Information Security Program (WISP) Overview

---

Queen City AI is committed to the responsible, secure, and ethical use of artificial intelligence. This policy establishes the principles, controls, and operating standards that govern how AI systems are designed, built, deployed, and managed across all Queen City AI engagements.

Our intent is simple and explicit:

• Protect client data and intellectual property
• Ensure AI systems are safe, explainable, and governed
• Meet enterprise-grade security and compliance expectations
• Align AI deployment with measurable business outcomes

This policy applies to all Queen City AI employees, contractors, partners, and any AI systems or workflows developed, deployed, or operated by Queen City AI.

Queen City AI operates under the following non-negotiable principles:

2.1 Business Accountability

AI systems must be accountable to defined business owners, metrics, and outcomes. No system is deployed without:

1. A named business owner
2. Defined KPIs and success criteria
3. Clear post–go-live ownership and escalation paths

2.2 Human-in-the-Loop by Design

AI augments human decision-making; it does not operate without oversight unless explicitly approved.

1. Critical decisions require human review
2. Escalation thresholds are defined and enforced
3. Override and audit mechanisms are always available

2.3 Transparency and Explainability

• We do not deploy “black box” AI.
• Model behavior must be explainable to operators and leadership
• System logic, assumptions, and limitations are documented
• Outputs must be traceable to inputs and decision rules

2.4 Ownership Over Dependency

• Clients retain ownership of their data, models, and intelligence layers.
• Client data is never used to train public or shared models
• Proprietary workflows are not reused without explicit authorization
• Queen City AI avoids vendor lock-in by design

3.1 Data Minimization

We collect and process only the data required to achieve defined business objectives.

3.2 Data Segregation

• Client data is logically and contractually isolated.
• No commingling of client datasets
• Environment-level isolation for enterprise clients

3.3 Confidentiality

• All personnel are bound by confidentiality agreements.
• Access is role-based and least-privileged
• Sensitive data is restricted to authorized personnel only

3.4 Data Residency and Retention

• Data residency requirements are honored per client and regulatory needs
• Retention schedules are defined, documented, and enforced
• Secure deletion is performed upon contract termination or client request

Queen City AI aligns with enterprise security best practices, including principles commonly found in SOC 2, ISO 27001, and NIST-aligned frameworks.

4.1 Access Control

• Role-based access control (RBAC)
• Multi-factor authentication (MFA)
• Regular access reviews and revocation procedures

4.2 Encryption

• Encryption in transit (TLS 1.2+)
• Encryption at rest using industry-standard protocols

4.3 Secure Architecture

• API-first, private integration patterns
• No direct exposure of core systems without a security review
• Segmented environments (development, staging, production)

4.4 Monitoring and Logging

• Continuous monitoring of AI workflows
• Logging of system actions and decision events
• Alerting for anomalies, misuse, or policy violations

4.5 Incident Response

• Defined incident response procedures
• Prompt notification to affected clients
• Root cause analysis and corrective actions

5.1 Pre-Deployment Review

All AI systems undergo review before deployment:

1. Data quality and bias assessment
2. Security and access validation
3. Business logic and guardrail validation

5.2 Ongoing Monitoring

• Performance drift monitoring
• Accuracy and error rate tracking
• Periodic revalidation against KPIs

5.3 Change Management

• Model updates follow controlled release processes
• Changes are documented and approved
• Rollback procedures are defined

5.4 Decommissioning

• Safe shutdown procedures
• Secure data handling upon retirement
• Documentation handoff to the client

Queen City AI will not design or deploy AI systems that:

1. Violate applicable laws or regulations
2. Enable discrimination, bias, or unfair treatment
3. Deceive users or misrepresent system capabilities
4. Operate autonomously in high-risk domains without human oversight

We reserve the right to decline or terminate engagements that conflict with this policy.

Queen City AI supports compliance with applicable regulations, including but not limited to:

• Data privacy laws (e.g., GDPR, CCPA, applicable state regulations)
• Industry-specific compliance requirements (finance, healthcare, logistics)

Compliance responsibilities are jointly managed with clients and clearly defined during engagement onboarding.

We commit to:

• Clear communication about AI capabilities and limitations
• Honest reporting of risks and tradeoffs
• Full documentation of systems delivered

AI systems must be defensible in a boardroom, auditable by compliance teams, and trusted by operators.

Violations of this policy may result in:

• Suspension of system access
• Remediation actions
• Contractual remedies
• Termination of employment or partnership

Concerns or suspected violations should be reported immediately to Queen City AI leadership.

This policy is reviewed regularly and updated as technology, regulations, and best practices evolve.

Queen City AI reserves the right to amend this policy to maintain alignment with enterprise standards and responsible AI practices.

Queen City AI Commitment

We will not deploy AI that cannot be governed, secured, explained, or justified. Our responsibility does not end at deployment. It extends through operation, ownership transfer, and measurable impact.