Our AI Policy

1. Purpose

This policy establishes the framework for the responsible development, deployment, operation, and use of artificial intelligence (AI) tools at BlockSurvey, ensuring compliance with data protection laws, cybersecurity standards, and ethical principles. It applies to all AI systems, including those used for survey creation, data analysis, and user interaction, and covers the processing of input and output data.

2. Scope

This policy applies to all BlockSurvey employees, contractors, vendors, and third parties involved in the development, deployment, operation, or use of AI tools. It encompasses all AI systems, including machine learning (ML) models, and the handling of personal and non-personal data.

3. Definitions

  • AI System: A system that uses machine learning or other AI technologies to perform tasks, as defined by ISO/IEC 22989:2022.
  • Personal Information: Any data relating to an identified or identifiable individual, as per applicable data protection laws (e.g., GDPR, CCPA).
  • Privacy-Enhancing Technologies (PETs): Technologies that minimize personal data use and maximize data security while enabling functionality.

4. AI Development and Maintenance Practices

BlockSurvey adheres to industry best practices and recognized standards for secure AI system development, as outlined below:

4.1 Development Standards
  • ISO/IEC 22989:2022: BlockSurvey uses standardized AI terminology and concepts to ensure clear communication and interoperability across AI development processes.
  • ISO/IEC 23053:2022: AI systems are developed using a framework that defines system components and roles, ensuring responsible design and interoperability.
  • ISO/IEC 23894:2023: Risk management processes are integrated into AI development, identifying and mitigating risks such as bias, data misuse, and transparency issues.
  • ISO/IEC 42001:2023: An AI Management System (AIMS) is implemented, following the Plan-Do-Check-Act methodology to manage risks and ensure ethical governance.
  • NIST AI Risk Management Framework: Development aligns with NIST’s framework, focusing on explainability, robustness, fairness, and accountability across the AI lifecycle (Map, Measure, Manage, Govern).
  • NCSC/CISA Guidelines: BlockSurvey follows the Guidelines for Secure AI System Development, including secure design, threat modeling, and protection against adversarial attacks (e.g., data poisoning, model inversion).
4.2 Secure Development Practices
  • Threat Modeling: Regular threat modeling using the Ascend, STRIDE, and OWASP frameworks to identify vulnerabilities such as adversarial attacks, data poisoning, and model extraction.
  • Adversarial Testing: AI models are tested for resilience against evasion, poisoning, and extraction attacks.
  • Secure Coding: Developers adhere to secure coding practices, minimizing superfluous functionalities to reduce attack surfaces.
  • Model Validation: Models undergo white-box, grey-box, and black-box testing to ensure ethical alignment and performance reliability.
  • Version Control and Documentation: All AI system changes are documented and version-controlled to ensure traceability and auditability.
4.3 Maintenance and Monitoring
  • Continuous Monitoring: AI systems are monitored for performance, security, and ethical outcomes, with annual AI Impact Assessments (AIIAs) to evaluate societal, ethical, and legal impacts.
  • Regular Updates: Models are updated based on performance evaluations, emerging threats, and regulatory changes to ensure ongoing compliance and security.

5. Data Protection and Privacy

BlockSurvey is committed to protecting personal information in compliance with applicable data protection laws and security standards, including GDPR, CCPA, SOC 2, ISO, and HIPAA.

5.1 Collection, Use, Processing, and Disclosure
  • Data Minimization: BlockSurvey collects only the minimum personal information necessary for AI tool functionality, such as user account data (e.g., email, name) and survey responses.
  • Purpose Limitation: Personal data is processed solely for the purposes of providing survey services, analytics, and user support, as outlined in BlockSurvey’s Privacy Policy.
  • Consent: Users provide explicit consent for data processing during account creation or survey participation.
  • Disclosure: Personal data is not shared with third parties except as required by law or with user consent (e.g., for third-party integrations explicitly authorized by users).
  • Data Retention: Personal data is retained only as long as necessary for the stated purpose, after which it is securely deleted or anonymized.
5.2 Compliance with Data Protection Laws
  • GDPR: BlockSurvey implements Data Protection Impact Assessments (DPIAs) for high-risk AI processing, ensuring compliance with GDPR requirements.
  • CCPA: Users are provided with rights to access, delete, or opt out of the sale of their personal information.
  • SOC 2: BlockSurvey adheres to SOC 2 Type II standards, ensuring security, availability, processing integrity, confidentiality, and privacy of customer data.
  • ISO: Compliance with ISO/IEC 27001 ensures robust information security management systems.
  • HIPAA: BlockSurvey implements safeguards to protect health-related data, ensuring compliance with HIPAA regulations for any applicable survey data.
  • Audit Trail: All data processing activities are logged and auditable to demonstrate compliance.

6. Privacy-Enhancing Technologies (PETs)

BlockSurvey employs the following PETs to enhance user privacy:

  • End-to-End Encryption: End-to-end encryption with custody of the encryption keys given to the end customer. BlockSurvey has zero knowledge of users' keys and data.
  • Anonymization: Where possible, survey data is anonymized to prevent identification of respondents.
  • Differential Privacy: Statistical noise is added to aggregated survey analytics to protect individual responses while maintaining data utility.
  • Secure Multi-Party Computation: Used in specific cases to enable collaborative data processing without exposing raw data.
  • Access Controls: Role-based access controls limit employee access to personal data to only what is necessary for their role.

7. Regulatory Compliance and Monitoring

BlockSurvey maintains robust policies to monitor and comply with AI-related regulatory developments:

  • Regulatory Tracking: A dedicated compliance team monitors global AI regulations (e.g., EU AI Act, UK data protection laws) and updates policies accordingly.
  • Compliance Audits: Annual audits are conducted to ensure adherence to ISO/IEC 42001, NIST AI RMF, SOC 2, and HIPAA standards.
  • Vendor Management: Third-party AI vendors are assessed for compliance with BlockSurvey’s ethical and security standards through contractual safeguards and independent audits.
  • Incident Response: A documented incident response plan addresses potential data breaches or AI system failures, with prompt notification to affected users and regulators as required.

8. AI Governance Policies

  • Ethical AI Use: AI systems are designed to avoid bias, ensure transparency, and respect user autonomy, in line with ISO/IEC 38507 guidelines.
  • Accountability: Decision-making processes in AI systems are traceable, with logs maintained for auditing purposes.
  • Stakeholder Engagement: BlockSurvey engages with users, regulators, and industry groups to align AI practices with stakeholder expectations.
  • Continuous Improvement: AI governance practices are regularly reviewed and refined based on feedback, technological advancements, and regulatory changes.

9. Training and Awareness

  • Staff Training: All employees receive regular training on AI security, data protection, and ethical AI use, tailored to their roles.
  • Threat Awareness: Employees are updated on emerging AI-specific threats (e.g., adversarial ML techniques) through bulletins and internal platforms.

10. Certification and Compliance

BlockSurvey maintains certifications for GDPR, SOC 2, ISO/IEC 27001:2022, and HIPAA.

  • Audits: Third-party audits to verify AIMS compliance with the above-mentioned standards.
  • Documentation: Comprehensive records of AI system development, risk assessments, and governance actions.
  • Continuous Review: Annual supervision audits to maintain certifications and ensure ongoing compliance.

11. Contact Information

For questions or concerns about this policy, contact BlockSurvey’s Data Protection Officer at [email protected].

12. Policy Review

This policy is reviewed annually or as needed to reflect changes in technology, regulations, or business practices.