Privacy Policy
Last updated May 18st, 2026
Innovative Solutions Company DBA Savvior (variously "Savvior", "we", "our" or "us") values its users' privacy. This Privacy Policy ("Policy") will help you understand how we collect and use personal information from those who use our SavviAIX™ platform (the "Service"), including its artificial intelligence (AI) features for intelligent document processing and AI-assisted chat over customer data, and what we will and will not do with the information collected. Our Policy has been designed and created to make you aware of our commitment and realization of our obligation not only to meet, but to exceed, most existing privacy standards.
We reserve the right to make changes to this Policy at any time. If you want to make sure that you are up to date with the latest changes, we advise you to frequently visit this page. If at any point in time Savvior decides to use personally identifiable information in a manner different from that which was stated when this information was initially collected, the user or users shall be promptly notified by email. Users at that time shall have the option of whether or not to permit the use of their information in this separate manner.
This Policy applies to Savvior and governs any and all data collection and usage by us. By using the Service, you are consenting to the data collection procedures expressed in this Policy, which, together with our Cookie Policy, is incorporated by reference in SavviAIX™'s Terms of Service.
This Policy does not govern AND IS NOT RESPONSIBLE FOR the collection or use of information by YOU WITH RESPECT TO third parties, companies that Savvior does not control, or by individuals not employed or managed by us, EVEN IF IN CONNECTION WITH THE SERVICE. If you visit a website mentioned or linked in the Service, please be sure to review its privacy policy before providing the site with information. It is highly recommended and suggested that you review the privacy policies and statements of any website you choose to use or frequent to better understand the way in which websites garner, make use of and share the information collected.
Specifically, this Policy will inform you of the following:
- What personally identifiable information is collected through the Service;
- Why we collect personally identifiable information and the legal basis for such collection;
- How we use the collected information and with whom it may be shared;
- How information is processed by the AI components of the Service, including disclosures about AI providers, model training restrictions, and abuse-monitoring retention;
- What choices are available to you regarding the use of the information; and
- The security procedures in place to protect against the misuse of your information.
Information We Collect
We collect certain information through the Service that may identify or be used to identify you ("Personal Information"). Some of this Personal Information is collected automatically and some is provided by you when using the Service.
For instance, we collect information you provide to us when you sign up for an account, complete a membership form, purchase the Service, use the Service, respond to surveys, or request to be contacted by us. This information may include your name, email address, mailing address, phone number, login credentials such as username and password, and digital signature.
We also collect certain information automatically when you use the Service. These may include the IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when the Service is used, and other technical information relating to your device that is accessing the Service or document created with the Service.
We may also collect information through cookies, third party tracking technologies and server logs, such as what other websites you may visit before or after using the Service. This may help us better understand your interests so we can provide the best services. See our Cookie Policy for more information.
In addition, we may have the occasion to collect certain demographic information such as age, gender, household income, political affiliation, race and religion, to assist us in providing and maintaining superior quality service. Please be assured this information is anonymized so it cannot identify you personally and is used for general trend purposes only.
It is always up to you whether to disclose Personal Information to us, although if you elect not to do so, we reserve the right not to register you as a user or provide you access to the Service.
Information Submitted to AI Features of the Service
When you use the AI-enabled features of SavviAIX™ — including intelligent document processing (extracting structured data from invoices, forms, and related records) and AI-assisted chat that answers questions based on your organization's data — additional categories of information are processed:
- Document contents: Documents you upload or that are pulled from your connected SharePoint, MySQL, or SQL Server systems for AI-assisted extraction or indexing. These documents may contain Personal Information that naturally appears within business records — for example, names, business contact details, addresses, amounts, dates, and other standard business information.
- Queries and prompts: Questions, prompts, or instructions you submit through the AI-assisted chat interface.
- Retrieved context: Excerpts from your indexed organizational data that the Service retrieves to ground AI-generated answers in your actual records.
