
Artificial Intelligence and Generative AI Policy

Policy Owner: Daniel Peixoto
Effective Date: Apr 19, 2026

Purpose

To define how Straloo Tecnologia LTDA uses artificial intelligence (AI) and generative AI (GenAI) in a secure, lawful, and responsible manner while protecting confidential information, intellectual property, and stakeholder trust.

This policy establishes governance, data protection, and technical safeguards for AI and GenAI use across business and engineering activities.

Scope

This policy applies to all Straloo Tecnologia LTDA employees, contractors, consultants, and third-party entities who access, process, store, or transmit Straloo Tecnologia LTDA or customer data and who use AI-enabled tools, systems, or services in connection with Straloo Tecnologia LTDA business.

This policy applies to internally hosted AI capabilities, third-party AI services, and AI features embedded in software or platforms used by Straloo Tecnologia LTDA.

General requirements

AI compliance and acceptable use

All use of AI and GenAI shall comply with applicable laws, regulations, contractual commitments, and company policies, including the Information Security Policy (AUP), Data Management Policy, Risk Management Policy, and Third-Party Management Policy.

Personnel shall only use AI tools for legitimate business purposes and must not use AI systems to process, generate, or disclose information in a manner that violates confidentiality, privacy, or intellectual property obligations.

Use of public or commercial GenAI tools with confidential, restricted, customer, or proprietary information is prohibited unless explicitly approved by management and protected by contractual and technical safeguards aligned with company requirements.

AI-enabled recording, meeting transcription, or note-generation features shall not be used for confidential or sensitive discussions unless explicitly authorized and managed in accordance with company security and data handling requirements.

AI training and awareness

Personnel who use AI tools as part of their role shall complete security and privacy awareness training at onboarding and periodically thereafter, including guidance on secure prompting, data handling, confidentiality, and validation of AI-generated output.

Engineering and technical personnel shall receive role-appropriate training on AI-related risks, including prompt injection, hallucination, model drift, bias, data leakage, and insecure tool integration.

AI data protection

Data used with AI systems shall be classified and handled according to the Data Management Policy. Confidential and restricted information must remain protected by least-privilege access controls, encryption in transit and at rest, and approved retention and disposal practices.

Data minimization principles shall be applied to AI workflows. Only the minimum data required for the intended business purpose may be shared with AI systems.

AI tools shall not be used to bypass existing restrictions on data transfer, storage, export, or disclosure to third parties.

Where available, preference shall be given to enterprise-hosted or enterprise-governed AI services that provide stronger administrative control over data processing and retention.

AI governance

Management is responsible for oversight of AI usage and for ensuring this policy remains aligned with business, legal, and security requirements.

Proposed new AI use cases, integrations, or material changes to AI-enabled processes shall be reviewed through existing governance mechanisms, including change management and risk review procedures where applicable.

Exceptions to this policy shall be formally approved and documented.

AI delivery and supply chain

Third-party AI vendors, model providers, and AI-enabled subprocessors shall be assessed in accordance with the Third-Party Management Policy before use with company or customer data.

Contracts and agreements for AI-enabled services shall include confidentiality, security, privacy, and data-use obligations appropriate to the sensitivity of information involved.

Material supplier changes that may impact data protection, model behavior, or service security shall be reviewed and managed through existing supplier review and risk management processes.

AI risk management

AI-related risks shall be identified, evaluated, and treated within the company risk management framework, including risks related to confidentiality, integrity, availability, privacy, compliance, model behavior, and operational resilience.

Risk responses may include mitigation, acceptance, transfer, or avoidance in accordance with the Risk Management Policy.

AI-related incidents, suspected misuse, and security concerns shall be reported and handled in accordance with the Incident Response Plan.

AI technical guardrails

AI-enabled systems and workflows shall implement appropriate technical and operational safeguards based on risk, including access controls, logging and monitoring, and secure configuration practices.

AI outputs that may impact customers, legal obligations, safety, clinical interpretation, or material business decisions shall be reviewed by qualified personnel before being relied upon.

Where feasible and appropriate, testing and monitoring practices shall be used to detect and reduce reliability and safety issues, including hallucination, bias, and drift that could materially affect outcomes.

Exceptions

Requests for an exception to this policy must be submitted to the IT Manager for approval.

Violations & enforcement

Any known violations of this policy should be reported to the IT Manager.

Violations of this policy can result in immediate withdrawal or suspension of system and network privileges and/or disciplinary action in accordance with company procedures up to and including termination of employment.

Version history

Version: 1.0
Date: Apr 19, 2026
Description: Version 1.0
Author: Daniel Peixoto
Approver: Daniel Peixoto