Skip to main content

Trust Center / AI Governance

AI governance

How we run AI on customer documents. Which models, under what constraints, with which controls, and how we are aligning toward ISO 42001.

Principles

Four commitments that govern every model call we make.

Accuracy

Every claim in a Co-Pilot memo is traced to a specific page in a source document. Un-cited claims are dropped before the memo reaches the analyst.

Transparency

Models, embeddings, and providers are named on this page. Customers can see exactly what runs against their documents and where.

Traceability

Every AI action is written to a hash-chained, tamper-evident audit log with a 7-year retention window.

Human oversight

Co-Pilot output is a first pass. Every memo is human-reviewable, editable inline, and exportable. Customers can disable AI features per-org.

Model governance

Every model that touches customer data is named below, with its purpose and the rationale for selection.

Anthropic Claude Sonnet 4.6

Co-Pilot default model — orchestration, risk analysis, and memo drafting (MemoAgent)

Selected for instruction-following accuracy on long financial documents and Anthropic’s published safety research. Claude’s commercial API terms exclude submitted content from model training.

Anthropic Claude Opus 4.7

Precision model — extraction and citation verification (ExtractAgent + CitationAgent only)

Used where factual precision is highest-stakes: KPI extraction and citation grounding. Upgraded reasoning capability reduces extraction errors on dense financial tables. Anthropic’s commercial API terms exclude submitted content from model training.

Voyage AI voyage-3-large

Embeddings for precedent search across the customer’s prior deals

Chosen for retrieval accuracy on long-form financial text. Voyage AI’s commercial terms exclude submitted content from model training.

Update cadence

Production model versions are pinned. Upgrades follow a documented evaluation against the prior version on a held-out memo benchmark. Material model changes are noted in the public changelog and communicated to Enterprise customers in advance.

Anti-hallucination measures

What stops the model from inventing numbers, mis-citing pages, or crossing barriers.

CitationAgent

Before any memo claim reaches an analyst, CitationAgent verifies that the claim is anchored to a specific page in a source document. Un-cited claims are removed.

Audit chain

Every AI action — model call, schema choice, retrieval, draft, edit — is written to a hash-chained audit log (migration 085). Each entry is signed against the previous entry’s hash. Tampering is detectable.

Barrier-aware retrieval

Precedent search respects ethical-wall configuration at the database layer. A deal team on one barrier never retrieves a precedent from a barrier they cannot see.

Schema discipline

Co-Pilot uses typed schemas (PE, VC, Credit, M&A) so output structure is bounded. When the schema produces an empty section, we surface the empty section instead of inventing content.

Customer data handling

  • Customer documents are not used to train any AI model, by us or by our providers
  • Embeddings are stored only in the customer’s tenant (migration 101) under RLS-enforced isolation
  • Model providers receive content over TLS 1.3 and process it under their no-train commercial terms
  • Customers can delete documents, analyses, or the entire workspace from the dashboard — embeddings are removed in the same operation
  • No third-party data sharing, advertising pixels, or model-vendor fine-tuning

See the sub-processor list for every vendor in the data path.

Bias and fairness measures

  • Precedent search is constrained to the customer’s own historical deals, not the public web. The fund’s judgement, not aggregate internet content, drives retrieval.
  • Ethical-wall enforcement at retrieval time prevents cross-barrier pollution that would distort precedent matching.
  • Schema-bounded output prevents the model from inferring sensitive characteristics outside the requested fields.

Human oversight

  • Every Co-Pilot run is human-reviewable. Memos open in an editable surface with linked citations next to every number.
  • Run history is auditable from /copilot and /admin/audit. Admins can replay, retry with a different schema, or delete any run.
  • Customers can disable AI features per-org from /settings without affecting non-AI document workflows.
  • A retry-memo button is available on every run to re-execute with an alternative schema or template if the initial draft is unsatisfactory.

Incident response for AI errors

  • In-product flag on every run: report a hallucination or sourcing error to the security team
  • Confirmed model errors trigger a rollback to the prior production model version where applicable
  • Customers can retry any memo run with a different schema or template at no additional cost on Fund and Enterprise
  • Aggregate error reports inform our model selection and prompt versioning each quarter

Path to ISO 42001 alignment

What is already in place and what the formal programme will close. ISO 42001 certification is planned; scoping follows our ISO 27001 programme.

In place today

  • AI risk register maintained for each production model
  • Documented purpose-of-use for every model in the system
  • Tamper-evident audit trail of AI actions
  • No-train commitments from all model providers
  • Per-org AI feature toggle for customer control
  • Human-in-the-loop review surface

Gaps still being closed

  • Formal third-party assessment against ISO 42001 controls
  • Documented impact assessments for each new model
  • Public model card for the Co-Pilot system as a composite product
  • External AI governance committee or advisory board

Questions about how we govern AI?

Email security@dataroomsnap.com with the subject line “AI Governance”.

Back to Trust Center