- AI outputs: Extracted fields, AI-generated answers, citations, and any human-reviewed corrections applied within the Service.
SavviAIX™ is designed to minimize the Personal Information sent to AI services. The Service transmits only the contents of the document or query being processed and related organizational context necessary for processing, such as company names, addresses, invoice details, and other standard business information that may naturally appear within submitted documents. Savvior does not intentionally provide unnecessary personal information to the language model, and any Personal Information transmitted is limited to what is already present within the customer-provided documents or records being processed.
Why We Collect Information
We collect the Personal Information for several reasons, including:
- to better understand your needs and provide the Service;
- to improve the Service;
- to send you promotional emails containing information we think you may like, when we have your consent to do so;
- to contact you to fill out surveys or participate in other types of market research, when we have your consent to do so;
- to see what other websites you visit and are of interest to you, so we can provide more tailored services; and
- to customize the Service according to your personal preferences.
Use of Information Collected
We may use the Personal Information we collect for a number of purposes, including:
- to provide the Service, including AI-assisted document processing and AI-assisted chat features;
- to operate and improve the Service;
- to analyze traffic and usage of the Service;
- to observe trends in interest across various websites, to improve and tailor the Service to you;
- to contact you if needed for non-marketing purposes (such as security updates, account issues, and/or changes in our products or services);
- to inform you of other products and/or services that may be of interest to you; and
- to provide surveys and/or research questionnaires to obtain your opinion of current or potential future services.
If at any point we desire to use any information in a manner different from that which was stated when this information was initially collected, you shall be promptly notified by email. You will have the option to permit or deny the use of your information in this additional manner at that time.
Use of Artificial Intelligence in the Service
SavviAIX™ uses commercial, enterprise-grade artificial intelligence services to provide two principal AI-enabled capabilities: (a) intelligent document processing, which extracts and validates structured business data from invoices, forms, and related records; and (b) AI-assisted chat using a retrieval-augmented generation ("RAG") architecture, which answers questions based on your organization's connected data sources. This section describes how those AI features work, what data they process, and the contractual and technical safeguards that apply.
Primary AI Platform: Google Cloud Vertex AI
SavviAIX™ utilizes the paid Google Cloud Vertex AI platform to process documents and to generate AI-assisted responses. Information transmitted to the platform is limited to the contents of the document or query itself and related organizational context necessary for processing, such as company names, addresses, invoice details, and other standard business information that may naturally appear within submitted documents.
Because SavviAIX™ uses Google's enterprise-grade Vertex AI services through a paid commercial agreement, submitted data is processed within Google Cloud's secured infrastructure and is not used to train public AI models or shared with other customers. Google provides contractual data protection commitments, enterprise security controls, encryption in transit and at rest, and administrative safeguards designed for business and regulated workloads. As a result, the use of Vertex AI in this manner is materially different and significantly more secure than submitting information to public consumer AI chat platforms.
Alternative Supported AI Providers
Where Customer compliance requirements, vendor relationships, or technical considerations make an alternative preferable, the SavviAIX™ architecture supports the following enterprise AI providers as alternatives to Google Cloud Vertex AI: Microsoft Azure OpenAI and Cohere. Each supported provider operates under an enterprise commercial agreement with the same core data protections described in this Policy — including a contractual prohibition on using Customer data to train or improve AI models. Provider selection is configured per deployment, and each deployment uses a single AI provider and a single vector database provider at a time to ensure clear audit trails and simplified compliance verification.
AI Model Training Prohibition
Your data is never used to train, fine-tune, or otherwise improve AI models. This restriction is contractually enforced through the enterprise commercial agreements governing Savvior's use of Google Cloud Vertex AI and any alternative supported AI provider (Azure OpenAI, Cohere). These enterprise agreements expressly prohibit the provider from using Customer data for model training, model improvement, sharing with third parties, or any commercial purpose beyond processing the immediate request. These protections are verified through SOC 2 Type II audits of the providers.
