AI Development and Customer Data Policy
| Policy owner | Effective date |
|---|---|
| @knolleary | 2026-02-18 |
Purpose
This policy describes how AI-enabled functionality is designed, developed, and used within FlowFuse, both in the product and internally by FlowFuse team members.
Its purpose is to protect customer data, maintain trust, and ensure responsible, transparent, and secure use of AI technologies.
Scope
This policy applies to:
- AI functionality shipped as part of the FlowFuse product
- Internal use of AI tools by FlowFuse employees and contractors
- Integrations with third-party AI services
Guiding Principles
- AI is assistive, not autonomous.
- Humans remain accountable for decisions and outcomes.
- Customer trust and data protection take precedence over experimentation speed.
- AI usage must be intentional, scoped, and reversible.
- FlowFuse does not train AI models on customer data or company data.
Internal Use of AI by FlowFuse Team Members
FlowFuse supports and encourages responsible use of AI tools by team members to improve development velocity, quality, and operational effectiveness.
When using AI internally:
- Do not share customer data with AI tools except as explicitly permitted by this policy.
- Use internal, synthetic, or publicly available data for experimentation whenever possible.
- Review AI-generated output before relying on it or including it in the product.
- Do not use AI tools to bypass security controls, access restrictions, or approval processes.
Apply the same data protection, security, and review standards to internal AI usage as to AI functionality shipped within the product.
Customer Data Usage
Customer data may be used with AI systems only under the following conditions:
- Use customer data solely to provide the requested product functionality.
- Ensure all AI processing of customer data follows existing access controls, logging, and security policies.
Customer data is not used for the following purposes:
- Do not use customer data to train shared, public, or cross-customer AI models.
- FlowFuse does not train AI models on customer data.
- Do not use customer data for internal experimentation unrelated to a customer’s use case.
- Do not use customer data to improve general-purpose AI model behavior.
Customer data remains owned and controlled by the customer at all times.
Internal Data vs Customer Data
- Internal, synthetic, or anonymized data may be used for:
  - Prototyping and experimentation
  - Prompt development
  - Evaluation and testing of AI features
- Do not repurpose customer data for internal AI development or testing, even if anonymized, without explicit approval.
Third-Party AI Services
Third-party AI providers may be used within the FlowFuse product only when:
- Appropriate contractual data protection terms are in place.
- The provider does not retain or reuse customer data for model training.
- Data shared is limited to the minimum required to provide the feature.
Review new AI provider integrations prior to use and assess them for:
- Data handling and retention practices.
- Security posture.
- Compliance and risk implications.
FlowFuse maintains a documented inventory of approved third-party AI services used within the product that may process customer data. This inventory includes references to each provider’s relevant data handling and security policies. The inventory is reviewed as part of the vendor risk management process and is available upon request.
Product Transparency
- Clearly identify AI-assisted functionality in the product and/or documentation.
- Do not present AI outputs as authoritative or decision-final.
- Inform users when AI is involved and ensure they understand that human judgment is required.
Prohibited AI Use Cases
Do not use AI for:
- Fully autonomous decision-making affecting customers.
- Safety-critical or high-risk operational decisions.
- Surveillance, behavioral profiling, or user scoring.
- Legal, medical, or employment decision-making.
Review and Oversight
- Require new AI-enabled features to undergo review that considers:
  - Data inputs and outputs
  - Customer impact and potential failure modes
  - Third-party dependencies
- Restrict, modify, or disable AI functionality if risks or assumptions change.
Exceptions and Enforcement
- Require explicit review and approval for any exception to this policy.
- Violations may result in feature rollback or removal of integrations.