AI Data Protection Statement
ComplianceMetrix, Inc. ("CMX") provides the CMX1 platform, a cloud-based software-as-a-service offering for quality, food safety, and operational compliance programs. This AI & Data Protection Statement ("Statement") describes how CMX builds, operates, and governs the AI-assisted features of CMX1 and how we treat Customer Content in connection with those features. This Statement is a public commitment by CMX to our customers, prospects, and partners. Capitalized terms used but not defined here have the meaning given to them in the CMX1 Master Software and Services Terms (https://www.cmx1.com/standard-terms-and-conditions) (as updated in connection with this Statement, the "Agreement") or the CMX1 Data Processing Addendum (the "DPA").
On and after its effective date, this Statement is incorporated by reference into the Agreement and the DPA, and the Agreement and the DPA will be updated in parallel to reflect the commitments described herein. In the event of a conflict between this Statement and the Agreement or the DPA with respect to the AI Services, AI-Assisted Features, Customer Content processed by or in connection with the AI Services or AI-Assisted Features, Aggregated Data used in connection with AI-Assisted Features, or CMX’s AI-related data protection commitments, this Statement will apply unless the Agreement and/or the DPA expressly provides otherwise, in which case the Agreement and/or DPA will control.
1. Scope
This Statement applies to features of the CMX1 platform that use artificial intelligence or machine learning to generate, summarize, classify, extract, translate, transcribe, or otherwise process Customer Content (collectively, "AI-Assisted Features"). AI-Assisted Features are part of the “AI Services” under the Agreement. This Statement does not apply to non-AI features of CMX1 or to any third-party product used outside CMX1. For clarity, this Statement applies only to CMX’s operation and provision of the AI Services and AI-Assisted Features, and does not apply to your independent use of third-party products or systems outside the CMX1 Platform.
2. Definitions
For purposes of this Statement:
"Aggregated Data" means aggregated, anonymized, or de-identified data, metrics, telemetry, statistics, analyses, or other information derived from use or operation of the CMX1 Platform, Services, AI Services, or AI-Assisted Features, in each case in a form that does not identify Customer, any Authorized User, any site or facility, or any natural person.
"Authorized User" means a “User” as defined in the Agreement.
"Customer Content" means Your Data, Inputs, Outputs to the extent owned by Customer under the Agreement, and all other data, text, files, images, audio, video, and other content that Customer or its Authorized Users submit to, generate within, or direct the CMX1 Platform, Services, AI Services, or AI-Assisted Features to process. Customer Content does not include the CMX1 Platform, Services, AI Services, Software, Modules, Documentation, CMX Prompts, CMX Output Materials, CMX Property, Aggregated Data, or other CMX technology, materials, formats, methods, templates, prompts, models, orchestration logic, or intellectual property.
"De-Identified Data" means data that has been processed so that it cannot reasonably be used, alone or in combination with other reasonably available information, to identify, relate to, describe, or be linked to you, any User, any site or facility, or any natural person. De-Identified Data excludes direct identifiers and persistent pseudonymous identifiers that could reasonably be used to re-identify you, any User, any site or facility, or any natural person.
"Enterprise Cloud AI Service" means an enterprise-grade hosted AI service offered by a cloud service provider under contractual terms that prohibit use of customer prompts, completions, or fine-tuning data to train the provider's or any third party's models. As of the effective date of this Statement, CMX's Enterprise Cloud AI Services are Amazon Bedrock (AWS) and Azure OpenAI Service (Microsoft). Enterprise Cloud AI Services are Third-Party Data dependencies used by CMX to provide the AI Services, as described in the Agreement.
"Foundation Model" means a large, general-purpose machine-learning model trained on broad data at scale and intended to be adapted to many downstream tasks (for example, large language models and large multimodal models).
"Model Developer" means an organization that researches, trains, or publishes a Foundation Model. Model Developers (for example, Anthropic, PBC and OpenAI, L.L.C.) are not CMX Subprocessors and do not receive Customer Content from CMX. CMX accesses their models only through Enterprise Cloud AI Services. A Model Developer is not a Subprocessor solely because its Foundation Model is made available to CMX through an Enterprise Cloud AI Service.
"Subprocessor" has the meaning given to it in the DPA. CMX maintains a current list of Subprocessors at https://trust.cmx1.com/. Enterprise Cloud AI Service providers that process Personal Data on behalf of CMX are included on CMX’s Subprocessor list as required by the DPA.