Provider-Side Temporary Retention and Abuse Monitoring
AI providers used by SavviAIX™ may temporarily retain submitted prompts and generated outputs solely for the purpose of detecting abuse, monitoring safety, and complying with legal obligations. This retention is a security feature of the underlying AI platforms, not a use of your data for commercial purposes or model training.
For Google Cloud Vertex AI, retention occurs as follows:
- Automated safety classifiers scan requests for potential violations of Google's Acceptable Use Policy and Prohibited Use Policy.
- If a request is flagged, Google may log the associated prompt for further review. Such logged data is stored securely for up to 90 days in the same region or multi-region the Customer selects for its project, and adheres to Google Cloud assurances including Data Residency, Access Transparency, and VPC Service Controls.
- Logged data is not used to train or fine-tune any AI or machine learning models.
- Authorized Google employees may review flagged prompts and may contact Savvior or the Customer for clarification. Recurring or severe violations may result in suspension or termination of access to the underlying AI services.
- Customers with a Google Cloud Master Agreement are exempt from prompt logging for abuse monitoring by default. Other Customers may request an opt-out by submitting Google's abuse-logging exception form; if approved, Google will not store prompts associated with the approved Google Cloud account.
For other supported providers (Azure OpenAI and Cohere), the typical abuse-monitoring retention window is approximately 30 days under similar protections. In all cases, temporarily retained data is not accessible to Savvior or to other customers, is not used for model training or commercial purposes, is automatically deleted after the retention period, and is subject to the provider's SOC 2 audit controls.
Abuse-monitoring exemption: If your organization has security or regulatory requirements that necessitate an abuse-monitoring exemption, please contact Savvior at hello@savvior.com. A customized enterprise agreement may be required, and Savvior will work with you and the relevant AI provider to implement the exemption where available.
How the AI Components Process Your Data
The AI components of SavviAIX™ operate as follows:
Intelligent Document Processing
- A document is uploaded by an authorized user or pulled from a connected SharePoint repository.
- The Service transmits the document's contents to the configured AI provider, which extracts key fields such as vendor, amount, and date.
- The Service classifies the document, applies the appropriate schema, and normalizes the extracted data to a standardized internal format.
- A human user reviews the extracted data within the Service, makes any necessary corrections, and approves the result before it flows to downstream business processes.
AI-Assisted Chat (Retrieval-Augmented Generation)
- During an indexing phase, the Service reads data from connected MySQL, SQL Server, and SharePoint sources, converts the text into vector embeddings using the configured AI provider, and stores those embeddings in the vector database with associated metadata.
- When an authorized user submits a question, the Service searches the vector database for the most relevant excerpts.
- Optionally, results are reranked for improved relevance.
- The top results, together with the user's question, are sent to the configured AI provider to generate an answer.
- The Service returns the answer with citations to the underlying source documents so the user can verify the basis for the response.
AI-generated answers are grounded in your organization's actual source data, not in speculative content produced by the model. Final business decisions based on AI-extracted or AI-generated information are reviewed by a human user; the Service is not designed to make automated decisions about individuals without human involvement.
Architectural Safeguards
- Source data stays under your control. MySQL databases, SQL Server databases, and SharePoint repositories remain within your environment. The Service accesses only the specific records or documents required for a given operation; it does not perform bulk data exports to AI providers.
- Vector database deployment options. The searchable index can be deployed self-hosted on your internal infrastructure using Qdrant, leaving the embedded representation of your data within your environment, or as a managed cloud service using Qdrant Cloud or Pinecone, both of which are SOC 2 Type II–certified with encryption at rest.
- Network isolation. AI providers have no direct network connection to your source databases. All AI interactions occur via outbound API calls initiated by the SavviAIX™ application layer, which controls what data is sent on a per-request basis.
- Encryption in transit. All communications between SavviAIX™ and external AI providers use TLS 1.2 or higher.
