot | Document drafting, editing | No client data | Yes |
This list is reviewed quarterly. We will update this policy when tools are added or changed.
6. Data Protection
The use of AI tools at Surediligence complies with the General Data Protection Regulation (GDPR) and applicable Dutch data protection law. Specifically:
- We maintain a Data Processing Agreement with each AI tool provider used
- We configure AI tools to use EU-based data processing where available
- We do not permit AI providers to train their models on content we submit
- We apply data minimisation — if a task can be done without inputting personal data, it is done without it
For further information on how we handle personal data generally, see our Privacy Policy.
7. EU AI Act Compliance
Surediligence operates as a deployer of AI systems under the EU AI Act (Regulation 2024/1689). We classify the AI tools we use according to the Act's risk categories and apply governance appropriate to each classification.
We do not deploy AI systems that:
- Make automated decisions with legal or similarly significant effects on individuals
- Process biometric, sensitive, or special category data
- Operate without meaningful human oversight
We maintain an internal register of AI tools in use, including their risk classification, purpose, and applicable controls.
8. Independence and Vendor Neutrality
Our use of AI tools does not compromise our independence. We have no commercial relationship with any AI tool provider beyond a standard subscription. No AI vendor influences our assessments, recommendations, or research conclusions.
When assessing AI tools used by our clients, we apply the same standards to ourselves that we apply to them.
9. Disclosure to Clients
We are transparent about AI use in our work. Clients may request at any time:
- Confirmation of whether AI tools were used in their engagement
- Which tools were used and for what purpose
- What information was processed and how
Such requests will be answered within five (5) working days.
10. Policy Review
This policy is reviewed at least every six months, and immediately after any of the following:
- Addition of a new AI tool to our operations
- A material change in EU AI Act or GDPR requirements
- A change in the data processing practices of any tool currently in use
11. Contact
Questions about this policy can be directed to:
Surediligence
Email: info@surediligence.com
Website: www.surediligence.com