3. Training Limitations; Use of De-Identified and Aggregated Data
CMX may use Aggregated Data and De-Identified Data derived from Customer Content to train, fine-tune, develop, improve, and evaluate CMX models and AI Services, provided that such data does not identify Customer, any Authorized User, any site or facility, or any natural person, and is processed and used in compliance with applicable law.
CMX does not use identifiable Customer Content (including Personal Data) to train, fine-tune, develop, improve, or evaluate third-party Foundation Models or embedding models, except to the extent a Customer expressly agrees otherwise in writing.
For clarity, the foregoing restriction does not prohibit CMX from using Aggregated Data to analyze, improve, support, secure, maintain, test, demonstrate, benchmark, and operate the CMX1 Platform, Services, AI Services, or AI-Assisted Features, provided that CMX does not use Customer Content or Aggregated Data to train, fine-tune, develop, evaluate, or otherwise improve any Foundation Model, embedding model, third-party model, or CMX-internal machine-learning model.
CMX may derive De-Identified Data and Aggregated Data from Customer Content and use such De-Identified Data and Aggregated Data to train and improve CMX internal models and AI Services, provided that such data does not identify Customer, any Authorized User, any site or facility, or any natural person. Nothing in this Statement restricts CMX’s right to use Aggregated Data for benchmarking, analytics, testing, demonstration, system improvement, security monitoring, fraud prevention, support, service optimization, or similar internal business purposes, so long as such Aggregated Data does not identify you, any User, any site or facility, or any natural person and is not used for model training prohibited by this Section 3.
CMX does not transmit Customer Content to any Model Developer outside of a Customer's authenticated use of CMX1. CMX's use of Foundation Models is limited to inference through contracted Enterprise Cloud AI Services under terms that prohibit the provider from training on identifiable Customer Content or Personal Data submitted for inference. CMX will not knowingly configure any Enterprise Cloud AI Service used for AI-Assisted Features in a manner that permits identifiable Customer Content to be used to train, fine-tune, develop, evaluate, or otherwise improve any Foundation Model, embedding model, third-party model, or CMX-internal machine-learning model.
4. Customer Content Ownership and Use
Customer owns its Customer Content. CMX's use of Customer Content is limited to what is necessary to provide and secure the CMX1 service for that Customer, to comply with law, and to carry out the other purposes expressly set forth in the Agreement and the DPA. CMX does not sell Customer Content, does not use Customer Content for advertising, and does not use Customer Content for the benefit of another customer.
CMX may use Aggregated Data for benchmarking, analytics, testing, demonstration, system improvement, security monitoring, fraud prevention, support, service optimization, and related internal business purposes, provided that such Aggregated Data does not identify Customer, any Authorized User, any site or facility, or any natural person and is not used for model training prohibited by Section 3.
CMX does not claim ownership of Customer Content solely because Customer Content is processed by AI Services or AI-Assisted Features. Ownership of Outputs, CMX Prompts, CMX Output Materials, CMX Property, and other CMX technology and materials is governed by the Agreement.
5. Embeddings and Vector Storage
Some AI-Assisted Features generate vector embeddings from Customer Content to support retrieval and search. Where CMX persists embeddings: (a) the embeddings are stored within the same tenant-isolation boundary as the underlying Customer Content; (b) the embeddings are treated as Customer Content for purposes of this Statement, the Agreement, and the DPA; (c) the embeddings are deleted on the same schedule as the underlying Customer Content following Customer deletion or end-of-contract deletion; and (d) the embeddings are not used to train, fine-tune, or otherwise improve any model.
Aggregated Data derived from the operation or performance of embeddings or vector storage may be retained and used by CMX for system improvement, analytics, security, support, and service optimization, provided that such Aggregated Data does not identify you, any User, any site or facility, or any natural person and is not used for model training prohibited by Section 3.
6. Tenant Isolation and Security
Customer Content processed by AI-Assisted Features is handled under the same tenant-isolation, encryption-in-transit, encryption-at-rest, and access-control controls that apply to the rest of CMX1, as described in the DPA and documented in the CMX Trust Center at https://trust.cmx1.com/. Prompts submitted to, and completions returned from, Enterprise Cloud AI Services are not logged for training by CMX and are not used to improve any Foundation Model.
CMX may use Aggregated Data relating to system performance, availability, security, support, error rates, latency, feature usage, or similar operational metrics to improve, secure, maintain, and support the CMX1 Platform, Services, AI Services, and AI-Assisted Features, subject to Section 3.
