AI Governance and Risk Management Policy

Last updated: 25 February 2025

1. Introduction

Aspose Pty Ltd (Aspose) is a market-leading software development company that offers award-winning APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, ZIP, CAD, XPS, EPS, and PSD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, Xamarin, and Android, along with reporting solutions for Microsoft SharePoint and rendering extensions for SQL Server Reporting Services and JasperReports.

While Aspose does not natively incorporate artificial intelligence (AI) or Large Language Models (LLMs) into its products, certain self-hosted solutions enable customers to connect their own AI models via API. Aspose is committed to ensuring that these integrations are secure, transparent, and compliant with regulations and industry best practices, including California STD 1000 AI disclosure requirements, GDPR, and other applicable standards.

2. Purpose

The purpose of this AI Governance and Risk Management Policy is to:

  • Establish a structured framework for managing AI-related risks and ensuring transparency.
  • Define Aspose’s stance on AI usage, emphasizing full customer control over any AI integrations.
  • Protect Aspose’s and its customers’ data, operations, and reputation by adhering to relevant laws, regulations, and industry best practices.
  • Outline clear roles and responsibilities, processes, and promises to customers regarding AI integrations.

3. Scope

This policy applies to:

  • All Aspose self-hosted products that allow AI or LLM integration via APIs.
  • Any third-party AI models integrated by customers through Aspose-provided interfaces.
  • Internal Aspose policies and processes ensuring compliance with AI-related legal, ethical, and regulatory considerations.

This policy does not govern AI implementations entirely controlled by the customer in their own environment, where Aspose has no operational or administrative role.

4. Roles and Responsibilities

Aspose assigns the following roles and responsibilities to ensure proper governance and risk management for AI integrations:

4.1 Board of Directors / Executive Management

  • Provide overall strategic direction and oversight for AI governance.
  • Approve and periodically review this policy.

4.2 AI Governance Committee (or Equivalent Group)

  • Oversee and maintain the AI governance framework, ensuring alignment with applicable regulations.
  • Review and approve major AI integration strategies or significant changes in policy.

4.3 IT Security & Risk Management Team

  • Identify, assess, and monitor AI-related security risks and compliance concerns.
  • Coordinate with customers and relevant stakeholders on guidelines for secure AI model integrations.
  • Evaluate potential vulnerabilities or threats arising from AI integrations.

4.4 Legal & Compliance

  • Track and interpret emerging AI regulations and standards (e.g., California STD 1000, GDPR).
  • Advise on legal and regulatory obligations related to AI usage.
  • Ensure contract terms and customer agreements reflect the AI governance stance.

4.5 Product Management & Development Teams

  • Ensure self-hosted products that offer AI integrations comply with Aspose policies and technical guidelines.
  • Document requirements for secure API connections and disclaimers for customer-driven AI use.
  • Work with IT Security & Risk Management Team to address identified risks and implement mitigation strategies.

4.6 Audit & Review Team

  • Conduct periodic audits to verify AI governance adherence and evaluate the effectiveness of this policy.
  • Report findings to executive management and recommend improvements.

4.7 Customers (AI Model Integrators)

  • Assume full responsibility for selecting and securing any AI or LLM integrated into Aspose self-hosted products.
  • Adhere to all relevant data privacy, ethical, and regulatory requirements for their chosen AI solutions.
  • Promptly notify Aspose of any AI-related incidents that could affect Aspose’s infrastructure or compliance posture.

5. AI Governance & Oversight

5.1 Policy Oversight

  • The AI Governance Committee ensures this policy remains current with regulatory changes.
  • Annual reviews are conducted to incorporate emerging AI standards or customer-driven requirements.

5.2 Risk Assessment

  • Aspose periodically evaluates AI-related risks for self-hosted product integrations.
  • Risk metrics include data privacy considerations, potential biases, and security vulnerabilities.

5.3 Customer Communication

  • Aspose maintains a public-facing FAQ or knowledge base addressing AI integration best practices.
  • Changes in regulations or policy updates are communicated proactively to customers via Aspose’s trust center or direct notifications.

6. AI Risk Management

6.1 Security and Compliance

  • Data Privacy Regulations: AI integrations must comply with GDPR, CCPA, and other relevant frameworks, where applicable.
  • Customer Responsibility: Customers are solely responsible for selecting, configuring, and maintaining third-party AI models. If sensitive or confidential data is involved, customers must ensure they have appropriate measures in place to protect that data. Aspose does not provide or enforce data handling guidelines for externally integrated AI.

