AI/LLM Use Policy

Version: 1.0
Valid until: 2025-03-26
Classification: Low

Version Management

Version | Author(s)                          | Change(s)           | Date approved
--------|------------------------------------|---------------------|--------------
1.0     | Stefan van Aalst, Edward Robinson  | Initiation document | 2024-03-26

Purpose & Background

anDREa B.V. (hereafter called anDREa) recognizes the potential of Artificial Intelligence (AI) and Large Language Models (LLMs) to improve efficiency, innovation, and decision-making across various business functions. This policy outlines the guidelines and principles for using AI/LLMs responsibly and ethically within the organisation. 

This policy will be regularly reviewed and updated to reflect the evolving nature of AI/LLM technology and regulatory landscape.

Objectives

The objective of this document is:
  1. to ensure that anDREa employees are aware of these guidelines and principles for using AI/LLMs responsibly and ethically within the organisation.

Scope 

  1. The use of AI/LLMs by anDREa employees in anDREa-related processes.

Support and Stimulation

anDREa actively supports and encourages its employees to explore and implement AI/LLM solutions to:
  1. Streamline processes: Automating repetitive tasks and improving operational efficiency.
  2. Enhance decision-making: Providing data-driven insights and supporting informed choices.
  3. Foster innovation: Identifying new opportunities and driving creative solutions.

Responsible Use

While promoting the use of AI/LLMs, anDREa BV prioritises responsible and ethical application, ensuring:
  1. Transparency: Users are aware of the capabilities and limitations of AI/LLMs.
  2. Fairness: AI/LLMs are used in a non-discriminatory manner, free from bias.
  3. Accountability: The organisation remains accountable for the actions and decisions influenced by AI/LLMs.
  4. Privacy: Personal data is only used by AI/LLMs specifically qualified for such purposes, adhering to ISO 27001 and GDPR requirements.

Personal Information Usage, Security & Compliance

  1. Restriction: AI/LLMs should not process personal data unless explicitly authorised and qualified to do so.
  2. Security Impact Assessments: The AI/LLM should undergo a Security Impact Assessment (SIA) to assess whether the solution adheres to this policy. Please contact the Security Officer to conduct an SIA on the AI/LLM. The Security Officer maintains a list of assessed solutions.
  3. Implementation: Security measures will be implemented to safeguard all data used by AI/LLMs, including personal information, aligned with the requirements of ISO 27001 Annex A: Control Objectives and Controls.
  4. Compliance: AI/LLMs will be used in accordance with applicable laws and regulations, including ISO 27001 and GDPR, specifically:
    1. GDPR Article 5: Principles relating to processing of personal data: https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e1807-1-1
    2. GDPR Article 6: Lawfulness of processing: https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e1888-1-1
    3. GDPR Article 24: Responsibility of the controller: https://eur-lex.europa.eu/eli/reg/2016/679/oj#d1e3043-1-1

Training and Awareness

anDREa will provide training and awareness programs to its employees to ensure they understand:
  1. The capabilities and limitations of AI/LLMs, including how to prompt.
  2. The responsible use of AI/LLMs as per this policy.
  3. The importance of data security and privacy when using AI/LLMs, as outlined in ISO 27001:2017 A.7.2.2: Information security awareness, education and training.

Contact

For any questions or concerns regarding this policy, please contact the Security Officer (security@andrea-cloud.com).