NetX AI Policy
Effective Date: April 2025
Version: 1.5
1. Executive Summary
NetX develops and operates two commercial software products — NetX Digital Asset Management (NetX DAM) and NetX AuthorityAI — both of which incorporate artificial intelligence capabilities to serve customers in the media, cultural heritage, museum, brand, and sports industries, among others. This document defines the principles, controls, and responsibilities governing how AI is used across our products and our internal engineering practices.
NetX does not develop, train, or own AI models. Instead, we integrate proven, commercially available AI services from established cloud providers to deliver AI-powered features within our products. This architectural decision concentrates AI model risk with large, well-resourced providers while allowing NetX to apply consistent governance controls at the integration layer.
Our core commitments are:
- Customer data is never used to train AI models — by NetX or any of our AI providers.
- AI outputs that affect human subjects always include a human review step.
- Each customer’s data is logically isolated; data is never co-mingled across customers.
- Sensitive AI features (such as facial detection) are optional and require deliberate customer activation.
- We are GDPR-compliant, operate under SOC 2-certified infrastructure, and align our practices with ISO 27001 principles.
2. Scope and Applicability
This policy applies to:
- All AI-powered features within NetX DAM and NetX AuthorityAI.
- All third-party AI service integrations used by NetX products.
- Internal use of AI tools by NetX engineering and product teams.
- All NetX employees, contractors, and agents who interact with customer data or AI systems.
This policy is shared with current and prospective customers under non-disclosure agreement. It is reviewed and updated at least annually, or whenever a material change is made to AI capabilities, providers, or regulatory requirements.
3. AI Governance and Oversight
3.1 Governance Owner
AI governance at NetX is the direct responsibility of the Chief Technology Officer (CTO). The CTO serves as the named owner of this policy and is accountable for:
- Approving the addition of new AI capabilities or providers.
- Reviewing and updating this policy annually.
- Ensuring that AI-related incidents are escalated, investigated, and resolved appropriately.
- Communicating AI policy changes to affected customers.
As the company grows, NetX intends to formalize an AI Governance Committee to broaden oversight across product, legal, and security functions.
3.2 Internal AI Engineering Practices
NetX engineers use AI-assisted development tooling to support software development workflows. NetX is in the process of establishing formal guidelines and playbooks to ensure consistent, safe, and auditable use of AI tools across the engineering organization. These guidelines will cover:
- Acceptable use of AI assistance in code generation and review.
- Review and validation requirements before AI-assisted code is merged.
- Restrictions on providing confidential customer data or proprietary source code to AI development tools.
- Documentation requirements for AI-assisted design decisions.
Until formal playbooks are published, all AI-assisted development is subject to the same peer review, testing, and quality assurance processes applied to all NetX code.
All NetX personnel are required to complete annual security awareness training, which covers AI-relevant topics including data handling requirements and acceptable use of AI tools. Staff also complete annual GDPR training. These programs apply to all employees and ensure a baseline level of awareness of the obligations and risks relevant to AI use across the organization.
3.3 Third-Party AI Provider Oversight
NetX maintains an internal register of all AI service providers integrated into its products. Before any new AI service provider is added, the CTO conducts a review covering:
- Data handling and retention practices.
- Contractual prohibitions on the use of customer data for model training.
- Security certifications and compliance posture.
- Alignment with this policy’s ethical principles.
- An ethics-specific assessment of the proposed AI capability, evaluating its intended use against NetX’s prohibited use framework and the potential for harm, bias, or unintended consequences.
4. AI Capabilities by Product
4.1 NetX Digital Asset Management
NetX DAM is a digital asset management platform serving customers in brand, museum, sports, and cultural heritage sectors. The platform is hosted in SOC 2-compliant data centers and cloud service providers.
The following AI-powered features are available in NetX DAM. All AI inference is performed by third-party cloud AI services via API; NetX does not run or host AI models directly.
| Feature | Description |
|---|---|
| AI Search | Semantic search across asset libraries using vector-based AI. Allows users to find assets using plain-language queries rather than keyword-only matching. |
| Visual Object Recognition | Automatically identifies objects, scenes, and concepts within images using cloud-based computer vision AI. |
| Facial Detection | Detects the presence of faces in images. Enabled per-customer and opt-in only. NetX does not perform identification — that step is performed by a human user. See Section 6.5 for regulatory context. |
| OCR Text Extraction | Extracts machine-readable text from images and scanned documents using cloud-based AI. |
| Video Transcription | Generates time-coded transcripts for video assets using cloud-based speech recognition AI. |
| Legacy Vision Integration | A legacy integration with a third-party computer vision service, available to customers with existing implementations. Not actively extended. |
| Planned: Media Summaries | AI-generated descriptive summaries for images, videos, audio, and documents. Expected later in 2026. |
Intermediate data passed to AI provider APIs is not retained by providers after the API response is returned. This is confirmed contractually with our AI providers.
AI features in NetX DAM are implemented as discrete API integrations and do not constitute core platform infrastructure. If an AI service is unavailable or returns an error, the platform continues to operate normally; the affected AI feature degrades gracefully without impacting asset management functionality. For example, if natural language search is temporarily unavailable, keyword-based search remains fully operational.
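The graceful degradation described above, shown as an added example (not NetX product code): an AI-backed search that falls back to keyword matching when the provider fails, and records which path produced the result so the interface can label AI-derived output and monitoring can count fallbacks. The AISearchProvider class, its synonym table, and the sample catalogue are constructed stand-ins for a real cloud search API and a customer's asset library.

```python
"""Illustrative fallback pattern for an AI-backed search feature (added example)."""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("ai_search")


class AIServiceUnavailable(Exception):
    """Raised when the external AI search API times out or errors."""


@dataclass
class Asset:
    asset_id: str
    title: str
    tags: list[str] = field(default_factory=list)


# Constructed sample catalogue for one customer tenant.
CATALOGUE = [
    Asset("a1", "Sunset over harbour", ["sunset", "harbour", "boat"]),
    Asset("a2", "Museum atrium opening night", ["museum", "event", "crowd"]),
    Asset("a3", "Harbour cranes at dawn", ["harbour", "industrial", "dawn"]),
]


class AISearchProvider:
    """Hypothetical stand-in for the cloud semantic search API.

    available=False simulates an outage; a real client would raise on
    HTTP errors or timeouts instead.
    """

    def __init__(self, available: bool = True):
        self.available = available

    def semantic_search(self, query: str, assets: list[Asset]) -> list[str]:
        if not self.available:
            raise AIServiceUnavailable("semantic search API unreachable")
        # Toy "semantic" matching: a small synonym table stands in for the
        # embedding similarity a real service would compute.
        synonyms = {"boats": {"boat", "harbour"}, "port": {"harbour"}}
        wanted = synonyms.get(query.lower(), {query.lower()})
        return [a.asset_id for a in assets if wanted & set(a.tags)]


def keyword_search(query: str, assets: list[Asset]) -> list[str]:
    """Plain substring match on title and tags; never depends on an AI service."""
    q = query.lower()
    return [
        a.asset_id for a in assets
        if q in a.title.lower() or any(q in t for t in a.tags)
    ]


def search_assets(query: str, provider: AISearchProvider,
                  assets: list[Asset] = CATALOGUE) -> dict:
    """Try the AI-backed search first; on failure, degrade to keyword search.

    The result records which path produced it so the UI can label
    AI-derived results as AI-generated and so monitoring can count fallbacks.
    """
    try:
        ids = provider.semantic_search(query, assets)
        return {"results": ids, "source": "ai", "ai_generated": True}
    except AIServiceUnavailable as exc:
        # Asset management keeps working: log the failure rather than
        # surfacing it to the user as a search error.
        log.warning("semantic search unavailable (%s); using keyword search", exc)
        ids = keyword_search(query, assets)
        return {"results": ids, "source": "keyword", "ai_generated": False}
```

The fallback branch is the operationally important one: it should be exercised in testing by forcing the provider to fail, and the count of "source": "keyword" results is a cheap availability signal for the AI integration.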
4.2 NetX AuthorityAI
NetX AuthorityAI is a purpose-built AI application designed for cultural heritage institutions, museums, and organizations with significant archival collections. It is a fully cloud-hosted SaaS product.
AuthorityAI implements a Retrieval-Augmented Generation (RAG) architecture that allows customers to ask natural-language questions about their archival holdings — images, video, audio, documents, and web content — and receive contextually informed answers grounded in that archive.
Key architectural and governance characteristics:
| Characteristic | Detail |
|---|---|
| Architecture | Serverless cloud-hosted application. NetX manages the full stack on behalf of the customer. |
| AI Capabilities | Combines large language model (LLM) inference with multimodal vision AI for understanding and retrieving archival content. |
| Customer Data Isolation | Each customer’s embedding index is stored in a dedicated, isolated data store. Customer data is never co-mingled across tenants. |
| Human Review Workflow | All LLM-generated responses destined for public-facing use must pass through an approval workflow. Historians, archivists, and subject-matter experts review and approve AI output before publication. |
| Model Ownership | NetX does not develop or fine-tune AI models. All models are sourced from established third-party AI providers. |
| Data Training Prohibition | Customer data ingested into the RAG is not used by any AI provider or by NetX to train or improve any AI model. |
| Graceful Degradation | If an AI service is unavailable, the AuthorityAI platform is designed to surface this to users clearly rather than silently fail or return inaccurate results. |
4.3 Internal Developer Tooling
NetX engineers use AI-assisted development tools to support code generation, code review, and documentation workflows. The use of these tools is governed by the internal AI engineering guidelines described in Section 3.2.
Developers are instructed not to input customer data, personally identifiable information (PII), or proprietary credentials into AI development tools. Compliance with this requirement will be formalized in the forthcoming engineering playbooks.
4.4 AI Data Flow Overview
The following describes how customer data moves through AI processing in each NetX product. In both cases, data is processed transiently by AI services and is not retained by providers beyond the API response.
NetX DAM — AI Feature Processing:
- A customer uploads or manages a digital asset (image, video, document) within the NetX DAM platform.
- When an AI feature is invoked (e.g., object recognition, OCR, AI search), the relevant asset or a representation of it is transmitted via encrypted API call (TLS 1.2 minimum) to the applicable cloud AI service.
- The AI service processes the data and returns a result (e.g., object labels, extracted text, semantic embedding). The provider retains no data after the response is returned.
- The result is stored as metadata within the customer’s isolated data environment in NetX DAM.
- The customer accesses and acts on the AI-enriched metadata through the NetX DAM interface.
NetX AuthorityAI — RAG Data Flow:
- Customer archival content (images, video, audio, documents, web content) is ingested into the AuthorityAI platform during onboarding.
- Content is encoded into vector embeddings by a cloud AI service and stored in a dedicated, customer-isolated vector data store. Each customer has their own isolated store; no data is co-mingled.
- When a user submits a query, the system retrieves semantically relevant content from that customer’s vector store.
- Retrieved context is passed to a large language model, which generates a natural-language response grounded in the archive. No customer data is used to train or modify the underlying model.
- If the response is intended for public-facing use, it enters a human approval workflow where historians or subject-matter experts review and approve the content before publication.
5. Data Privacy and Security
5.1 Core Data Principles
- NetX does not use customer data to train, fine-tune, or evaluate any AI model.
- NetX does not sell, share, or license customer data to any third party for any purpose.
- AI processing of customer data is conducted solely to deliver the contracted service features to that customer.
- Transient data passed to AI provider APIs is not retained by the provider after the API response is returned. This is confirmed in our agreements with AI providers.
5.2 Customer Data Isolation
NetX operates as a single-tenant SaaS platform, and customer data isolation is a foundational design requirement:
- In NetX DAM, each customer’s assets reside in logically separated cloud storage. AI-processed metadata (e.g., recognition labels, detected text) is stored within that customer’s data boundary.
- In NetX AuthorityAI, each customer’s vector embedding index is stored in a dedicated, isolated data store. No cross-customer queries are possible within the RAG architecture.
- Databases are isolated to each customer tenant.
5.3 Personally Identifiable Information (PII)
Customer archives may contain PII, including historical records referencing individuals and, in some cases, contemporary content. NetX manages PII exposure as follows:
- Facial detection identifies the presence of faces; it does not perform biometric identification. The association of a face with a named individual is always a human-performed action, not an automated one.
- Customers are responsible for ensuring their use of PII-containing assets complies with applicable law, including GDPR, state privacy statutes, and sector-specific regulations.
- NetX does not extract, aggregate, or enrich PII from customer assets beyond the feature functions described in this policy.
5.4 AI Provider Data Agreements
Before integrating any AI service provider, NetX reviews and obtains contractual commitments covering:
- Prohibition on using NetX customer content to train AI models.
- Confirmation that data submitted via API is not stored beyond the scope of fulfilling the API request.
- Alignment with GDPR data processing requirements, including Data Processing Addenda where applicable.
5.5 Security Controls for AI Systems
The following security controls apply to all AI service integrations across NetX products:
- Encryption in Transit: All data transmitted between NetX systems and AI service providers is encrypted using TLS, with TLS 1.2 enforced as the minimum standard.
- Encryption at Rest: Customer data stored within NetX systems — including AI-processed metadata and vector embeddings — is encrypted at rest using AES-256 encryption.
- Authentication and MFA: Access to NetX internal systems is controlled through SSO-integrated multi-factor authentication. Privileged access roles and high-sensitivity systems additionally require hardware security key authentication, providing phishing-resistant authentication for the most sensitive access paths.
- Privileged Access Management: AI service API credentials and other privileged system credentials are managed through a privileged access management (PAM) system. Credentials are not directly accessible to end users or general staff.
- Access Reviews and Credential Rotation: Formal access reviews are conducted quarterly. AI service API credentials are rotated on a quarterly (90-day) cycle, consistent with NIST guidance on credential management.
- Vulnerability Management and Patching: NetX conducts automated vulnerability scanning and penetration testing monthly and on each product release. AI-specific threat scenarios — including prompt injection and model output manipulation — are explicitly included in NetX’s threat modeling and vulnerability management scope. Medium and high severity findings are prioritized for remediation. Standard patches are applied monthly; high-severity CVEs are patched the same day they are identified, regardless of release cycle.
- Logging and Monitoring: AI service API calls are logged through NetX’s cloud observability infrastructure. Logs are retained for one year. Monitoring covers API availability, error rates, anomalous request volumes, and unexpected data egress indicators, with alerts configured for conditions indicative of unauthorized access or integration failures.
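Two of the controls listed above, shown in an added example that is not NetX code: an outbound TLS client context that refuses anything below TLS 1.2 for AI provider calls, and a small detector that flags anomalous request volume, data egress, and provider error rates per tenant from structured AI API call logs. The log lines are constructed for this example and carry only call metadata, not asset content; the thresholds are illustrative assumptions.

```python
"""Illustrative TLS floor and AI API log anomaly checks (added example)."""
import json
import ssl
from collections import defaultdict


def ai_provider_tls_context() -> ssl.SSLContext:
    """Client context for AI provider API calls: TLS 1.2 minimum, certificates verified."""
    ctx = ssl.create_default_context()  # verifies server certificates by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    return ctx


def tls_floor_is_1_2(ctx: ssl.SSLContext) -> bool:
    """Check that a context cannot negotiate anything below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


# Constructed structured log lines, one JSON object per AI API call.
# Payload content is deliberately absent: only call metadata is logged.
SAMPLE_LOGS = "\n".join(
    [
        json.dumps({"ts": "2025-04-01T10:00:00Z", "tenant": "t1", "feature": "ocr", "status": 200, "bytes_out": 250_000}),
        json.dumps({"ts": "2025-04-01T10:00:05Z", "tenant": "t1", "feature": "ocr", "status": 200, "bytes_out": 180_000}),
        json.dumps({"ts": "2025-04-01T10:01:00Z", "tenant": "t2", "feature": "vision", "status": 502, "bytes_out": 0}),
        json.dumps({"ts": "2025-04-01T10:01:01Z", "tenant": "t2", "feature": "vision", "status": 502, "bytes_out": 0}),
    ]
    + [
        json.dumps({"ts": f"2025-04-01T10:02:{i:02d}Z", "tenant": "t3", "feature": "search", "status": 200, "bytes_out": 4_000_000})
        for i in range(12)
    ]
)


def parse_logs(raw: str) -> list[dict]:
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def detect_anomalies(records: list[dict], max_calls: int = 10,
                     max_bytes: int = 20_000_000, max_error_rate: float = 0.5) -> list[tuple[str, str]]:
    """Per-tenant checks over one window: call volume, total egress, provider error rate.

    Returns (tenant, alert_kind) pairs; the thresholds are illustrative.
    """
    calls = defaultdict(int)
    egress = defaultdict(int)
    errors = defaultdict(int)
    for r in records:
        calls[r["tenant"]] += 1
        egress[r["tenant"]] += r["bytes_out"]
        if r["status"] >= 500:
            errors[r["tenant"]] += 1
    alerts = []
    for tenant in calls:
        if calls[tenant] > max_calls:
            alerts.append((tenant, "request_volume"))
        if egress[tenant] > max_bytes:
            alerts.append((tenant, "data_egress"))
        if errors[tenant] / calls[tenant] > max_error_rate:
            alerts.append((tenant, "integration_failure"))
    return sorted(alerts)
```

The egress check is the one most directly tied to the data-handling commitments in this policy: a tenant whose bytes sent to a provider suddenly exceed its normal profile is the signal to investigate before a retention or exfiltration question arises. In production the thresholds would be per-tenant baselines rather than fixed constants.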
5.6 Data Breach and Incident Response — AI-Processed Data
NetX maintains a general data breach response process under its information security program. The following provisions apply specifically to AI-processed data:
- Detection: NetX monitors AI service integrations for anomalous behavior, unexpected data egress, and API errors indicative of unauthorized access.
- Classification: Upon detecting a potential incident involving AI-processed data, the CTO (as AI governance owner) is notified immediately. Incidents are classified by severity: (1) no actual data exposure, (2) potential exposure of non-sensitive metadata, (3) potential exposure of PII or content assets.
- Containment: Affected AI service integrations may be suspended pending investigation. If a specific customer’s data is involved, that customer is notified within 72 hours of confirmed breach identification, consistent with GDPR Article 33 obligations where applicable.
- Investigation: NetX will conduct a post-incident review to identify root cause, affected data scope, and remediation steps. Provider agreements are reviewed to confirm the provider’s own incident response obligations.
- Remediation and Disclosure: Customers will receive a written summary of the incident, data affected, and remediation actions taken. Regulatory authorities are notified as required under applicable law.
- Continuous Improvement: All AI-related incidents are reviewed to improve monitoring, access controls, and architectural safeguards.
6. Compliance and Regulatory Framework
6.1 General Data Protection Regulation (GDPR)
NetX is GDPR-compliant. We sell into the European Union through local resellers and have in place the policies, procedures, and supporting documentation required to meet GDPR obligations as a data processor. This includes:
- Data Processing Agreements (DPAs) with customers where required.
- Documentation of lawful bases for processing.
- Processes for honoring data subject rights requests (access, erasure, portability, etc.).
- Data breach notification procedures aligned to GDPR Articles 33 and 34 timelines.
- Vendor assessments for AI providers operating as sub-processors.
GDPR obligations related to AI-processed data — particularly AI features that may process images of individuals — are addressed in our DPA and in the customer-facing terms of service. Customers retain responsibility for establishing lawful bases for processing personal data submitted to NetX.
6.2 SOC 2
NetX’s primary data center operates under SOC 2 compliance. SOC 2 Type II reports are available to customers and prospects under NDA upon request.
6.3 ISO 27001 Alignment
NetX has aligned its information security management practices with the ISO 27001 framework. While NetX has not pursued independent third-party ISO 27001 certification at this time, the framework informs our risk assessment, access control, incident management, and supplier relationship management practices — including oversight of AI service providers.
6.4 NIST AI Risk Management Framework
NetX aligns its AI governance practices with the NIST AI Risk Management Framework (AI RMF 1.0), which provides a structured approach to managing risk across the AI system lifecycle. Our alignment spans the four core functions of the framework:
- Govern: The CTO serves as the named AI governance owner with defined accountability. The AI Policy formalizes roles, responsibilities, and ethical principles. A formal AI Governance Committee is planned as the organization scales.
- Map: An internal register of AI service providers and integrations is maintained by the CTO. Pre-integration reviews assess risk, data handling, and compliance alignment for each AI capability. Prohibited and restricted use categories are defined in Section 8.
- Measure: AI service integrations are monitored through cloud observability tooling. An AI-specific incident classification framework (Section 5.6) defines severity tiers. Human oversight requirements provide a qualitative check on output quality for high-stakes uses.
- Manage: Identified risks are addressed through contractual controls with providers, architectural decisions (data isolation, graceful degradation), human review workflows, and the incident response process. Policy review is triggered by incidents and material changes.
NetX has not yet commissioned a formal independent assessment against the NIST AI RMF. Such an assessment is under consideration as part of ongoing governance maturation.
6.5 Facial Detection — Regulatory Awareness
NetX is aware that facial recognition technology is subject to specific regulatory requirements in certain jurisdictions, including the Illinois Biometric Information Privacy Act (BIPA), similar statutes in other U.S. states, and relevant provisions of GDPR Article 9 (biometric data as a special category).
NetX’s implementation is deliberately scoped to facial detection (the identification that a face is present in an image) rather than facial recognition or biometric identification (the matching of a face to a named individual). This distinction is material to the regulatory analysis:
- NetX does not store biometric templates or facial embeddings.
- The association of a detected face with a named individual is performed by a human user, not by the NetX platform.
Customers who enable the facial detection feature and subsequently perform identification workflows within their own systems are responsible for compliance with applicable biometric privacy laws in their jurisdiction. Customers are encouraged to review their BIPA, GDPR Article 9, and equivalent obligations before enabling this feature.
6.6 Other Regulatory Frameworks
NetX does not store medical records (HIPAA does not apply) or payment card data (PCI DSS does not apply). If your organization operates in a regulated sector and requires specific compliance documentation, please contact your NetX account representative.
7. Ethical AI Principles
NetX’s approach to AI is grounded in a set of principles that reflect our values as a company and our responsibility to customers, their end users, and the individuals whose content or likenesses may be present in customer archives.
7.1 AI as an Augmentation Tool
NetX believes that AI is most valuable when it enhances human expertise rather than replacing it. Our products are designed to surface information, accelerate workflows, and reduce manual effort — while keeping human judgment in the decision loop. We do not seek to automate away the expertise of archivists, curators, historians, photographers, or other specialists who are our customers’ most important assets.
7.2 Transparency
NetX is transparent with customers about which AI features are active and how AI-generated content or metadata is produced. We do not present AI outputs as definitive facts without appropriate disclosure that they are AI-generated.
7.3 Human Oversight
AI outputs in our products are subject to human review wherever those outputs are used to make or inform decisions about individuals, or wherever they are surfaced in public-facing contexts:
- Facial Detection: The NetX platform identifies that a face is present. A human user must take the additional step of identifying and tagging that face with a person’s name. NetX does not automate identification.
- NetX AuthorityAI: All LLM-generated responses intended for public-facing publication must pass through a structured approval workflow. Historians, archivists, and subject-matter experts review and approve AI-generated content before it reaches any public audience.
7.4 Accuracy and Bias Awareness
NetX acknowledges that AI models can produce inaccurate, biased, or incomplete results. We take the following steps to manage this risk:
- AI-generated metadata and responses are labeled as AI-generated in the user interface, enabling users to apply appropriate skepticism.
- Customers are encouraged to use human review workflows — particularly for historically significant or sensitive content.
- We monitor AI provider announcements for known bias or accuracy issues and communicate material changes to affected customers.
7.5 No Workforce Displacement Intent
NetX does not position its AI capabilities as a mechanism for reducing human headcount in our customers’ organizations. We actively design our AI features to support and extend the capabilities of archivists, librarians, curators, and related professionals, not to supplant them.
8. Prohibited and Restricted Uses
NetX’s AI features are intended to support digital asset management, archival research, content organization, and similar legitimate creative and institutional purposes. The following uses are prohibited under NetX’s Terms of Service and this policy.
8.1 Absolute Prohibitions
The following uses are prohibited regardless of customer configuration or contractual arrangement:
- Generating AI-derived content intended to deceive, defame, or misrepresent real individuals.
- Using NetX AI features to infer or classify individuals based on protected characteristics (race, ethnicity, religion, gender, sexual orientation, disability, or similar attributes).
- Scraping or aggregating NetX AI outputs to build derivative AI models or training datasets.
- Any use that violates applicable law, including privacy statutes, anti-discrimination law, or export controls.
8.2 Restricted Uses Requiring Customer Accountability
The following uses are technically possible within the platform but require customers to take explicit responsibility for compliance with applicable laws and internal policies:
- Enabling the Facial Detection feature: Customers must review relevant biometric privacy obligations in their jurisdiction (see Section 6.5) before activating this feature.
- Processing archives containing images of minors: Customers must ensure their use of AI analysis on content depicting minors complies with applicable child privacy laws (e.g., COPPA, GDPR provisions for children’s data).
- Publishing AI-generated content without review: Customers who choose to publish AuthorityAI outputs without using the approval workflow assume full responsibility for the accuracy and appropriateness of published content.
NetX reserves the right to suspend AI features for customers where prohibited use is identified, pending investigation and remediation.
9. Customer Responsibilities
As a SaaS provider, NetX establishes the platform and controls described in this policy. Customers are responsible for how they configure and use those features within their organizations. Customer responsibilities include:
- Enabling only the AI features appropriate for their use case and regulatory context.
- Establishing and enforcing internal policies for the review and approval of AI-generated metadata and content before use in consequential decisions or public communications.
- Ensuring that end users are informed, where required by law, that AI is being used to analyze or process assets.
- Complying with applicable privacy laws governing the personal data present in their asset collections, including obtaining necessary consents before processing images of individuals.
- Promptly notifying NetX of any suspected misuse of AI features or of any security incidents that may have exposed customer data.
- Reviewing and accepting applicable terms of service for AI features, including any feature-specific terms.
10. AI Incident Reporting
NetX maintains a formal channel for customers to report concerns, unexpected behaviors, or suspected incidents related to AI features. This process is integrated with NetX’s general security incident response process.
10.1 What to Report
Customers are encouraged to report:
- AI outputs that appear materially inaccurate, biased, or harmful.
- Unexpected AI behavior (e.g., a feature producing results outside its documented scope).
- Evidence of prohibited use of NetX AI features by other parties.
10.2 Reporting Process
AI-related incidents or concerns should be reported via NetX’s standard support channel, with ‘AI Incident’ noted in the subject line. Reports are escalated to the CTO within one business day. NetX will acknowledge the report within one business day and provide a substantive response within five business days.
10.3 NetX Reporting to Customers
Where NetX becomes aware of an AI-related incident that may have affected a customer’s data or AI outputs, we will notify affected customers promptly — and no later than 72 hours following confirmation of a data breach, in accordance with GDPR Article 33. Notifications will describe the nature of the incident, the data or features affected, and the steps taken or planned in response.
11. Policy Review and Updates
This policy is reviewed at minimum annually by the CTO. A review is also triggered by any of the following:
- Addition of a new AI feature or AI service provider.
- A material change in applicable law or regulation (e.g., new AI-specific legislation).
- A significant AI-related incident.
- A change in NetX’s product architecture that materially affects AI data flows.
Appendix: Definitions
| Term | Definition |
|---|---|
| AI / Artificial Intelligence | Computational systems that perform tasks typically associated with human intelligence, including image recognition, natural language understanding, and content generation. |
| RAG (Retrieval-Augmented Generation) | An AI architecture that combines a vector-based retrieval system (which finds relevant stored content) with a large language model (which formulates a response). Used in NetX AuthorityAI. |
| Embeddings | Mathematical vector representations of content (text, images) used to enable semantic similarity search within the AuthorityAI RAG system. |
| Facial Detection | AI analysis that identifies the presence of a face in an image. Does not perform identification or matching of faces to named individuals. |
| Large Language Model (LLM) | An AI model trained on large text corpora that can generate and analyze natural language. Used in NetX AuthorityAI. |
| PII | Personally Identifiable Information: any information that can identify a natural person, directly or indirectly. |
| SOC 2 | Service Organization Control 2: an auditing standard assessing controls relevant to security, availability, processing integrity, confidentiality, and privacy. |
| GDPR | General Data Protection Regulation: EU regulation governing the processing of personal data. |
| BIPA | Illinois Biometric Information Privacy Act: Illinois state law governing the collection and use of biometric identifiers. |