7. Model Developers and Enterprise Cloud AI Services
CMX accesses Foundation Models only through Enterprise Cloud AI Services. As of the effective date of this Statement, CMX uses Amazon Bedrock (Amazon Web Services, Inc.) and Azure OpenAI Service (Microsoft Corporation) as Enterprise Cloud AI Services. The Foundation Models made available through these services are published by Model Developers including Anthropic, PBC and OpenAI, L.L.C. Model Developers are not CMX Subprocessors and do not receive Customer Content from CMX; CMX's contractual relationship for inference is exclusively with the cloud service provider that operates the Enterprise Cloud AI Service.
For clarity, Model Developers are not CMX Subprocessors solely because their Foundation Models are made available through an Enterprise Cloud AI Service. Enterprise Cloud AI Service providers are Subprocessors to the extent they process Personal Data on behalf of CMX under the DPA.
CMX's current list of Subprocessors — including the Enterprise Cloud AI Service providers — is maintained at https://trust.cmx1.com/. CMX provides advance notice of material changes to its Subprocessor list as set forth in the DPA. CMX may update the Enterprise Cloud AI Services used to provide AI-Assisted Features in accordance with the Agreement, DPA, and applicable Subprocessor notice requirements.
8. Human Oversight and Acceptable Use
AI-Assisted Features are designed to assist Authorized Users, not to make final regulatory, legal, or safety decisions without human review. Outputs may be incomplete or incorrect and should be reviewed by a qualified Authorized User before being relied upon in a regulated decision. Customers are responsible for configuring AI-Assisted Features consistent with applicable law, their own policies, and the CMX1 acceptable-use provisions of the Agreement.
AI-Assisted Features are not intended to replace human review, professional judgment, regulatory judgment, legal advice, safety judgment, or compliance oversight. You are responsible for determining whether your use of the AI Services or AI-Assisted Features is appropriate for your use case and complies with applicable laws, rules, regulations, and professional or industry standards.
9. Data Subject Rights and Deletion
CMX supports Customer responses to data-subject requests in accordance with the DPA. When a Customer deletes Customer Content or terminates its contract, CMX deletes or returns Customer Content — including any persisted embeddings and any other AI-related derived artifacts that fall within the definition of Customer Content — on the timelines specified in the DPA.
CMX may retain Aggregated Data after deletion or return of Customer Content, provided that such Aggregated Data does not identify you, any User, any site or facility, or any natural person and is not used for model training prohibited by Section 3.
10. Framework Alignment
CMX's AI governance program is designed against the NIST AI Risk Management Framework (AI RMF 1.0). CMX continues to evaluate alignment with ISO/IEC 42001:2023 (AI Management System) and will publish a current framework-mapping summary in the CMX Trust Center at https://trust.cmx1.com/ as alignment assessments are completed.
References to NIST AI RMF, ISO/IEC 42001:2023, or other AI governance frameworks describe CMX’s governance approach and do not state or imply that CMX is certified under, or fully compliant with, any framework unless CMX expressly identifies that certification or compliance status in writing.
11. How to Verify
The commitments in this Statement, including CMX’s restrictions on Customer Content training and CMX’s permitted use of Aggregated Data for system improvement, are implemented and evidenced through the following, which Customers and prospective Customers may review:
• CMX Trust Center (Drata): https://trust.cmx1.com/ — security certifications, control evidence, current Subprocessor list, and AI Framework mapping.
• Master Software and Services Terms: https://www.cmx1.com/standard-terms-and-conditions
• Data Processing Addendum: https://www.cmx1.com/data-processing-addendum, including its AI-specific provisions.
• Security and AI questionnaires: available on request via security@cmx1.com.
• This Statement: which prevails with respect to the AI Services, AI-Assisted Features, Customer Content processed by or in connection with the AI Services, Aggregated Data used in connection with AI-Assisted Features, and CMX’s AI-related data protection commitments.
12. Changes to This Statement
CMX may update this Statement from time to time. CMX will publish the current version on https://www.cmx1.com/ and in the CMX Trust Center at https://trust.cmx1.com/ and will indicate the effective date. Material changes that reduce CMX's commitments to Customer will be made in accordance with the change-control provisions of the DPA.
No update to this Statement will authorize CMX to use Customer Content to train, fine-tune, develop, evaluate, or otherwise improve any Foundation Model, embedding model, third-party model, or CMX-internal machine-learning model unless expressly agreed by the affected customer in writing.
13. Contact
Questions about this Statement may be directed to privacy@cmx1.com or security@cmx1.com.