6.2 Third-Party Risk Management

  • Customer Due Diligence: Customers must vet and secure any AI model they choose to integrate, including assessing the model’s security posture, risk of bias, and data-handling policies.
  • Hands-Off Integration: Aspose’s role is strictly limited to providing API interfaces. Customers retain full control and responsibility for their AI model’s operational behavior and compliance with applicable regulations.

6.3 Adverse Impact Prevention

  • Regulated Decisions: Aspose core products are generic file-processing tools and do not control or direct AI’s decision-making in high-stakes or regulated environments.
  • User Responsibilities: Customers must ensure their AI usage complies with all legal and ethical standards, particularly where sensitive applications (e.g., healthcare, finance) are concerned.

7. AI Disclosure & Compliance with STD 1000

Aspose aligns with California’s STD 1000 AI disclosure requirements by:

  • GenAI Model Usage: Aspose does not natively host or use AI models within its self-hosted products; customers may integrate their own.
  • Model Name & Version: Customers are responsible for maintaining details of any AI models they connect.
  • Product Ownership: Aspose offers self-hosted solutions that customers can customize; AI integrations remain under the customer’s control.
  • Use Cases & Information Domain: Customers define the use cases and data domains for AI usage. Aspose neither prescribes nor restricts them, beyond requiring adherence to relevant laws.
  • Impact on Decisions: Aspose’s core products are tools; any critical or regulated decisions driven by AI integrations are managed solely by the customer.

8. Monitoring & Incident Response

8.1 Monitoring

  • Regulatory Tracking: The AI Governance Committee, in collaboration with Legal & Compliance, monitors regulatory developments relevant to AI governance.
  • Customer Feedback: Aspose tracks support tickets and user feedback for potential AI-related security or compliance issues.

8.2 Incident Response

  • Incident Reporting: Customers or Aspose employees who discover AI-related security or compliance issues must notify Aspose’s IT Security Team.
  • Containment & Notification: If an AI-related incident poses a threat to Aspose’s infrastructure or brand, the IT Security Team will coordinate containment measures and notify relevant stakeholders.
  • Root Cause Analysis: Aspose will investigate to identify any Aspose-side vulnerabilities. If issues are entirely within the customer’s environment, Aspose will provide support as requested or contractually agreed.
  • Escalation: Critical incidents are escalated to Executive Management in accordance with Aspose’s Incident Response Policy.

9. Legal and Regulatory Compliance

Aspose is committed to complying with all applicable legal, regulatory, and industry requirements related to this policy. Where specific regulations or standards apply, Aspose will ensure alignment to protect customer data, meet business obligations, and maintain operational integrity.

9.1 Compliance Principles

  • Adherence: Aspose follows all relevant legal and regulatory requirements applicable to its operations and systems.
  • Alignment with Standards: While Aspose may not hold formal certifications, it aligns its practices with recognized industry frameworks and best practices to ensure compliance.

9.2 Ongoing Compliance Monitoring

Aspose regularly reviews its internal processes, policies, and product offerings to ensure ongoing compliance with relevant laws and industry standards.

Compliance audits and reviews are conducted periodically to ensure the effectiveness of security and privacy controls.

10. Employee Training and Awareness

Aspose emphasizes equipping all employees with the knowledge and tools required to understand, implement, and maintain effective AI governance practices. Training initiatives ensure employees can contribute to the company’s AI governance and risk management objectives.

10.1 AI Governance Training Programs

  • Onboarding Training: New employees undergo training on fundamental AI governance concepts, including Aspose’s approach to AI integrations, regulatory considerations (e.g., GDPR, STD 1000), and risk mitigation strategies.
  • Ongoing Awareness: Regular training sessions and updates ensure employees remain informed about AI governance policies, best practices, and evolving risks in the AI landscape (e.g., new regulations or emerging technologies).

10.2 Role-Specific Training

Employees in specific roles receive tailored training to enhance their understanding of AI governance practices:

  • AI Governance Committee and Technical Teams: Training on designing, evaluating, and maintaining secure AI integration processes, including risk assessments, compliance checks, and documentation standards.
  • Team Leads and Managers: Training on overseeing AI-related work within their teams, reviewing risk mitigation measures, and ensuring compliance with Aspose’s AI governance objectives.
  • Support and Development Teams: Awareness of secure handling, testing, and monitoring of AI integrations to minimize risks and ensure alignment with business goals and regulatory requirements.

