AI Addendum

This AI Addendum applies to AI-assisted features in C4CI Arch when those features are enabled for Customer. It supplements the Enterprise Master Services Agreement, Terms of Service, Privacy Policy, Data Processing Addendum, and Security Exhibit.

1. AI-Assisted Features

AI-assisted features may support:

1. architecture summaries;
2. drift explanations;
3. evidence drafting;
4. remediation suggestions;
5. infrastructure-as-code draft snippets;
6. support triage;
7. admin AI chat;
8. agent-assisted operational workflows.

AI-assisted output is generated from prompts, selected product context, connected-system metadata, product settings, and model responses.

2. Human Review

AI-assisted output can be incomplete, outdated, or wrong. Customer must review outputs before relying on them, submitting them as evidence, sharing them, using them for compliance decisions, or using them to change systems.

Write, remediation, pull-request, or operational actions must be reviewed and approved by an authorised user through available product controls.

3. No Solely Automated High-Impact Decisions

C4CI does not use AI-assisted features to make solely automated decisions about users that produce legal or similarly significant effects.

Customer must not use AI-assisted outputs as the sole basis for safety-critical, legal, employment, financial, medical, regulatory, or similarly high-impact decisions.

4. Regulated AI Use

Unless an order form expressly states otherwise, AI-assisted features are not sold or configured as standalone high-risk AI systems, safety components, biometric identification systems, medical devices, employment decision systems, credit or insurance decision systems, law-enforcement tools, or other regulated systems requiring specialised conformity assessment.

Customer is responsible for determining whether its use of AI-assisted outputs is subject to sector-specific, high-impact, or high-risk AI obligations. Customer must complete its own legal, security, accuracy, human-oversight, and fundamental-rights review before using AI-assisted outputs in regulated or high-impact workflows.

5. Data Use

Unless an order form states otherwise, C4CI does not use Customer Content to train public foundation models.

AI prompts and outputs may be processed to provide, secure, debug, monitor, support, and improve the services. Provider-specific retention, logging, and training controls depend on the selected AI provider and customer configuration.

6. Provider Options

Arch supports provider routing patterns that may include Azure AI Foundry and C4CI self-hosted OpenAI-compatible LLM serving. The active provider depends on runtime configuration, customer settings, product tier, and order terms.

Provider-specific details should be documented in the order form, Subprocessor List, or trust-center response for the customer environment.

7. Customer Configuration

Customer is responsible for:

1. deciding whether AI-assisted features may be enabled;
2. configuring customer-provided AI keys or endpoints where applicable;
3. choosing what systems and data may be included in AI-assisted workflows;
4. reviewing prompts and outputs for confidentiality, accuracy, and compliance;
5. disabling or restricting AI-assisted features where required by Customer policy.

8. Prohibited AI Use

Customer must not use AI-assisted features to:

1. generate unlawful, deceptive, harmful, or abusive content;
2. bypass access controls, tenant isolation, or security controls;
3. create malware, credential theft, or unauthorised exploitation workflows;
4. infer, extract, or expose another tenant's data;
5. submit special-category data, secrets, or regulated data unless agreed in writing with appropriate safeguards;
6. conduct prohibited AI practices or use AI outputs in violation of applicable law, model-provider terms, or Customer policy;
7. make decisions prohibited by applicable law or Customer policy.

9. Output Rights

Subject to the agreement and third-party rights, Customer may use AI-assisted outputs generated for Customer through the services. C4CI does not guarantee that outputs are unique, protectable, non-infringing, complete, or fit for a particular purpose.

Customer is responsible for checking outputs before production use.

10. Security and Logging

AI-assisted workflows are subject to the Security Exhibit and Data Processing Addendum where they process Customer Personal Data. Logs, prompts, outputs, and diagnostics may be retained for security, debugging, abuse prevention, support, and auditability according to the Privacy Policy and applicable order terms.

11. Changes

C4CI may change AI models, providers, routing, prompts, guardrails, or feature availability to improve quality, security, cost, latency, compliance, or reliability, provided the change does not materially reduce purchased functionality during the order term.

12. Contact

AI governance questions should be sent to support@c4ci.io.