AI Policy
Last Updated: 11.07.2026
Policy for the Responsible Use of Artificial Intelligence
1. Introduction and purpose
PrivacyRise uses artificial intelligence (AI) tools to support its consulting activities in the areas of cybersecurity, privacy, artificial intelligence, data governance and accessibility. This AI Policy describes, in clear, simple and comprehensive language, which AI systems we use, for what purposes, with what safeguards and with what risk mitigation measures. The document has been drafted in accordance with Regulation (EU) 2024/1689 (the “AI Act”) and Regulation (EU) 2016/679 (the “GDPR”), and draws on the requirements of ISO/IEC 42001:2023 for Artificial Intelligence Management Systems (AIMS).
The publication of this policy is intended to provide clients and other stakeholders with clear, simple and comprehensive information about the artificial intelligence systems used by PrivacyRise, in order to preserve transparency and the relationship of trust between PrivacyRise and its clients.
2. Scope and PrivacyRise’s role
This policy applies to all PrivacyRise personnel, contractors and consultants who use AI tools on behalf of the organisation, as well as to all tools listed in the register referred to in Section 9. Pursuant to Article 3(4) of the AI Act, PrivacyRise operates exclusively as a deployer (user) of AI systems provided by third parties: it does not develop, place on the market or put into service AI systems under its own name or trademark and is therefore not subject to the obligations applicable to providers.
AI is used at PrivacyRise exclusively for activities that are ancillary to and supportive of professional services, while the intellectual work forming the subject matter of those services remains predominant: every deliverable provided to clients is the result of the professional judgement, verification and responsibility of our consultants.
3. Applicable regulatory framework
This policy implements and refers, in particular, to: Regulation (EU) 2024/1689 (AI Act), with specific reference to Article 4 (AI literacy), Article 5 (prohibited practices), Annex III (high-risk systems) and Article 50 (transparency obligations for providers and deployers); the GDPR and Italian Legislative Decree No. 196/2003 concerning the processing of personal data; ISO/IEC 42001:2023 as a voluntary management-system reference; the NIST AI Risk Management Framework and the OECD AI Principles as complementary risk management frameworks.
4. General principles
In line with the human-centric approach of the AI Act, PrivacyRise adopts the following binding principles: human-centricity and human oversight (every AI output is reviewed, validated and approved by a competent person before producing effects for clients or third parties); transparency (we disclose our use of AI to clients and the public in accordance with this policy); proportionality and minimisation (we use AI only where it provides a genuine benefit and limit the data submitted to what is strictly necessary); security and confidentiality (cybersecurity is ensured throughout the lifecycle of the systems used); non-discrimination and accuracy; accountability (responsibility for content and decisions always remains with PrivacyRise and is never delegated to an AI system).
5. Risk classification of AI uses
PrivacyRise has mapped its use cases against the AI Act risk pyramid. The use of systems or functionalities involving any of the prohibited practices listed in Article 5 of the AI Act is not permitted under any circumstances, including subliminal manipulation, social scoring, emotion recognition in the workplace and untargeted scraping of facial images. PrivacyRise also does not use AI systems for any of the high-risk purposes listed in Annex III. In particular, the use of AI for the recruitment, selection, assessment, monitoring of, or any decision concerning, candidates, employees or contractors, as well as for assessing the trustworthiness of natural persons, is expressly prohibited.
All tools listed in Section 9 fall within the categories of limited risk (general-purpose AI systems intended to interact with people or generate content and subject to the transparency obligations under Article 50) or minimal risk (ancillary productivity features). An operational risk assessment is nevertheless carried out for each tool and documented in the same section, using a qualitative scale (Low / Medium / High) that considers: the nature of the data processed, the provider’s reuse of inputs, the expected accuracy of outputs, exposure to third parties and the maturity of the provider’s compliance framework.
6. Transparency towards clients and the public
In implementation of Article 50 of the AI Act, PrivacyRise applies the following rules. Texts published for the purpose of informing the public (articles, regulatory insights, newsletters) that have been prepared with the assistance of AI are always subject to human review and editorial control, with PrivacyRise retaining editorial responsibility, in accordance with the second subparagraph of Article 50(4) of the AI Act. Images and audiovisual content generated or substantially modified using AI are identified as such where this is not evident from the context. Where AI-based conversational assistants are used for external users, users are clearly informed that they are interacting with an AI system no later than at the time of the first interaction.
7. AI literacy and training
Pursuant to Article 4 of the AI Act, PrivacyRise ensures a sufficient level of AI literacy among its personnel and anyone using AI systems on its behalf, taking into account their technical knowledge, experience and the context of use. The internal training programme covers how generative models work and their limitations (hallucinations, bias, outdated information), data input rules, transparency obligations, critical review of outputs and incident reporting procedures. Training is provided during onboarding and updated periodically.
