🤖 AI Technical & Organizational Measures

This page sets out the technical and organizational measures Dreamdata applies to any artificial intelligence or machine learning capability used in providing the Dreamdata Services ("AI/ML"). It is referenced from the Dreamdata Data Processing Agreement (DPA) and supplements, but does not replace, the [Security TOMs](https://dreamdata.io/technicalandoperationalmeasures). Where there is a conflict between this page and a specific commitment in the DPA on the same subject matter, the DPA prevails.

1. Scope

These measures apply to any AI or machine learning capability used by Dreamdata in providing the Services. They cover traditional machine learning, generative AI, large language models, and agentic systems where applicable.

2. Current Use of AI in the Services

Dreamdata currently uses traditional machine learning for most of its AI capabilities in the Services. ML capabilities include attribution modeling, account and contact scoring, identity resolution, pattern recognition, and data matching. These models are deterministic, trained per-tenant on the customer's own data, and produce outputs scoped to that customer.

Dreamdata also uses a large language model in a limited orchestration role within the natural language report generation feature. The large language model interprets a customer-initiated request and routes it to Dreamdata's deterministic report generation engine, which produces the report from the customer's own data. The large language model does not generate analytics, business data, or insights, and is not used to author content shown to the customer beyond the interpretation of the request itself.

Apart from this specific use, Dreamdata does not currently use generative AI or agentic AI in the Services.

Any future change to this position will be communicated here and on our trust center.

3. Third-Party AI Providers

Dreamdata's ML models are proprietary and run on Dreamdata's own infrastructure in Google Cloud Platform, in EU regions only. No Customer Data is sent to third-party AI providers (including but not limited to OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, or Google) for the training or fine-tuning of any AI model.

Where Dreamdata uses a large language model for natural language understanding within the natural language report generation feature (see Section 2), the model is provided by an enterprise-tier third-party AI provider listed in our sub-processor list. The provider is contractually bound not to use Customer Data to train, fine-tune, or improve its models, and operates under minimal or zero retention terms for Customer Data submitted for inference.

Apart from this specific use, no Customer Data is sent to third-party AI providers for inference.

4. Use of Customer Data for Training

Customer Data is not used to train, fine-tune, or improve:

-- Any third-party foundation model;

-- Any model that processes data belonging to more than one customer;

-- Any aggregated, shared, or cross-tenant model.

The only training that occurs is per-tenant: trained exclusively on the customer's own data, used only within that customer's tenant, and not shared with, accessible to, or influenced by any other customer.

5. Tenant Isolation

Each customer's ML models are trained only on that customer's data and operate only within that customer's tenant. Cross-tenant data flow through model behaviour is structurally prevented by tenant scoping. There is no pooled training set.

6. Categories of Data Processed by AI/ML

ML features process Customer Data already ingested into the Services from connected sources (for example, CRM, marketing tools, website tracking, advertising platforms). This typically includes:

-- Contact-level data (name, business email, company, job title)

-- Account-level data

-- Event and activity data

-- Campaign and cost data

ML features do not process special categories of personal data, health data, data relating to minors, HR data, or other categories of highly sensitive data. Customers contractually agree under the DPA not to submit such data to the Services.

7. Customer Controls

ML-driven features (for example, data-driven attribution modeling) are configurable at the tenant level and can be disabled on request.

Cross-customer benchmarking, where offered, is opt-in and disabled by default.

For any future generative AI feature added to the Services, Dreamdata commits to providing a workspace- or tenant-level administrator toggle to disable that feature.

8. Data Retention and Deletion

Upon termination of the contract, Customer Data — including any per-tenant ML model artefacts trained on that Customer Data — is deleted within 60 days, in line with Dreamdata's standard deletion process. Per-tenant models are not retained, reused, or transferred.

9. AI Risk Classification

Dreamdata's use of AI in the platform is classified as minimal-risk under the EU AI Act. Dreamdata does not build or operate high-risk or prohibited AI systems as defined under the EU AI Act.

10. Security and Operational Controls

AI/ML controls are documented in Dreamdata's Application Security Baseline (SSDLC) and include:

-- Input validation

-- Agent authorization boundaries and tool/function allowlists (applicable to any future agentic features)

-- Data handling and access controls aligned with the Security TOMs

-- Logging and monitoring of model inputs and outputs where appropriate

Dreamdata's AI Governance program is aligned with the NIST AI Risk Management Framework (Govern, Map, Measure, Manage).

11. Personnel

Engineering staff developing AI/ML features follow Dreamdata's Application Security Baseline, which includes specific requirements for AI and agentic systems. Responsible AI practices are embedded in Dreamdata's SSDLC review process.

12. Future AI Features

Dreamdata is evaluating additional ML and AI-assisted features. Any new AI feature will:

a. Pass through Dreamdata's Basic AI Risk Review and, where warranted, a full AI Business Impact and Risk Assessment;

b. Be recorded in Dreamdata's AI Registry;

c. Be disclosed on Dreamdata's Trust Center;

d. Continue to honour the protections in Sections 3, 4, and 5 of this page (no training of third-party foundation models on Customer Data; no cross-tenant pooling);

e. Where the new feature would send Customer Data to a third-party AI provider for inference, be subject to the Sub-processor approval and objection process in the DPA, at least 30 days' prior notice via the Sub-processor Notification mechanism, and a contractual commitment from the provider that Customer Data is not used to train or improve the provider's models, with minimal or zero retention.

13. Changes to These Measures

Material changes to this page (including any change to the categories of AI used, third-party providers, or training-data posture) will be communicated to customers with not less than 30 days' written notice via the Sub-processor Notification mechanism. The Customer's right to object under the Sub-processing section of the DPA applies equally to material changes communicated under this Section.