AI / ML Security & Governance Policy
1. Purpose
This policy defines the principles, controls, and security practices applied to all AI and machine learning components of the Solas Compliance platform.
Its purpose is to ensure privacy, confidentiality, integrity, and responsible AI use across all AI-driven features, pipelines, and services.
2. Scope
This policy applies to:
- All ML pipelines, models, and microservices deployed under the Solas Compliance platform.
- All data used for fine-tuning, inference, evaluation, or compliance review.
- All local and cloud-based infrastructure, including GCP, Docker containers, vector databases, and model inference APIs.
3. Data Privacy & Protection
Data Ownership
All client data remains owned by the client. No data is retained post-inference without explicit client consent by the AI service.
Data Ingestion
Uploaded policies and documents are processed through secure ingestion endpoints using HTTPS/TLS.
PII Handling
Personally identifiable information, or PII, is masked or removed before embedding, training, or evaluation where required.
Data Storage
Vector embeddings, metadata, and logs are encrypted at rest using GCP KMS or equivalent encryption controls.
Data Transmission
All network communication uses HTTPS/TLS 1.2+ encryption.
Data Deletion
Clients can request deletion of stored embeddings, fine-tuning data, and inference logs at any time.
Isolation
Each client’s data is logically isolated using dedicated namespaces, databases, or equivalent access controls.
4. Model Governance
Model Provenance
All base models used for fine-tuning must be open-weight or commercially licensed for the intended use. Examples may include Llama, Mistral, or equivalent approved models.
Fine-Tuning Data
Only sanitized and appropriate policy text is used for model fine-tuning. Sensitive data is excluded unless explicitly approved and protected under agreed controls.
Version Control
All model versions are tagged and tracked through an internal model registry, such as MLflow, Weights & Biases, or an equivalent system.
Reproducibility
Each model version must include metadata including dataset hash, hyperparameters, training date, and owner.
Auditability
Inference logs include timestamp, model version, input reference, output, and decision rationale where required for compliance review.
5. Responsible AI Principles
Fairness
Models are evaluated for bias across policy types, languages, regulatory categories, and client use cases where applicable.
Transparency
AI-driven outputs provide human-readable reasoning, references, and citations where available.
Accountability
Every AI-generated decision or recommendation is logged with traceable metadata.
Explainability
Agents provide supporting context, including retrieved text, rule references, and compliance checks.
Human Oversight
Human reviewers can review, approve, reject, or override AI-generated compliance decisions before final report generation.
6. Security Controls
Infrastructure
Microservices are containerized using Docker and deployed with least-privilege IAM roles.
Access Control
MFA and IAM-based permissions are required for access to GCP resources and sensitive systems.
Model Servers
Local or hosted LLMs are deployed on isolated compute environments and accessed through controlled API gateways.
API Security
External access is protected using JWT-based authentication, rate limiting, and role-based access controls.
Logging & Monitoring
Centralized logging is maintained through GCP Cloud Logging or equivalent systems, with monitoring for abnormal model or system behavior.
Incident Response
In the event of a suspected data breach or security incident, logs are captured, affected services are isolated, and a security review is initiated.
7. Data Retention & Deletion
Temporary inference data is deleted automatically after job completion unless retention is required for operational, legal, or compliance purposes.
Fine-tuning datasets are retained only where required for reproducibility, auditability, or agreed client use cases, unless the client opts out.
Embeddings are retained for the lifetime of the corresponding source policy, or until the policy is deleted, superseded, or deletion is requested by the client.
Logs follow a configurable retention policy based on operational, security, and compliance needs.
8. Compliance Alignment
GDPR
Data minimization, purpose limitation, access control, and right to erasure.
SOC 2
Security, confidentiality, availability, and processing integrity controls.
ISO 27001
Access control, cryptography, operational security, and incident management.
NIST AI RMF
Responsible AI development, governance, risk management, and monitoring.