8. Governance, data and human oversight
PrivacyRise maintains a register of authorised AI tools (Section 9). The use of unregistered tools (“shadow AI”) is not permitted, and every new tool is subject to a prior assessment (including due diligence on the provider, security, data-use terms and transfers outside the EU) before adoption. The following rules apply when data is submitted to AI tools:
A) It is prohibited to enter clients’ or third parties’ personal data, information covered by confidentiality agreements, trade secrets or client documents into tools that do not provide appropriate contractual safeguards (a DPA pursuant to Article 28 GDPR and exclusion of input use for training purposes);
B) Special categories of personal data under Article 9 GDPR must never be submitted to generative AI systems;
C) Every relevant output is verified by a professional before use, with particular attention to legal and regulatory references, which are always checked against official sources (EUR-Lex, Normattiva). Any malfunction, harmful output or AI-related security incident is reported internally to the AI Officer, Lorenzo Ghini (lorenzo.ghini@privacyrise.pro), and handled in accordance with the company’s incident management procedure.
The use of AI in the workplace is managed in a safe, reliable and transparent manner, and personnel are informed about the tools adopted. Should automated decision-making or monitoring systems be introduced, the information notice required under Article 1-bis of Italian Legislative Decree No. 152/1997 would be provided.
9. Register of AI tools: description, risk assessment and mitigation measures
The public register below lists the tools used by PrivacyRise, together with a description of their integrated AI functionalities (as documented by the respective providers), the risk assessment and the mitigation strategy adopted. The register is reviewed at least annually and whenever a significant change occurs. PrivacyRise has a medium-to-low risk tolerance.
| Tool | Provider | Business use cases | AI Act classification | Residual risk |
|---|---|---|---|---|
| ChatGPT Business | OpenAI | Productivity, processes, quality control, marketing and sales | GPAI | limited risk (Article 50) | Low |
| Claude Pro | Anthropic | Productivity, processes, quality control, marketing and sales | GPAI | limited risk (Article 50) | Low |
| Canva | Canva Pty Ltd | White papers, ebooks, presentations, brochures, images | Generative features | limited risk | Low |
| Gemini | Charts from spreadsheets, text review, videos, AI note-taking | GPAI | limited risk (Article 50) | Medium / low | |
| WordPress 7.0 | WordPress.org (open source) | Website CMS | Optional AI infrastructure | minimal risk | Low |
| Google Workspace Business Standard | Document repository and Gemini integration | Integrated GPAI | limited risk | Low | |
| Brevo | Brevo (Sendinblue SAS) | CRM and contact management | Integrated AI features | limited risk | Medium / low |
| StreamYard | StreamYard (Bending Spoons) | Recorded or live streaming events | Ancillary AI features | minimal risk | Medium / low |
| LinkedIn (Microsoft) | Corporate marketing | Generative features | limited risk (Article 50) | Low |
9.1 ChatGPT Business (OpenAI)
AI functionalities and use cases. Conversational assistant based on general-purpose AI (GPAI) models, used to enhance productivity, improve processes, perform content quality control and support marketing and sales activities (drafting, summarisation, analysis and document review).
Provider security and compliance. OpenAI’s Trust Portal documents SOC 2 Type 2, ISO/IEC 27001:2022, 27017, 27018, 27701 and ISO/IEC 42001:2023 (AI management system) certifications, as well as CSA STAR, a bug bounty programme, a DPA and a list of subprocessors.
For business plans, customer data is not used to train models by default, and workspace administration controls are available.
Risk assessment. The main risks are inaccurate outputs (hallucinations, incorrect legal or regulatory references), improper disclosure of personal or confidential data, and reliance on a non-EU provider involving data transfers. The residual risk is Low, provided the adopted mitigation measures are in place.
Mitigation strategy. Exclusive use of the Business plan with a signed DPA and data training disabled; prohibition on entering clients’ personal data, special-category data and unnecessary confidential information; mandatory human review of every output and verification of legal and regulatory references against official sources; centralised access management with multi-factor authentication; periodic staff training pursuant to Article 4 of the AI Act.
9.2 Claude Pro (Anthropic)
AI functionalities and use cases. GPAI conversational assistant used to enhance productivity, improve processes, perform quality control and support marketing and sales, with particular use for analysing complex regulatory documents and assisting with the drafting of deliverables, always under professional supervision.
Provider security and compliance. In its Trust Center, Anthropic states that it holds SOC 2 Type I and Type II, ISO 27001:2022 and ISO/IEC 42001:2023 certifications for its AI management system, as well as HIPAA-ready configurations. By default, data submitted under commercial terms is not used to train models.
Risk assessment. The main risks are similar to those associated with GPAI assistants, including output accuracy, input confidentiality and transfers outside the EU. The residual risk is Low.
