In plain English
We use AI to help with internal work like ticket triage and drafting. We do not paste secrets or regulated data into chat tools. We use business-grade AI services, including approved OpenAI business services where contractual privacy controls apply, Microsoft Copilot for Microsoft 365, and Google Gemini for Workspace, with enterprise controls. AI outputs are drafts and a human reviews before anything goes to clients.
Vendor commitment: Microsoft Copilot for Microsoft 365 and Google Gemini for Workspace business services state that they do not use customer prompts, responses, or tenant data to train foundation models without permission. These are vendor commitments, not Tecnico Desk's own guarantee.
How Tecnico Desk Uses AI
Tecnico Desk may use approved business AI tools to support documentation, summaries, checklists, report drafting, internal planning, service workflows, awareness content, and organizing security findings.
AI may assist with work, but it does not replace human judgment. Client-facing deliverables, security recommendations, and material security actions require human review before delivery or action.
Use of Guardz AI-Assisted Security Features
Tecnico Desk may use Guardz as part of its managed security service. Guardz includes AI-assisted security capabilities that may help analyze security alerts, correlate activity across users, devices, email, cloud services, and identities, summarize incidents, prioritize risk, support phishing investigations, and recommend remediation steps.
Guardz AI-assisted features are used as part of a security workflow, not as a replacement for human review by Tecnico Desk. Tecnico Desk reviews security findings, client-facing recommendations, and material remediation actions before delivery or action, unless a specific automated containment workflow has been separately approved and documented with the client.
Tecnico Desk does not represent Guardz AI features as a guarantee of breach prevention, complete phishing prevention, legal compliance, or full incident response replacement.
Client Data and AI Tools
- Tecnico Desk does not intentionally submit client secrets, passwords, API keys, private keys, payment data, regulated health information, or unnecessary sensitive personal information into general-purpose AI tools.
- Client data used with approved AI tools is limited to the minimum necessary.
- Sensitive information is redacted, summarized, or anonymized where practical.
- AI outputs may be inaccurate and must be verified before use.
Vendor AI Commitments
Tecnico Desk may rely on vendor AI features provided by approved business platforms, including security platforms, Microsoft business services, Google Workspace business services, and approved OpenAI business services where contractual privacy controls apply.
Tecnico Desk reviews vendor privacy, security, and data-use commitments before using AI-assisted features in client workflows. Vendor commitments are made by the vendor and are not Tecnico Desk's own guarantee of vendor model-training practices or vendor configurations.
What AI Does Not Do
- AI does not run client IT.
- AI does not make autonomous final decisions.
- AI does not guarantee breach prevention.
- AI does not replace human review.
- AI does not replace legal counsel.
- AI does not replace insurance advisors.
- AI does not replace digital forensics firms.
- AI does not certify compliance.
1) Purpose and Scope
This policy governs how employees, contractors, and subprocessors use AI systems (Microsoft Copilot for Microsoft 365, Google Gemini for Workspace and Vertex AI, and approved OpenAI business services where contractual privacy controls apply, including API integrations) when handling internal data and client data. It applies to all devices, accounts, and workflows used for company business.
2) Definitions
- PII: Personally identifiable information such as names, emails, phone numbers, addresses, device IDs.
- Sensitive data: PII plus financial data, credentials, PHI, student data, minors' data, or any data under contract or regulation.
- AI systems covered: Microsoft Copilot for Microsoft 365, Gemini in Workspace and Google Cloud (Vertex AI), approved OpenAI business services where contractual privacy controls apply, and the OpenAI API.
3) Laws, Standards, and Contracts
We comply with applicable laws and frameworks where clients operate, including the Colorado Privacy Act and any contractual DPAs, BAAs, or SCCs. Client contracts prevail where stricter. We align our oversight with recognized guidance that emphasizes accountability and human review.
Accountability: The Security or Privacy lead owns this policy and performs an at-least annual review. We document AI risks, mitigations, and evidence of human oversight in our QA process.
Regulatory note (Colorado): Colorado SB24-205, as delayed by SB25B-004, has requirements scheduled for June 30, 2026. Tecnico Desk monitors Colorado AG rulemaking and aligns where applicable.
4) Data Classification
- Public: Marketing content and public docs.
- Internal: Non-public but low-risk items such as generic process docs.
- Confidential: Client names, asset metadata, system configs, invoices.
- Restricted (Sensitive): PII, PHI, credentials, payment data, minors' data, or client IP marked confidential.
5) Allowed Use Matrix
| Data class | Gemini Workspace | Gemini (Vertex AI) | Approved OpenAI business services | OpenAI API | Personal or free AI tools |
|---|---|---|---|---|---|
| Public | Allowed | Allowed | Allowed | Allowed | Not for company work |
| Internal | Allowed | Allowed | Allowed | Allowed | Not for company work |
| Confidential | Allowed with redaction and approval | Allowed with project controls | Allowed with redaction and approval | Allowed with zero-data-retention (ZDR) where contractually enabled on eligible endpoints, plus contract controls | Not for company work |
| Restricted (Sensitive) | Prohibited | Permitted only under DPA/BAA, encryption, access controls, and project isolation | Prohibited | Permitted only with ZDR where contractually enabled on eligible endpoints, regional controls, and explicit client consent | Not for company work |
Redaction means removing PII, secrets, hostnames, tenant IDs, keys, or uniquely identifying context before prompt submission. Zero-data-retention is a vendor mode in which the vendor does not retain prompts and outputs in its logs.
6) Prohibited Content in Prompts
- Passwords, secrets, API keys, tokens, private certificates.
- Full client datasets or exports. Use small representative samples after redaction.
- Content protected by attorney-client privilege or marked do not disclose.
- Children's or minors' data or biometric data unless the contract allows it and compliance has signed off.
7) Client Consent and Disclosures
Use AI with client data only when one of the following is true:
- The MSA/SOW/DPA/BAA explicitly authorizes AI processing for defined purposes, or
- The client has provided written consent referencing this policy and the specific workflow.
8) Data Residency and Cross-Border Transfer
- Prefer US processing for US-only clients and EU/EEA processing for EU clients.
- Use vendor features to constrain regions where available (for example, Vertex AI project regions or OpenAI regional endpoints, if enabled).
- Execute SCCs or relevant mechanisms for cross-border transfers and keep a Record of Processing per client.
9) Prompt, Output, and Retention Rules
- Default: retain only metadata (timestamp, user, purpose, tool) in our PSA/ITSM. Do not store full prompts or outputs that contain client data.
- If tickets require retention of AI outputs, store them in the client record with the same classification as the source data.
- All outputs must be fact-checked and scanned for malware before use.
- Outputs are drafts. Technicians validate before delivery.
10) Vendor Configuration
OpenAI business services: Tecnico Desk uses approved OpenAI business services where contractual privacy controls apply. We rely on the contractually applicable privacy and data-use commitments for the specific OpenAI business plan in use, and we still avoid entering credentials, secrets, or unredacted regulated data into conversational interfaces.
OpenAI API: API inputs and outputs may be retained for abuse monitoring unless zero-data-retention is enabled. Tecnico Desk uses zero-data-retention where contractually enabled on eligible endpoints, and uses regional controls where available and approved for sensitive workflows.
Microsoft Copilot for Microsoft 365: Operates within Microsoft's enterprise data boundaries and Microsoft Graph with tenant controls, auditing, and retention policies. Microsoft commits that Microsoft 365 Copilot business services do not use customer prompts, responses, or tenant data to train foundation models without permission. This is a vendor commitment, not a Tecnico Desk guarantee.
Gemini for Google Workspace: Google commits that Workspace Gemini business services do not use customer prompts, responses, or tenant data to train foundation models without permission, and Workspace Gemini prompts and responses are not retained after the session ends. These are vendor commitments, not a Tecnico Desk guarantee.
We disable optional data sharing where offered, enforce SSO/MFA and least-privilege access, and maintain a current vendor register with regions, retention defaults, and security attestations.
11) Security Controls
- Identity: SSO and MFA for all AI tools. Least privilege via groups.
- Network: Allowlist official endpoints. Block unknown AI sites.
- DLP: Enforce clipboard/attachment controls and use DLP for web and email.
- Redaction gateway: Prefer middleware that scrubs PII and secrets before API submission.
- Prompt safety: Train staff to spot prompt injection and data-exfiltration attempts.
- Malware scanning: Scan AI-generated files and scripts before use.
- Logging: Centralize access logs and alert on anomalous use.
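The redaction gateway above, combined with the section 5 redaction definition and the section 6 prohibition on secrets in prompts, can be expressed as a small policy check. This is an added illustration, not Tecnico Desk's own tooling: the tool identifiers, detection patterns, and sample ticket text are assumptions constructed for the example, and it covers only the two conversational-tool columns of the allowed-use matrix.

```python
import re

# Detectors for what section 5 says redaction removes (PII such as emails,
# hostnames, tenant IDs, IP addresses). Patterns are illustrative and constructed here.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "TENANT_ID": re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "HOSTNAME": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|local|internal)\b", re.I),
}
# Section 6: credentials and keys are prohibited in any prompt, whatever the data class.
SECRET = re.compile(r"(?i)\b(?:api[_-]?key|token|password|secret)\s*[:=]\s*\S+")
# Section 5 matrix, conversational-tool columns (Gemini Workspace and approved
# OpenAI business services share the same row values).
MATRIX = {"Public": "allow", "Internal": "allow", "Confidential": "redact", "Restricted": "deny"}
APPROVED_TOOLS = ("gemini_workspace", "openai_business")  # assumed tool identifiers

def redact(text):
    """Replace each detected identifier with a label; return text and the findings."""
    findings = []
    for label, pat in PATTERNS.items():
        def _mask(m, label=label):
            findings.append((label, m.group(0)))
            return f"[{label}]"
        text = pat.sub(_mask, text)
    return text, findings

def gateway(prompt, data_class, tool):
    """Return a decision dict: allowed flag, reason, and the prompt actually forwarded."""
    if tool not in APPROVED_TOOLS:
        return {"allowed": False, "reason": "tool not approved", "prompt": None, "findings": []}
    if SECRET.search(prompt):
        return {"allowed": False, "reason": "secret in prompt", "prompt": None, "findings": []}
    rule = MATRIX.get(data_class, "deny")  # unknown classes fail closed
    if rule == "deny":
        return {"allowed": False, "reason": f"{data_class} data prohibited", "prompt": None, "findings": []}
    findings = []
    if rule == "redact":
        prompt, findings = redact(prompt)
    return {"allowed": True, "reason": rule, "prompt": prompt, "findings": findings}

# Constructed sample ticket text (not real client data).
SAMPLE = ("User jane@contoso.example reports VPN drop from host fs01.corp.internal "
          "(10.1.2.3) in tenant 0f6c1a2b-3d4e-4f50-8a9b-0c1d2e3f4a5b.")

if __name__ == "__main__":
    print(gateway(SAMPLE, "Confidential", "gemini_workspace"))
    print(gateway("password: hunter2 please reset MFA", "Internal", "openai_business"))
```

The regex detectors are deliberately simple; a production gateway would use a maintained PII/secret detector and log only the metadata section 9 permits.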
12) Human in the Loop and Quality
- All AI outputs provided to clients require human review.
- Technicians remain accountable for accuracy, licensing, and policy compliance.
- For code/scripts, require peer review and testing in non-production before deployment.
Accuracy and claims: AI can be wrong. We validate outputs and avoid marketing statements that overstate accuracy or safety.
13) Incident Response
Treat unauthorized AI disclosure as a potential data incident. Steps: contain, preserve logs, assess data classes/jurisdictions, notify clients per contract or law, report to regulators if required, and update controls after a post-mortem.
14) Training and Enforcement
- Mandatory onboarding and annual refresher on this policy and vendor settings.
- Quarterly spot checks of prompts and outputs for compliance.
- Violations may result in access revocation and disciplinary action.
15) Exceptions
Exceptions must be approved by the Security or Privacy lead with justification, scope, compensating controls, and an expiration date.
16) Automated Decisionmaking
Tecnico Desk does not use AI or automated decisionmaking technology to make final decisions about employment, lending, housing, education, healthcare, insurance, legal services, account access, pricing, eligibility, or other legally significant decisions.
If that changes, Tecnico Desk will review the workflow, document risks and controls, provide required notices, maintain human review, and honor applicable opt-out, access, appeal, and correction rights.
17) Automated Containment and Security Actions
Some security platforms may support automated containment actions, such as quarantining malicious email, revoking suspicious sessions, escalating confirmed threats, or generating recommended remediation steps.
Tecnico Desk enables, configures, and reviews these workflows based on client scope, risk level, vendor capability, and documented authorization. AI-assisted recommendations do not replace Tecnico Desk judgment or client-approved security procedures.
AI tools may not independently:
- Disable accounts without approved workflow
- Change DNS records
- Modify Conditional Access
- Change SharePoint permissions
- Change Google Drive permissions
- Delete data
- Send client communications
- Approve payments
- Make legal decisions
- Make compliance certification decisions
- Make final breach or incident-response decisions
Security actions of this kind require human review and human authorization within the agreed change-control process, unless a specific automated containment workflow has been separately approved and documented with the client.
18) AI Privacy Change Notice
Tecnico Desk will not retroactively expand the use of client or consumer data for AI training or new AI purposes through quiet privacy-policy changes. Material AI data-use changes require updated notice and, where required, client approval or consent.
19) AI-Use Boundaries
- AI may assist with drafts, summaries, checklists, documentation, report preparation, internal planning, and awareness content.
- Human review is required before client-facing delivery or security action.
- AI outputs may be inaccurate and must be verified.
- AI is not legal, insurance, compliance, forensic, or breach counsel.
Appendix C: Vendor Register (snapshot)
| Vendor | Product | Use case | Regions | Default retention | Training on data | Contract |
|---|---|---|---|---|---|---|
| Microsoft | Copilot for Microsoft 365 | AI assistance in Microsoft 365 apps | US tenant region | Admin set | Not used for training outside tenant | Microsoft DPA |
| Google | Gemini (Workspace) | Drafts and Docs help | US or EU | Not retained after session ends (Workspace Gemini prompts/responses) | Not used for training without permission | MSA and DPA |
| Google | Vertex AI or Gemini | API workflows | Project region | Configurable | Off by default | DPA and SCCs |
| OpenAI | Approved OpenAI business services | Drafts and internal assistance | Per business plan | Per business plan and admin configuration | Per applicable business-plan privacy commitments | Per business plan terms |
| OpenAI | API | Server-to-server | Endpoint region | 0 to 30 days (ZDR where contractually enabled on eligible endpoints) | Per applicable API privacy commitments | DPA or SCCs |
| Microsoft | Microsoft 365 | Productivity and collaboration | US tenant region | Admin set | Not used for training outside tenant | Microsoft DPA |
| Microsoft | Intune | UEM/MDM | US tenant region | Admin set | N/A | Microsoft DPA |
| Cloudflare | Edge security | DNS, CDN, WAF | Global edge | Service defaults | N/A | DPA and SCCs |
| HubSpot | CRM | Leads and forms | US tenant | Admin set | N/A | DPA and SCCs |
| Formspree | Forms relay | Web form submissions | US | Admin set | N/A | DPA |
| Monday.com | Project management | Tasks and users | US tenant | Admin set | N/A | DPA and SCCs |
| Azure | Cloud infrastructure | Internal systems | US regions | Admin set | N/A | DPA and SCCs |
| AWS | Cloud infrastructure | Internal systems | US regions | Admin set | N/A | DPA and SCCs |