10.3 AI Governance Awareness Culture

Aspose fosters a compliance-first approach to AI governance by:

  • Reinforcing AI governance responsibilities through communications from leadership.
  • Encouraging employees to report any AI-related issues through secure and confidential reporting channels.
  • Sharing regular updates, internal communications, and alerts regarding best practices and emerging risks in AI governance.

10.4 Continuous Improvement

Employee feedback on AI governance training is actively encouraged to ensure it remains relevant and effective.

  • Post-Incident Debriefing: Following any AI-related incident, teams will review and update training processes to address gaps and strengthen AI governance measures.

11. Policy Compliance and Enforcement

To maintain the integrity of Aspose’s AI Governance and Risk Management framework, compliance with this policy is mandatory for all employees, contractors, and third-party partners.

11.1 AI Governance and Risk Management Policy Compliance

  • Mandatory Adherence: All personnel must adhere to the AI Governance and Risk Management Policy, including its principles, processes, and best practices.
  • Policy Acknowledgment: Employees formally acknowledge their responsibilities regarding AI governance upon onboarding and whenever significant policy updates occur.
  • Periodic Reviews and Updates: This policy will be reviewed regularly to ensure its relevance and alignment with evolving regulatory requirements, industry standards, and Aspose business needs. All stakeholders will be informed of updates, with re-training provided if necessary.

11.2 Monitoring and Auditing

  • AI Reviews: Periodic audits will review AI-related processes—such as customer integrations, compliance checks, and security measures—to ensure they align with organizational objectives and regulatory obligations.
  • Continuous Monitoring: Aspose may employ automated tools or processes to track AI-related activities, identify anomalies, and ensure that unintended risks are promptly addressed.
  • Self-Assessments: Employees are encouraged to verify their understanding of AI governance processes and report any discrepancies or concerns for immediate correction.

11.3 Non-Compliance Consequences

Violations of the AI Governance and Risk Management Policy may result in disciplinary actions, including but not limited to:

  • Corrective Actions: Retraining, formal warnings, or adjustments to responsibilities.
  • Access Restrictions: Revocation of access to AI-related systems or integrations in cases of unauthorized or improperly managed usage.
  • Termination: Repeated or severe policy violations may lead to termination of employment or contracts.
  • Legal Action: Serious violations—such as intentional misuse of AI capabilities that result in harm or legal exposure—may have legal consequences.

11.4 Accountability and Enforcement

  • Incident Management: AI-related incidents are handled in accordance with Aspose’s Incident Response Policy. Immediate containment and root cause analysis are prioritized to minimize potential harm or liability. Unintentional violations due to lack of understanding will typically result in retraining before disciplinary measures are considered.
  • Disciplinary Process: Investigations into suspected or confirmed policy breaches will be overseen by Human Resources and the relevant governance teams (e.g., AI Governance Committee, IT Security & Risk Management).
  • Escalation: Critical breaches or repeated non-compliance will be escalated to senior management for further review and action.

11.5 Continuous Improvement

  • Feedback Loop: Aspose encourages feedback from employees and other stakeholders to continuously improve the AI Governance and Risk Management Policy. This includes regular reviews of AI governance practices and the identification of potential policy gaps or inefficiencies.
  • Training and Awareness: Instances of non-compliance or misuse stemming from insufficient understanding will be addressed through enhanced training programs and updated communication channels. These initiatives ensure all employees, contractors, and stakeholders are aware of their responsibilities and best practices under the AI Governance and Risk Management Policy.

12. Periodic Review and Policy Updates

Periodic Review: This AI Governance and Risk Management Policy will be reviewed periodically or as required to address emerging threats, regulatory changes, or Aspose’s evolving operational needs. This ensures the policy remains aligned with current AI Governance and Risk Management best practices and business requirements.

Policy Updates: Updates to the policy will be communicated to all employees, contractors, and relevant stakeholders. Any significant changes will be accompanied by training or guidance to ensure continued adherence to AI Governance and Risk Management principles.

13. Approval

This AI Governance and Risk Management Policy was approved by the Board of Directors of Aspose Pty Ltd on 2024.12.01.