1. Purpose

The purpose of these Terms of Use is to enable the responsible use of Generative AI technologies while protecting the Company’s information, systems, clients, employees, and reputation. Generative AI can improve productivity, research, drafting, and ideation, but it also creates material risks relating to confidentiality, privacy, legal compliance, cybersecurity, accuracy, and bias.


2. Scope

These Terms of Use apply to any use of Generative AI, large language models, machine learning assistants, AI copilots, AI image tools, AI summarization tools, code generation tools, and similar services, whether browser-based, integrated into software, embedded into workflows, or accessed through APIs.


3. Approval Required Before Use

No employee, contractor, or other authorized user may use any Generative AI tool or service for Company business unless that tool has first been requested and approved by IT Management.

Only approved vendors and tools may be used for business purposes. Approved vendors have been vetted to confirm they meet Company requirements for privacy, security, legal, and data protection controls. 


Link: Approved Vendor List


Any employee who wishes to use a new AI tool must submit a request to IT Management for review and approval before use. Use of an unapproved AI vendor or service may result in disciplinary action, particularly where such use creates a risk of data leakage, privacy breach, contractual breach, or security incident.


4. Prohibition on Unapproved AI Use

The following activities are prohibited unless expressly approved in writing by IT Management:

  • Using any unapproved AI/ML/LLM or Generative AI service for Company business
  • Entering Company, client, tenant, employee, vendor, or confidential information into an unapproved AI tool
  • Connecting any AI tool to Company systems, applications, storage locations, email, documents, or data repositories
  • Using browser extensions, plugins, desktop tools, SaaS integrations, or APIs that invoke unapproved AI services
  • Using personal AI accounts, consumer-grade free tiers, or trial accounts to perform Company work
  • Circumventing technical restrictions, security controls, or licensing requirements related to AI use

5. No Access to Company Data or Systems Without Explicit Permission

Generative AI tools must not be granted access to Company data, Company systems, customer information, employee information, financial information, operational records, leases, contracts, maintenance records, email, internal documents, or any other business information unless explicit prior approval is granted by Management.


Where AI access is exceptionally approved, only the minimum data required for the approved purpose may be used. The data must be structured, minimized, and sanitized so that, if disclosed, intercepted, or retained by a third party, the disclosure would not reasonably cause harm to the Company, its customers, tenants, employees, contractors, vendors, or other stakeholders.

Under no circumstances may users submit the following into any AI tool unless expressly authorized and technically protected through an approved arrangement:

  • Confidential or proprietary business information
  • Client, tenant, employee, or applicant personal information
  • Financial, payroll, banking, or tax information
  • Legal advice, privileged documents, or litigation materials
  • Security configurations, credentials, keys, or system architecture details
  • Lease data, payment histories, complaint records, or incident records
  • Any information classified by the Company as confidential, restricted, or sensitive


6. Data and System Security Requirements

If a Generative AI solution is approved to process Company data, the following controls are mandatory before use:

  1. The dataset must be reviewed by the business owner and IT.
  2. The dataset must be minimized and anonymized or pseudonymized where possible.
  3. A security and privacy review must be completed before implementation.
  4. A documented Privacy Impact Assessment must be completed where required by law, regulation, contract, or Company policy, including GDPR-related assessment requirements where applicable.
  5. The AI use case must be classified according to Company data classification and risk management standards.
  6. The use of the AI application, including approved purpose, dataset, owner, and retention requirements, must be logged centrally.
  7. Access must be limited to authorized users on a least-privilege basis.
  8. Output handling, retention, and deletion requirements must be defined in advance.
  9. IT Management may require additional controls including legal review, vendor due diligence, contract review, security testing, audit logging, or data processing terms.


7. Human Oversight and Accountability

All AI-generated outputs must be reviewed by a responsible employee before being relied upon, actioned, published, shared, or incorporated into business decisions, documents, reports, code, communications, or customer-facing materials. Employees remain fully accountable for the accuracy, appropriateness, legality, and quality of any work product that includes or is informed by AI output. AI may assist with drafting or analysis, but it must not replace human judgment.


At a minimum, the reviewer must confirm:

  • factual accuracy
  • completeness
  • absence of bias or discriminatory content
  • compliance with Company policies
  • appropriateness for the intended audience
  • no inclusion of confidential or sensitive information
  • that the output does not create legal, regulatory, reputational, or operational risk


8. Transparency and Disclosure

Where AI-generated content is used internally or externally, the responsible employee must ensure appropriate transparency.

All AI-generated content, or content materially assisted by AI, must include a disclaimer stating that all or part of the content was generated with the assistance of AI, unless IT Management, Legal, or Communications has approved an exception for a specific internal use case.


Sample disclaimer:
“This document includes content generated with the assistance of artificial intelligence and has been reviewed by [Company/Employee Name] prior to use.”

For external or client-facing use, additional approval requirements may apply.


9. Ethical Use

Generative AI must be used in a manner consistent with the Company’s ethical standards and professional responsibilities.

Users must not use AI to:

  • mislead, deceive, or impersonate others
  • discriminate against individuals or groups
  • invade privacy
  • produce harmful, offensive, harassing, or defamatory content
  • create false records or misleading business communications
  • generate content that violates intellectual property, contractual, or legal obligations
  • make significant decisions about individuals without proper human review and lawful authority

AI use must respect privacy, fairness, accountability, transparency, and the interests of clients, tenants, employees, and the public.


10. Compliance With Laws, Regulations, and Internal Policy

All AI use must comply with applicable laws, regulations, contractual obligations, and internal Company policies, including those related to privacy, data protection, records retention, cybersecurity, confidentiality, acceptable use, intellectual property, and vendor management.


Approval to use an AI tool does not remove or reduce any employee’s obligations under Company policy or applicable law.


11. Monitoring, Logging, and Audit

The Company may monitor, log, review, restrict, suspend, or revoke access to AI tools and related usage where necessary to protect Company interests, investigate misuse, maintain compliance, or respond to security or privacy concerns.


Approved AI use cases may be subject to audit at any time.


12. Incident Reporting

Any suspected or actual:

  • unauthorized AI use
  • submission of sensitive information into an AI tool
  • data leakage
  • inaccurate or harmful AI output
  • privacy breach
  • security event
  • contractual non-compliance

must be reported immediately to IT Management and, where applicable, the Privacy Officer or Legal.