- Single-provider deployments. Each deployment uses one AI provider and one vector database at a time, which simplifies audit trails, prevents data fragmentation across providers, and supports compliance verification.
Data Transfer
We are located primarily in the United States. Your information, including Personal Information, may be transferred to and maintained on computers or servers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. For instance, they may be transferred to and stored on servers operated and maintained in the United States. Any data transfers of information from people located within the European Union (EU), United Kingdom (UK) or the People's Republic of China will be protected as required under the EU GDPR, UK GDPR, Personal Information Protection Law ("PIPL") and their guidelines, respectively.
In addition, when you use the AI features of the Service, data may be transmitted to the regional endpoints of the configured AI provider (Google Cloud Vertex AI by default, or an alternative provider as configured). Data residency for AI processing is governed by the region selected for the underlying Google Cloud project (or equivalent configuration for alternative providers), and the provider's data residency assurances apply to both processing and any temporary abuse-monitoring retention. The vector database that stores embedded representations of your data may be deployed within your own infrastructure (self-hosted) or in a SOC 2 Type II–certified managed cloud region.
By providing Personal Information to us, you are consenting to its transfer, storage and use as described in this Policy, or represent that you have obtained the required consent if the Personal Information is a Contractee's information.
If you are in China, you may be asked for specific consent before transferring your data outside of China.
Retention of Information
The Personal Information we collect will be stored for no longer than necessary. The length of time we retain this information will be determined based upon the following criteria:
- the length of time needed to fulfill our duties and obligations, such as providing the Service or to fulfill a contract;
- the length of time the information remains relevant for evaluating trends and to the user-specific database;
- any limitation periods within which claims might be made;
- any retention periods prescribed by law or recommended by regulators, professional bodies or associations;
- the type of contract or agreement we have with you;
- the existence of your consent; and
- our legitimate interest in keeping such information as stated in this Policy.
Vector database indexes containing embedded representations of your data are retained for as long as the underlying source data remains active and the Service is in use. You may request deletion of indexed data at any time as described under "Privacy Rights" below; deletion from the vector database is performed promptly upon request. Any data already transmitted to an AI provider and held within that provider's abuse-monitoring retention window will be deleted automatically by the provider at the end of that window, in accordance with the provider's policies.
Disclosure of Information
We use various third-party vendors to help us provide, maintain, and improve the Service. For example, these may include email delivery, website hosting, data hosting, customer service, payment processing, data analysis, marketing efforts, and the AI and vector database services described in this Policy. We may share the Personal Information with these vendors but only so far as required for them to provide their services to us.
Each of our vendors is contractually required to only use the Personal Information for the limited purpose for which we have shared it, and to use the same level of security and protection of your personal information as we use consistent with this Policy. These vendors are responsible for their use of your Personal Information. You can find out more information about their privacy policies by reviewing their policies here:
Vendors providing AI and vector database services to support the AI features of the Service include:
- Google Cloud (Vertex AI) — primary AI provider. https://cloud.google.com/terms/cloud-privacy-notice
- Microsoft Azure (Azure OpenAI) — supported alternative AI provider. https://www.microsoft.com/en-us/trust-center/privacy
- Cohere — supported alternative AI provider. https://cohere.com/privacy
- Qdrant — vector database (self-hosted or managed). https://qdrant.tech/legal/privacy-policy/
- Pinecone — managed vector database. https://www.pinecone.io/privacy/
The Service may also include social media features, such as plug-ins, including but not limited to Facebook, LinkedIn and other interactive programs. These may collect your IP address and require cookies to work properly. These services are governed by the privacy policies of the providers and are not within Savvior's control. You can learn more about how they treat your personal information here:
- https://www.facebook.com/about/privacy/
- https://www.linkedin.com/legal/privacy-policy
- https://help.instagram.com/519522125107875/?helpref=uf_share
We will only share Personal Information with third parties as described in this Policy, if we have your consent to do so, or as required by law.