Mitigation strategy. Application of the same data input rules applicable to all generative assistants (Section 8); systematic human review; separation of work contexts by client; periodic review of the provider’s contractual terms and compliance documentation; update of the register whenever a material change is made to the service.
9.3 Canva
AI functionalities and use cases. Graphic design platform used to create white papers, ebooks, presentations, brochures and images. It integrates generative features (the Magic Studio suite: text generation and rewriting, and image generation and editing) that rely on AI subprocessors disclosed in the Trust Portal, including OpenAI, Google and Black Forest Labs.
Provider security and compliance. Canva’s Trust & Security Portal documents SOC 2 Type 2, ISO/IEC 27001, PCI DSS, participation in the EU-US Data Privacy Framework, GDPR compliance and a dedicated section on AI Security, AI Monitoring and AI Governance, as well as a DPA and a public list of subprocessors.
Risk assessment. The main risks concern ownership and originality of generated content, possible similarity to protected works, the involvement of non-EU subprocessors for generative features, and the uploading of images containing personal data. The residual risk is Low.
Mitigation strategy. Prohibition on generating images depicting identifiable real persons; verification of content usage rights before publication; no uploading of third-party photographs to generative editing features without a legal basis; labelling of fully AI-generated images where required by the context (Article 50 AI Act); human graphic and editorial review of every item intended for clients.
9.4 Gemini (Google)
AI functionalities and use cases. Google’s GPAI model integrated into the Workspace ecosystem, used to create charts from spreadsheets, improve text, create videos and provide AI note-taking (automatic meeting transcription and minute-taking).
Provider security and compliance. Google has announced its adherence to the GPAI Code of Practice under the AI Act and documents ISO/IEC 42001 certification for its AI Management System in the Cloud Compliance Center, in addition to SOC 1/2/3 and the ISO 27001/27701/27017/27018 family of standards. Workspace customers are subject to a “Training Restriction”: prompts and customer content are not used to train models outside the customer’s domain without authorisation. DLP controls, European data regions and prompt-injection defences are also available.
Risk assessment. The main risks concern AI note-taking, which involves processing meeting participants’ personal data (voice, opinions and identifying information); the accuracy of automatic summaries; and the model’s access to confidential documents stored in Drive. The residual risk is Medium / low, mainly due to the meeting transcription component.
Mitigation strategy. All meeting participants are informed in advance that recording or automatic transcription/minute-taking will be enabled and are given the opportunity to object; minutes are reviewed by a person before being shared; to reduce the risk of unnecessary access to corporate data and client information, PrivacyRise has disabled the integration between the Gemini app and Google Workspace services at administrator level; the accuracy of generated charts and texts is verified before professional use.
9.5 WordPress 7.0
AI functionalities and use cases. Open-source CMS used for the company’s websites. From version 7.0 “Armstrong” (May 2026), WordPress integrates native AI infrastructure: AI Client (a provider-agnostic interface to models), Abilities API (which defines what AI can do within the installation) and a Connectors screen for linking providers such as OpenAI, Anthropic and Google via API keys. AI functionalities are optional and disabled by default.
Provider security and compliance. As this is open-source software, security depends on the configuration of the installation. The 7.0 architecture centralises the management of AI providers and permissions, reducing plugin fragmentation and improving administrative control.
Risk assessment. Main risks: management of AI provider API keys; write permissions granted to AI features in plugins; third-party plugin supply chain. Residual risk: Low.
Mitigation strategy. AI connectors may be activated only with the prior authorisation of AI Officer Lorenzo Ghini; API keys are stored securely and rotated periodically; the principle of least privilege is applied to the Abilities granted to plugins; AI plugins are vetted in advance; core and plugins are updated promptly; backups and staging environments are used for testing.
9.6 Google Workspace Business Standard
AI functionalities and use cases. Suite used to manage the company’s document repository and as the integration platform for Gemini features (Section 9.4) in Gmail, Docs, Sheets, Drive and Meet.
Provider security and compliance. Under the Google Workspace Service Specific Terms, user prompts are treated as customer data under the Cloud Data Processing Addendum and are not used to train models without authorisation; interactions with Gemini remain within the organisation, with existing controls (DLP, data regions and IRM) applied automatically, and SOC 1/2/3, ISO 27001, 27701, 27017, 27018 and ISO/IEC 42001 certifications in place.
Risk assessment. Main risks: the potentially broad scope of AI access to the document repository, including confidential client documents; misaligned administrative configurations. Residual risk: Low.
Mitigation strategy. To reduce the risk of unnecessary access to corporate data and client information, PrivacyRise has disabled the integration between the Gemini app and Google Workspace services at administrator level. As a result, users cannot use the Gemini app to search, retrieve or directly analyse content in Google Drive, Docs, Gmail, Calendar and Google Chat; role-based access controls and periodic review of sharing permissions; centralised administration of Gemini features by organisational unit; activity logging and export for audit purposes.
