Last updated: 30 March 2026
AI Policy
Purpose
This Policy defines Trace Space, Inc.'s approach to the development, deployment, and use of artificial intelligence and machine learning technologies ("AI Systems") within its Platform and Services. It is designed to ensure that AI features operate responsibly, transparently, and in compliance with applicable law - including the EU Artificial Intelligence Act (EU AI Act), GDPR, CCPA, and the data protection obligations set out in the Terms of Service, Master Service Agreement ("MSA"), the Data Processing Addendum ("DPA"), and the Privacy Policy.
This Policy is incorporated by reference into the Terms, DPA and the MSA and forms part of the contractual framework governing Trace.Space's Services.
Scope
This Policy applies to all AI Systems operated by Trace.Space in connection with the Platform and Services, including:
- proprietary NLP and classification models operated by Trace.Space;
- third-party LLM integrations available for use in the Cloud Software;
- AI Systems selected, configured, and operated by Customers within their own environments (Self-Hosted Software); and
- embedding generation, vectorisation, and semantic search capabilities.
Deployment-Specific Scope
The obligations and protections in this Policy apply differently depending on deployment mode and AI configuration:
- Cloud Software with Trace.Space-operated AI. Where a Customer uses the Cloud Software with Trace.Space's default AI Systems, Trace.Space operates those systems directly. All provisions of this Policy apply in full.
- Cloud Software with Customer-configured AI (BYOK/BYOM). Customers may disable Trace.Space's default AI Systems and connect their own large language model API keys or model endpoints ("Bring Your Own Model") through the Organization settings. Where a Customer does so:
  - Customer Personal Data submitted to AI features is transmitted directly to the Customer's chosen third-party provider. Trace.Space does not process, intercept, store, or have visibility into that data in its capacity as AI operator;
  - The Customer acts as the controller and is solely responsible for ensuring that its chosen provider processes Customer Personal Data in compliance with applicable data protection laws, the EU AI Act, and any sector-specific regulatory requirements;
  - Trace.Space's obligations under this Policy apply only to processing performed by Trace.Space's own infrastructure (such as routing, session management, and proprietary NLP features that remain active independently of the LLM configuration). They do not extend to processing performed by the Customer's external model provider;
  - Customers are responsible for reviewing the privacy, security, and AI compliance practices of their chosen provider before enabling the integration, and for maintaining any required data processing agreements with that provider directly;
  - Trace.Space will clearly indicate within the Platform which AI provider is active for the Customer's organisation at any given time.
- Self-Hosted Software. Customers deploy and operate the Platform on their own infrastructure. Trace.Space does not access or control AI processing within the Customer's environment. Customers are solely responsible for the selection, configuration, security, and compliance of any AI Systems they operate within their Self-Hosted environment, including compliance with the EU AI Act, applicable data protection laws, and any sector-specific regulatory requirements. Trace.Space's obligations under this Policy apply only to the extent that Customer Personal Data is explicitly provided to Trace.Space.
Core Commitment
Trace.Space does not use Customer Data or Customer Personal Data to train, fine-tune, retrain, or improve AI Systems, except where a Customer has expressly opted in to improve their AI in writing via a separate addendum, as set out in the MSA. Customer-specific AI improvement is strictly opt-in and may be revoked at any time.
Customer Data processed through AI inference features is processed transiently and is not stored, cached, or incorporated into model weights or training pipelines. Embeddings generated from Customer Data are stored persistently to support semantic search and related features, but are held exclusively within that Customer's dedicated database - isolated from all other customers' data and never accessible across organisational boundaries. Embeddings are used solely to provide the Services to that Customer.
Trace.Space does not use Customer-specific embeddings, vector representations, feature extractions, statistical models, or other derivative analytical artifacts from Customer Data, except where such information is anonymised and aggregated across multiple customers such that it cannot be reverse-engineered, re-identified, or used to reconstruct Customer-specific patterns.
System Architecture
- Modular LLM interface. The Cloud Software provides a configurable AI interface through which Organisation Administrators may select or supply their preferred LLM. Customers using the Self-Hosted Software bear sole responsibility for the AI models they deploy and operate within their environment.
- Proprietary NLP capabilities. Trace.Space operates in-house NLP models for tasks including requirements classification or quality checks. These models do not use third-party inference and do not transmit data outside Trace.Space's controlled infrastructure.
- Embedding and vectorisation. Requirements data is vectorised to support search and semantic features. For Cloud Software, embeddings are generated using self-hosted models and stored securely within Trace.Space's database. No Customer Data is transmitted to external providers during embedding generation. Embeddings are organisation-specific and isolated by design. Customer-specific embeddings, vector stores, and analytical datasets derived from Customer Data are not shared across customers.
- Third-party LLM integrations. Where Customers enable third-party LLM features within the Cloud Software, Trace.Space will clearly indicate which provider is being used. Third-party providers are subject to Trace.Space's vendor compliance programme and are required to meet applicable security and data protection standards.
AI Principles
Trace.Space has implemented the following AI Principles:
- Privacy and data isolation. Customer Data is never used to improve AI performance for any other customer. Embedding, inference, and storage are organisation-specific and isolated by design.
- Transparency. AI-generated content and decisions are clearly indicated within the Platform. Customers are informed when and how AI Systems are involved in features.
- Human oversight and reliability. All AI Systems are monitored for performance, safety, and compliance. Human review is required before any AI-generated action that could alter requirement data or change workflow state is executed. AI Systems do not make legally binding or materially impactful decisions without human review.
- Security. All AI-related data processing adheres to Trace.Space's information security programme, which is aligned with SOC 2 Type II and ISO 27001 standards. Third-party AI providers are restricted to those meeting Trace.Space's security and compliance standards.
- No sale of AI-processed data. Trace.Space does not sell data processed through AI features to third parties.