Savvior does not sell or otherwise provide Personal Information to any third parties for valuable consideration.
We do not collect or process any payment information, however, we do provide a secure gateway to our payment processing partner, FiServ, if you choose to pay by credit card. The payment information they collect, such as credit card information, is encrypted and transmitted in a secure way. You can verify this by looking for a lock icon in the address bar and looking for "https" at the beginning of the address of the webpage. Please see their privacy policy at https://www.fiserv.com/en/about-fiserv/privacy-notice.html for more information on how they protect your payment information.
Security
Savvior takes precautions to protect your Personal Information. When Personal Information is submitted through the Service, the information is protected both online and offline. Wherever we collect sensitive information, that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and for "https" at the beginning of the address of the webpage. We also use Secure Socket Layer (SSL) for authentication and private communications provide simple and secure access and communication of information.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Employees are only granted access to the Personal Information they need to perform a specific job (for example, billing or customer service) through the use of password protected access and user-defined roles. The computers and servers in which we store Personal Information are kept in a secure environment restricted to only those personnel who need access and are further protected by firewalls and anti-malware software. This is all done to prevent loss, misuse, unauthorized access, disclosure or modification of the user's personal information under our control.
With respect to the AI features of the Service, all API communications with AI providers and vector database services use TLS 1.2 or higher encryption in transit. Managed cloud vector database deployments apply encryption at rest under the controls of the hosting provider. Self-hosted vector database deployments are encrypted under the controls of the Customer's own infrastructure. AI providers maintain enterprise compliance certifications including SOC 2 Type II, and in the case of Azure OpenAI, additional certifications including HIPAA-eligibility and FedRAMP authorization. Detailed provider certifications are listed in the Appendix to this Policy.
Do-Not-Track Features
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online activities monitored and collected. We do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.
Children under the age of 13
The Service is not directed to and we do not knowingly collect Personal Information from children under the age of thirteen (13). If it is determined that such information has been inadvertently collected from anyone under the age of thirteen (13), we shall immediately take the necessary steps to ensure that such information is deleted from our system's database, or in the alternative, that verifiable parental consent is obtained for the use and storage of such information. Anyone under the age of thirteen (13) must seek and obtain parent or guardian permission to use this Service.
Unsubscribe or Opt-Out
All users of our Service will have the option to discontinue receiving communications from us by way of email or newsletters. To discontinue or unsubscribe from the Service, please send an email that you wish to unsubscribe to hello@savvior.com. If you wish to unsubscribe or opt-out from any third-party websites that may be linked to through the Service, you must go to that specific website to unsubscribe or opt-out.
If you are a resident of certain countries or states, as described below, you may also have the right to opt-out of Savvior's collection, use and retention of the Personal Information. To opt-out of certain processing of your personal information, you may email your instructions to hello@savvior.com. We will follow-up to verify your identity and comply with your request or otherwise explain why we cannot.
Customers may also opt out of specific AI features of the Service by adjusting deployment configuration. Disabling AI features may reduce platform functionality. Customers seeking an exemption from AI-provider abuse-monitoring retention should contact Savvior to coordinate the request with the underlying AI provider.
Links to Other Websites
Our Website contains links to affiliate and other websites. Savvior does not claim or accept responsibility for any privacy policies, practices and/or procedures of other such websites. Therefore, we encourage all users and visitors to be aware when they leave our website and to read the privacy statements of every website that collects personal information. This Privacy Policy applies only to the information collected through the Service.
Privacy Rights
Depending on your location or where you are a resident, you may have certain privacy rights regarding your personal data according to that country's or state's privacy laws, such as but not limited to the EU, UK, China, California, Virginia and Colorado. These rights may include:
- Right of access: You can request further details regarding your personal information that we process, such as the types of personal information we process, the source of such information, the purpose for which we process the personal information, the expected duration that we anticipate holding that personal information, and the technical safeguards for that information, subject to the limitations set out in applicable laws and regulations.
