AI DATA RIGHTS & SUBPROCESSOR CONTROL PACK (FOUNDER-READY) Use this to get from “we think we’re fine” to “we can prove it” in a security review. 1) ONE-PAGE DATA FLOW MAP (fill this out) - Inputs: What data enters the system? (text, files, tickets, code, emails) - Processing: Where is data transformed? (RAG chunking, embeddings, tool calls) - Outputs: Where do outputs go? (UI, email, ticketing, exports) - Storage: List every store that can contain customer content: * Primary DB * Object storage * Vector DB / embeddings * Caches * Logs/traces/error reports * Analytics/event streams * Support tools (tickets, attachments) 2) SUBPROCESSOR INVENTORY (must match prod) Create a table with columns: Vendor, Purpose, Data types shared, Environment (prod/dev), Retention/controls, Link to DPA/terms. Rules: - If a vendor can see prompts/outputs, call it out explicitly. - Separate “core service” vendors (cloud, model provider) from “convenience” vendors (session replay, support, analytics). - Publish a subprocessors page and keep it current. 3) DEFAULTS POLICY (non-negotiable product stance) - Default: customer content is used only to deliver the service. - Any “improvement” use (evaluation, fine-tuning, human review) is explicit opt-in per tenant. - Debug logging of payloads is off by default. 4) ACCEPTANCE TESTS (run these before every enterprise deal) - Logging test: Can we produce application logs for a request that show IDs/metrics but not raw prompt/output? - Deletion test: If we delete a user/tenant, can we enumerate every store to purge (DB, objects, vector DB, logs) and execute it? - Access test: Can we answer “which employees accessed this tenant’s data in the last 30 days” with an audit trail? - Connector test: Can an admin restrict connector scope (repo/project/folder) and is least-privilege the default? 5) CONTRACT + PRODUCT ALIGNMENT CHECK For each statement below, verify it is true in code/config, not just in an MSA: - “No training on customer data by default” - “Retention period is X (or admin-configurable)” - “Subprocessors are disclosed and changes are notified” - “Customer can request deletion and export” 6) IMPLEMENTATION TO-DO (practical order) - Step 1: Add a config flag to disable LLM payload logging globally; ship redaction middleware. - Step 2: Create separate buckets/DB schemas for serving vs improvement datasets. - Step 3: Build an admin retention control and wire it to actual deletion jobs. - Step 4: Add an “AI improvement opt-in” toggle with audit logging (who enabled it, when). - Step 5: Create a subprocessors page and a quarterly review calendar. Bring this pack to your next architecture review and treat any unanswered line item as a product bug.