This policy describes how Pathwerks uses artificial intelligence and Ai-driven access to client systems. It is a companion to our Privacy, Non-disclosure, and Data Retention policy. Ai introduces realities the privacy policy alone doesn't fully cover — most importantly, that connecting Ai to a client system necessarily exposes ordinary business data to a third-party tool. This page describes how we handle that.
How we use Ai
Pathwerks uses general-purpose Ai assistants from providers such as Anthropic (Claude), OpenAI (ChatGPT), and others, alongside Ai features built into client products such as Zoho Zia, for drafting, summarization, research, and code generation in support of client work. The set of tools we use changes frequently as the industry evolves. Ai is a tool we use; it is not the consultant. Every Ai output is reviewed before it is applied to a client system, sent to a client, or relied on as fact.
What Ai sees in our work
We treat what we put in front of Ai with care, and we recognize that linking Ai directly to a client system exposes data automatically.
- We only paste material into Ai chat windows that is necessary to do the work. We use sample data, anonymized scenarios, or schema-only descriptions where they are sufficient.
- When we link Ai to a client system, the Ai necessarily sees ordinary business data — names, emails, phone numbers, addresses, account information. This is unavoidable for the work to be useful.
- We do not put credentials (passwords, API keys, OAuth tokens), full credit card or bank account numbers, full SSNs, or Protected Health Information into Ai tools. However, Ai may have access to such information if it is stored unencrypted on the client system.
Vendor selection and retention
- We use Ai services on plans whose terms exclude customer inputs and outputs from being used to train the underlying models.
- We prefer providers operating in the United States.
- Where the vendor offers it, conversation history retention in our accounts is set to the shortest duration practical, and any client-related Ai conversation logs in our control are deleted on the same 90-day schedule as other client data.
- Ai providers may retain their own copies of conversation data on their systems per their published terms.
- If a client requires a specific provider, prohibits a specific provider, or wants Ai excluded from their engagement entirely, we honor that in writing.
- A current list of Ai services in use on a given engagement is available on request.
How we connect Ai to client systems
Modern Ai assistants can be linked directly to business systems — a CRM, an inbox, an accounting platform — so the Ai can read records during a working session. When we use one of these links in a client environment:
- The link uses our own login to the client system. The Ai cannot reach anything we couldn't already reach ourselves.
- For all client systems, we use Zoho's external connector rather than the Ai platform's built-in connector. This means access control lives in Zoho — outside the Ai platform entirely — and can be revoked independently, even if the Ai account were inaccessible.
- We use these links for reading data and for creating test records. We do not use Ai to edit data or to run bulk operations, mass deletes, batch sends, scheduled jobs, or anything that would touch a large portion of client data at once.
- Every access request must be manually approved before the Ai can act. This is enforced at the connection level in Zoho and cannot be bypassed by the Ai.
- Where a test environment or "sandbox" is available, we use that rather than the production account.
- Sessions are interactive. Nothing runs unattended.
- Every action taken through the link is logged in the client system under our account, so a normal audit trail exists.
- Links are disconnected when not in active use and revoked at engagement end, consistent with our 90-day data deletion commitment.
Generated code and client-facing content
- Code that Ai helps us write is read, tested, and understood before deployment. We do not ship code we cannot explain.
- Ai-assisted emails, proposals, and client communications are reviewed and edited before they are sent.
- Ai is woven into how we work day to day. We do not claim our deliverables are Ai-free, and we will not misrepresent them as such.
Regulated data
We do not represent that the Ai tools we use meet the requirements of HIPAA, CQC, PCI-DSS, or similar regulatory frameworks. The general-purpose Ai assistants we work with are not under Business Associate Agreements with us, and we do not put Protected Health Information or other regulated data into them.
If a client operates in a regulated environment, we work with them to define which parts of the engagement can be supported with Ai and which cannot. Regulated workflows will be configured to run without Ai upon request.
Accountability
Ai is a tool. Errors in our work caused by Ai are our responsibility, not the tool's. If something we built or sent on a client's behalf is wrong, we own the fix.
Changes to this policy
This policy is reviewed at least annually and updated when our tooling changes materially. Clients with concerns about a specific Ai tool, system link, or workflow are welcome to raise them at any point in an engagement.
Last updated: April 28, 2026
For questions,