- Right of correction/rectification: At your request, we will correct incomplete or inaccurate parts of your personal information.
- Right to be forgotten/erasure/deletion: At your request, we will delete your personal information if it is no longer necessary for us to retain it, though we may decline your request if we must continue the processing of your personal information to complete services or provide requested products to you or to comply with legal requirements. This right extends to embedded representations of your information stored in the vector database.
- Right to restrict processing: At your request, we will restrict processing of your personal information, though we may decline this request if we must continue the processing of your personal information to comply with legal requirements.
- Right to data portability: At your request, we will provide you with your personal information in a commonly used format.
- Right to decide on processing for marketing: Depending on the country or state, you may have the right to opt-in or opt-out of processing of your personal data for targeted advertising, sale of personal data and profiling in connection with decisions that produce legal or similarly significant effects. However, we do not use personal information for targeted advertising, profiling or sale.
- Right to withdraw consent: You have the right to withdraw any consent you may have previously given us at any time.
- Right regarding automated decision-making: Where applicable law provides such a right, you may request human review of decisions made about you. SavviAIX™ is designed so that AI-extracted and AI-generated outputs are reviewed by a human user before being applied to downstream business processes; the Service is not used to make solely automated decisions about individuals that produce legal or similarly significant effects.
- Right regarding AI processing: You may request information about which AI provider is configured for your deployment, which of your data sources are indexed for AI search, and whether an abuse-monitoring exemption has been applied. You may also request configuration changes consistent with your applicable agreement.
- Non-discrimination: You have the right to not be discriminated against in price or service for exercising your privacy rights.
- Right to Appeal: Virginia and Colorado residents have a right to appeal our decision regarding a privacy request if it is not provided within 45 days from receiving your request. You may first appeal to us at hello@savvior.com. If the appeal is denied, you may submit a complaint to the Attorney General's office of the state.
To exercise any of the above rights, please contact us at +1-412-321-7006, hello@savvior.com.
Contractees
We may collect and store certain personal information of individuals who sign contracts made by a user through the Service (each a "Contractee"). This information may include the name, contact information (such as email address, mailing address, and phone number), location and digital signature of a Contractee. Contractees' information may be provided by a user when inputting the information in the Service, such as when preparing a contract, or by the Contractee such as when digitally signing a contract made with the Service.
All Contractee Personal Information is treated the same as Personal Information discussed above, including use, security, retention and disclosure, as well as the AI-related protections set forth in the "Use of Artificial Intelligence in the Service" section. Contractee Personal Information is only accessible to users of the Service with whom they have contracted; it is not shared, disclosed or accessible to other users of the Service or third parties except as explained in this Policy.
We have no control over what Contractee personal information is collected. If you are a Contractee and have questions or concerns about your personal information, including exercising your privacy rights, please contact the user with whom you have contracted. We will work with them to respond to your request.
How to Contact Us
If you have any questions or concerns regarding the Privacy Policy, please feel free to contact us at the following email, telephone number or mailing address.
800 Vinial St STE B208r
Pittsburgh, Pennsylvania 15222r
Appendix A
AI Architecture and Compliance Reference
This Appendix provides additional technical and compliance reference information about the AI features of SavviAIX™. It supplements, and is incorporated into, the body of the Privacy Policy above. In the event of any conflict between this Appendix and the body of the Policy, the more protective standard for the data subject applies.
