Effective Date: August 08, 2025
Last Updated on: August 08, 2025
1. Overview
Spendflo uses Artificial Intelligence (AI) and Machine Learning (ML) technologies to deliver smarter, faster, and more efficient spend management experiences. This policy outlines how customer data is handled in AI-powered features, with a clear focus on privacy, isolation, and security-first principles.
2. AI Technologies in Use
Spendflo leverages the following AI technologies:
• Optical Character Recognition (OCR): Tesseract OCR for document parsing (e.g., contracts, invoices).
• Generative AI Services: AI models for text summarization, classification, enrichment, and language understanding powered by:
  • OpenAI
  • Google AI
Your data is never used to train or fine-tune any AI models.
3. How Your Data Is Used
3.1 Input to AI Systems
Your data may be processed as input for real-time analysis or enrichment by Spendflo’s AI-powered features, including:
• Uploaded contracts and invoices
• Procurement requests and forms
• Comments, notes, and metadata
• Vendor and agreement information
Where applicable (e.g., OCR contract extraction), you can review and edit results before adding them to your system.
3.2 Data Isolation & Multi-Tenant Controls
• Your data is isolated within your organization's workspace.
• No data sharing or mixing occurs across customers.
• AI features operate strictly within your environment.
3.3 Data Residency
• All data is processed and stored in AWS US-East-2 (Ohio).
• Spendflo does not support customer-specific data residency zones at this time.
4. AI Processing & Retention
4.1 Real-Time Processing
All AI features are designed to process data in real time during feature execution.
4.2 Third-Party AI Services
Spendflo uses leading AI providers to power certain capabilities. Your data is never used by these providers for model training.
OpenAI
• Purpose: Summarization, classification, enrichment
• Training: Your data is NOT used to train OpenAI models
• Zero Data Retention Setting: Always enabled
• Vendor Policy: OpenAI may retain data for up to 30 days for abuse monitoring
• Reference: OpenAI API Data Usage Policy
Google AI
• Purpose: OCR, document parsing, language intelligence
• Training: Your data is NOT used to train Google models
• Zero Data Retention: Enabled and enforced via Google Enterprise policies
• Reference: Google Generative AI Data Policy
Spendflo always enables zero data retention configurations with third-party AI providers. However, minimal short-term retention (e.g., 30 days) may still occur for abuse and misuse monitoring under vendor terms.
5. Security & Access Controls
Spendflo adheres to a strict security-first design:
• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access Controls: Role-based access and multi-factor authentication (MFA)
• Audit Logging: Internal access to data is logged and restricted to authorized personnel
• Monitoring: 24/7 infrastructure security monitoring and incident response
• Compliance: SOC 2 Type II, GDPR, and CCPA compliant
6. Your Rights & AI Controls
You remain fully in control of AI features in your environment:
• Granular Opt-Out: Disable specific AI features (e.g., turn off generative summaries but keep OCR)
• Data Access: Request access to AI-processed data associated with your account
• Data Deletion: Request deletion of data from AI pipelines or logs
• Correction Requests: Request corrections or clarifications to AI-generated content
7. Human Access to AI Data
• All AI processing is fully automated and conducted by software systems.
• Spendflo staff do not manually review your data during AI operations.
• Internal access to data is permitted only under strict, logged access control policies when required for platform support or incident handling.
8. Policy Updates
This policy is subject to revision as our platform evolves. Any material changes will be communicated proactively to customers via admin alerts or your designated account contact.
Contact Us
Spendflo Security & Compliance Team
security@spendflo.com