🤖 AI Technical & Organizational Measures

This page sets out the technical and organizational measures Dreamdata applies to any artificial intelligence or machine learning capability used in providing the Dreamdata Services ("AI/ML"). It is referenced from the Dreamdata Data Processing Agreement (DPA) and supplements, but does not replace, the [Security TOMs](https://dreamdata.io/technicalandoperationalmeasures). Where there is a conflict between this page and a specific commitment in the DPA on the same subject matter, the DPA prevails.

1. Scope

These measures apply to any AI or machine learning capability used by Dreamdata in providing the Services. They cover traditional machine learning, generative AI, large language models, and agentic systems where applicable.

2. Current Use of AI in the Services

Dreamdata currently uses traditional machine learning only in the Services. Current ML capabilities include attribution modeling, account and contact scoring, identity resolution, pattern recognition, and data matching. These models are deterministic, trained per-tenant on the customer's own data, and produce outputs scoped to that customer.

Dreamdata does not currently use generative AI, large language models, or agentic AI in the Services.

Any future change to this position will be communicated here and on our trust center.

3. Third-Party AI Providers

No customer data is sent to third-party AI providers (including but not limited to OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, or Google) for training, fine-tuning, or inference. All ML models used in the Services are proprietary to Dreamdata and run on Dreamdata's own infrastructure in Google Cloud Platform, in EU regions only.

4. Use of Customer Data for Training

Customer Data is not used to train, fine-tune, or improve:

  • Any third-party foundation model;
  • Any model that processes data belonging to more than one customer;
  • Any aggregated, shared, or cross-tenant model.

The only training that occurs is per-tenant: trained exclusively on the customer's own data, used only within that customer's tenant, and not shared with, accessible to, or influenced by any other customer.

5. Tenant Isolation

Each customer's ML models are trained only on that customer's data and operate only within that customer's tenant. Cross-tenant data flow through model behaviour is structurally prevented by tenant scoping. There is no pooled training set.

6. Categories of Data Processed by AI/ML

ML features process Customer Data already ingested into the Services from connected sources (for example, CRM, marketing tools, website tracking, advertising platforms). This typically includes:

  • Contact-level data (name, business email, company, job title)
  • Account-level data
  • Event and activity data
  • Campaign and cost data

ML features do not process special categories of personal data, health data, data relating to minors, HR data, or other categories of highly sensitive data. Customers contractually agree under the DPA not to submit such data to the Services.

7. Customer Controls

ML-driven features (for example, data-driven attribution modeling) are configurable at the tenant level and can be disabled on request.

Cross-customer benchmarking, where offered, is opt-in and disabled by default.

For any future generative AI feature added to the Services, Dreamdata commits to providing a workspace- or tenant-level administrator toggle to disable that feature.

8. Data Retention and Deletion

Upon termination of the contract, Customer Data — including any per-tenant ML model artefacts trained on that Customer Data — is deleted within 60 days, in line with Dreamdata's standard deletion process. Per-tenant models are not retained, reused, or transferred.

9. AI Risk Classification

Dreamdata's use of AI in the platform is classified as minimal-risk under the EU AI Act. Dreamdata does not build or operate high-risk or prohibited AI systems as defined under the EU AI Act.

10. Security and Operational Controls

AI/ML controls are documented in Dreamdata's Application Security Baseline (SSDLC) and include:

  • Input validation
  • Agent authorization boundaries and tool/function allowlists (applicable to any future agentic features)
  • Data handling and access controls aligned with the Security TOMs
  • Logging and monitoring of model inputs and outputs where appropriate

Dreamdata's AI Governance program is aligned with the NIST AI Risk Management Framework (Govern, Map, Measure, Manage).

11. Personnel

Engineering staff developing AI/ML features follow Dreamdata's Application Security Baseline, which includes specific requirements for AI and agentic systems. Responsible AI practices are embedded in Dreamdata's SSDLC review process.

12. Future AI Features

Dreamdata is evaluating additional ML and AI-assisted features. Any new AI feature will:

a. Pass through Dreamdata's Basic AI Risk Review and, where warranted, a full AI Business Impact and Risk Assessment;

b. Be recorded in Dreamdata's AI Registry;

c. Be disclosed on Dreamdata's Trust Center;

d. Continue to honour the protections in Sections 3, 4, and 5 of this page (no training of third-party foundation models on Customer Data; no cross-tenant pooling);

e. Where the new feature would send Customer Data to a third-party AI provider for inference, be subject to the Sub-processor approval and objection process in the DPA, at least 30 days' prior notice via the Sub-processor Notification mechanism, and a contractual commitment from the provider that Customer Data is not used to train or improve the provider's models, with minimal or zero retention.

13. Changes to These Measures

Material changes to this page (including any change to the categories of AI used, third-party providers, or training-data posture) will be communicated to customers with not less than 30 days' written notice via the Sub-processor Notification mechanism. The Customer's right to object under the Sub-processing section of the DPA applies equally to material changes communicated under this Section.