Legal Guidelines

3DEye AI Governance Policy

Ethical AI Deployment, Security, Transparency, and Fundamental Rights

1. Introduction

3DEye commits to ethical AI deployment that prioritizes security, transparency, and fundamental rights. This policy ensures compliance with GDPR and global standards, embedding Privacy by Design (PbD) into all AI systems.

2. Scope

This policy applies to:

  1. All AI/ML models (object detection, facial recognition, ALPR)
  2. Data processing workflows
  3. Third-party integrations
  4. Development, testing, and production environments

3. Core Principles

3.1 Privacy by Design (privacy law compliance)

  1. Data Minimisation: Collect only essential data (e.g., anonymize faces in non-security contexts).
  2. Default Protections:
    1. End-to-end encryption (AES-256) for data at rest/in transit.
    2. Pseudonymization of biometric data (GDPR Art. 4(5)).
  3. User Control:
    1. Explicit opt-in for facial recognition processing (GDPR Art. 9).
    2. Right to erasure without undue delay and as required by applicable law in the US, Canada, the EU and elsewhere.

3.2 Fairness & Transparency

  1. Bias mitigation: Regular audits of AI models for demographic/racial bias.
  2. Explainability: Provide plain-language summaries of AI decisions (e.g., “Why was this flagged?”).

3.3 Security & Integrity

  1. MFA mandatory for AI management system access.
  2. Threat modelling for all new AI features.

4. Ethical AI Principles

  1. Fairness. Ensure AI systems do not discriminate and are unbiased. Regular audits for bias in AI algorithms will be conducted across diverse demographic groups, with continuous monitoring of false positive/negative rates across protected categories.
  2. Accountability. Establish clear responsibility for AI outcomes. Designated personnel will be responsible for the monitoring and outcomes of AI systems, with documented decision trails for all AI-generated actions.
  3. Transparency. Maintain clear documentation and communication about AI capabilities and limitations. Users will be informed when AI is being used and how decisions are made, including disclosure of confidence levels for recognition systems.
  4. Human Oversight. Require human intervention for critical decisions. AI systems will be designed to allow human override of automated decisions, especially in security-critical scenarios involving access restrictions or law enforcement alerts.

5. Roles & Responsibilities

  • Data Protection Officer (DPO) — GDPR/PIPEDA/CCPA compliance oversight, DPIA leadership
  • AI Ethics Committee — Review and approve high-risk AI use cases (e.g., facial recognition)
  • Developers — Implement Privacy by Design in code; document data flows

6. Data Management

  1. Storage: Data processed as required by legal jurisdiction (for example, EU data processed within the EEA to the extent and manner mandated by local law).
  2. Retention: Video data deleted after 30 days (configurable per camera customer).
  3. Impact Assessments (DPIAs): Required for all AI systems processing biometric data.

7. AI Development Lifecycle

  1. Design:
    1. Conduct DPIA and bias assessment.
    2. Document legal basis for processing (GDPR Art. 6).
  2. Testing:
    1. Validate models against diverse datasets (age, ethnicity, lighting conditions).
  3. Deployment:
    1. API-enabled user consent management.
    2. Real-time monitoring for anomalous behaviour.

8. Monitoring & Auditing

  1. Quarterly:
    1. Bias audits using industry standard toolkits.
    2. Penetration testing of AI APIs.
  2. Annual:
    1. GDPR/CCPA compliance review by external auditors.

9. Incident Response

  1. 72-Hour Breach Notification: To authorities and affected users (GDPR Art. 33).
  2. AI-Specific Playbook: Includes model rollback procedures and bias-correction protocols.

10. Training

Employee Training Courses:

  1. Legal requirements for AI teams (annual).
  2. Ethical AI development (biannual).

11. Policy Review

  1. Updated every 6 months or after:
    1. New AI regulations (e.g., EU AI Act).
    2. Security incidents involving AI systems.

Effective Date: May 27, 2026

Approved by: Viachaslau Hrytsevich, CEO

Compliance Reference: GDPR (Arts. 5, 9, 25, 33, 35), ISO/IEC 27001, NIST AI RMF