9.7 Brevo
AI functionalities and use cases. CRM platform used to manage contacts and communications. Its AI features (the Aura assistant) include generating email copy and subject lines, assisted audience segmentation, optimisation of send times based on open behaviour, contact enrichment and conversation summarisation. The provider is European and states that its AI agents are developed on servers in the European Union in compliance with the GDPR.
Provider security and compliance. Brevo documents its AI features on its official website and operates as a European company (France), with EU infrastructure for internally developed AI components, thereby reducing reliance on transfers outside the EU.
Risk assessment. Main risks: optimisation and segmentation features involve light forms of contact profiling (analysis of open and interaction behaviour), which require transparency towards data subjects; the accuracy of automatic contact data enrichment. Residual risk: Low/Medium.
Mitigation strategy. The marketing privacy notice is updated to explain personalisation logic and data subject rights; the legal basis is assessed (legitimate interest with a balancing test, or consent) for behavioural optimisation features; automatically generated segments are reviewed by a person before campaigns are launched; special-category data must not be entered into the CRM; a DPA is in place with the provider, and the database is cleaned periodically.
9.8 StreamYard
AI functionalities and use cases. Browser-based platform for managing recorded or live streaming events (webinars and LinkedIn/YouTube live streams). It includes ancillary AI features such as automatic clip generation from recorded content.
Provider security and compliance. StreamYard states that it holds ISO/IEC 27001 and ISO/IEC 27701 (privacy information management) certifications, uses Google Cloud infrastructure, encrypts audio-video streams using TLS/DTLS, applies encryption at rest, conducts annual penetration tests, provides a DPA with Standard Contractual Clauses for transfers and publishes a list of subprocessors.
Risk assessment. Main risks: recordings contain speakers’ and participants’ personal data (image, voice and opinions); streams are decrypted on the provider’s servers for mixing; AI processing of recorded content; transfers outside the EU. Residual risk: Low/Medium.
Mitigation strategy. A privacy notice is provided to speakers and participants before each event, specifying that the event will be recorded and describing subsequent processing; guest speakers’ consent is obtained; automatically generated clips are reviewed by a person before publication; a DPA incorporating SCCs is in place; the data collected during event registration is minimised.
9.9 LinkedIn
AI functionalities and use cases. Platform used for corporate marketing (company page, technical content and professional networking). LinkedIn integrates AI features such as a writing assistant for posts and profiles, campaign suggestions and AI tools for recruitment (the latter are not used by PrivacyRise).
Provider security and compliance. LinkedIn (part of the Microsoft group) documents its AI-powered features on its official pages and applies a responsible AI framework to the platform’s features.
Risk assessment. Main risks: publication of AI-generated content without adequate review, with potential reputational consequences and implications for transparency obligations; improper use of AI recruitment tools, which would fall within the high-risk use cases listed in Annex III to the AI Act. Residual risk: Low.
Mitigation strategy. Every published item is subject to PrivacyRise’s editorial review and responsibility (Article 50(4) AI Act); the writing assistant is used only as an editorial aid, with tone control and verification of technical content; the use of LinkedIn’s AI features for candidate selection, screening or assessment is strictly prohibited; access to the company page is restricted to authorised personnel.
10. Intellectual property and generated content
PrivacyRise uses AI as a tool to support creation, ensuring that every item published or delivered incorporates a predominant human creative and professional contribution. Before publication, we verify that generated content does not reproduce third-party protected works and we comply with providers’ licensing terms for outputs.
11. Personal data protection
AI tools are used in compliance with the GDPR: for each provider processing personal data on our behalf, a data processing agreement pursuant to Article 28 GDPR is in place; transfers outside the EU are supported by appropriate safeguards (adequacy decisions, the EU-US Data Privacy Framework or Standard Contractual Clauses); privacy notices addressed to clients, contacts and event participants describe any processing involving AI systems; the data minimisation principle is applied and, where processing may present a high risk, a data protection impact assessment is carried out pursuant to Article 35 GDPR. No decision producing legal effects concerning data subjects is based solely on automated processing.
12. Review, updates and contact details
This policy is reviewed at least once a year and whenever there is a relevant regulatory change (including developments concerning the Digital Omnibus package, whose dates currently remain legislative proposals not yet in force), a change to the tool inventory or a significant incident. The tool register and risk assessments are kept up to date by PrivacyRise’s AI Officer, Lorenzo Ghini. For questions about this policy or the use of AI in our services, please contact us through the channels indicated on the company website.
Document drafted in accordance with Regulation (EU) 2024/1689 and Regulation (EU) 2016/679, and with reference to ISO/IEC 42001:2023.