A.1 AI Service Functions
The AI features of SavviAIX™ rely on the following functional components:
| Function | Technology | Purpose |
|---|---|---|
| Document Text Extraction | LLM (Vertex AI / alt.) | Reads document content and extracts fields such as vendor, amount, and date. |
| Chat Response Generation | LLM (Vertex AI / alt.) | Generates answers to user questions, grounded in retrieved customer data. |
| Searchable Index Creation | LLM embeddings | Converts customer text into vector representations used for semantic search. |
| Search Result Ranking | Reranking API (optional) | Improves the relevance of search results returned during RAG queries. |
| Vector Storage | Qdrant or Pinecone | Stores the embedded representation of customer data; may be self-hosted. |
A.2 Supported Providers
Large Language Model (LLM) Providers
- Google Cloud Vertex AI (Gemini) — primary. Full support for chat, embeddings, and document extraction.
- Microsoft Azure OpenAI — supported alternative. Full support for chat, embeddings, and document extraction.
- Cohere — supported alternative. Support for chat, embeddings, document extraction, and reranking.
Vector Database Providers
- Qdrant — managed cloud service.
- Pinecone — managed cloud service.
A.3 Provider Compliance Certifications
| Provider | Compliance Certifications |
|---|---|
| Google Cloud Vertex AI | SOC 2 Type II; ISO 27001, 27017, 27018; HIPAA-eligible under a signed Business Associate Agreement; additional Google Cloud certifications applicable to underlying infrastructure. |
| Microsoft Azure OpenAI | SOC 2 Type II; HIPAA-eligible; FedRAMP authorized. |
| Cohere | SOC 2 Type II. |
| Qdrant (managed cloud) | SOC 2 Type II. |
| Pinecone | SOC 2 Type II. |
Savvior's own information security program is also audited under SOC 2 Type II. Audit reports and additional compliance documentation are available to qualifying customers under non-disclosure agreement.
A.4 Google Cloud Vertex AI — Abuse Monitoring Detail
For the primary AI platform (Google Cloud Vertex AI), Google's abuse-monitoring process is described in Section 4.3 ("Generative AI Safety and Abuse") of the Google Cloud Platform Terms of Service. The process operates as follows:
- Automated detection: Google uses automated safety classifiers to detect potential abuse and violations of the Acceptable Use Policy and Prohibited Use Policy.
- Prompt logging: If automated classifiers detect suspicious activity, Google may log Customer prompts solely for the purpose of examining whether a policy violation has occurred. Such data is not used to train or fine-tune AI/ML models, is stored securely for up to 90 days in the same region or multi-region the Customer selected, and adheres to Google Cloud assurances including Data Residency, Access Transparency, and VPC Service Controls.
- Action: Authorized Google employees may review flagged prompts and may contact the Customer for clarification. Failure to address violations — or recurring or severe abuse — may result in suspension or termination of access.
- Customers in scope: Only customers governed by the standard Google Cloud Platform Terms of Service. Customers with a Google Cloud Master Agreement are exempt from prompt logging for this abuse monitoring by default.
- Customer opt-out: Customers may request an exception via Google's opt-out form. If approved, Google will not store any prompts associated with the approved Google Cloud account.
Reference: Google Cloud abuse monitoring documentation — https://docs.cloud.google.com/gemini-enterprise-agent-platform/models/abuse-monitoring.
A.5 Data Residency Summary
- Source data (MySQL, SQL Server, SharePoint) remains within the Customer's controlled environment.
- Vector database hosted in a SOC 2 Type II–certified managed cloud region (Qdrant Cloud or Pinecone).
- AI processing occurs in the region selected for the underlying Google Cloud (or alternative provider) project. Any temporary abuse-monitoring retention occurs in the same region or multi-region.
A.6 Comparison to Public Consumer AI Platforms
Use of paid, enterprise-tier AI services through a commercial agreement — as with SavviAIX™'s use of Google Cloud Vertex AI — is materially different from, and significantly more protective than, submitting information to free, public consumer AI chat platforms. The enterprise tier provides contractual prohibitions on training, enterprise security controls, encryption in transit and at rest, third-party audit verification, and administrative safeguards designed for business and regulated workloads. Customers can rely on these protections as binding obligations of the AI provider rather than as discretionary commitments.