AI Acceptable Use Policy
Document ID: DPWAT-ISMS-POL-015
Version: 1.0
Owner: ISMS Manager / CISO (RMSI) — Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Purpose and scope
This policy defines how DP WAT uses AI tools (including LLMs) in day-to-day work in a way that protects customer confidentiality and DP WAT information.
It applies to all personnel and to all AI tools used for DP WAT work, whether accessed through DP WAT subscriptions or customer-provided subscriptions.
2. Approved usage model (baseline)
- Use business/enterprise accounts configured for no training and no retention where available and applicable.
- Follow customer contractual requirements and instructions when using customer AI subscriptions.
- Use AI as an assistive tool; humans remain responsible for outputs and for security decisions.
3. Prohibited inputs (unless explicitly approved by customer and risk-assessed)
- Credentials, secrets, API keys, tokens, recovery codes.
- Customer production data exports and sensitive customer datasets.
- Security-sensitive internal incident details that increase exploitability.
4. Allowed inputs (risk-based)
Subject to customer permission and least disclosure:
- Source code and architecture descriptions for the purpose of development assistance.
- Non-sensitive technical documentation.
- Synthetic or anonymized examples that do not reveal customer secrets.
5. Records
- AI tooling used must be recorded in the supplier register (supplier-register).
- Where a customer requires their own AI subscription, record this requirement in project documentation and supplier review evidence.