AI acceptable use policy for customer data
Use this template to set clear internal rules for when employees may use AI tools with customer data. It is written for everyday behavior: approved tools, prohibited data, review steps, and evidence.
Who it is for
Founders, security teams, and privacy owners who need a practical employee policy for AI use with customer data.
Template
Acceptable use policy sections with 5 starter rows.
Download formats
Markdown for docs, CSV for spreadsheet review.
When to use it
- Before employees start using AI tools with customer data.
- After security questionnaires ask for an internal AI-use policy.
- When unmanaged AI use has become common and needs guardrails.
How to fill it out
- Adapt the allowed tools list to your actual vendor approvals.
- Keep prohibited data categories clear and easy to remember.
- Connect exceptions to a named approval path.
Acceptable use policy sections
Use these rows as a starting point, then replace the example language with your vendor, source, customer data, and owner details.
- Rule
- Approved tools
- Allowed use
- Use company-approved AI vendors and managed workspaces.
- Not allowed
- Use personal accounts for customer data or confidential company records.
- Approval or evidence
- Approved vendor list and workspace owner.
- Rule
- Customer data
- Allowed use
- Use the minimum customer data needed for the approved workflow.
- Not allowed
- Paste secrets, credentials, payment data, PHI, or full exports unless approved.
- Approval or evidence
- Workflow approval and data category note.
- Rule
- Model training
- Allowed use
- Use tools whose model training posture has been reviewed for the workflow.
- Not allowed
- Assume all AI tools have the same training settings.
- Approval or evidence
- Vendor source link and settings record.
- Rule
- Outputs
- Allowed use
- Review AI output before sending to customers or using in production.
- Not allowed
- Treat AI output as approved legal, security, or support guidance.
- Approval or evidence
- Human review note where needed.
- Rule
- New tools
- Allowed use
- Request review before sending customer data to a new AI tool.
- Not allowed
- Start a trial with real customer data before review.
- Approval or evidence
- Security or privacy review ticket.
| Rule | Allowed use | Not allowed | Approval or evidence |
|---|---|---|---|
| Approved tools | Use company-approved AI vendors and managed workspaces. | Use personal accounts for customer data or confidential company records. | Approved vendor list and workspace owner. |
| Customer data | Use the minimum customer data needed for the approved workflow. | Paste secrets, credentials, payment data, PHI, or full exports unless approved. | Workflow approval and data category note. |
| Model training | Use tools whose model training posture has been reviewed for the workflow. | Assume all AI tools have the same training settings. | Vendor source link and settings record. |
| Outputs | Review AI output before sending to customers or using in production. | Treat AI output as approved legal, security, or support guidance. | Human review note where needed. |
| New tools | Request review before sending customer data to a new AI tool. | Start a trial with real customer data before review. | Security or privacy review ticket. |
Common mistakes
- Writing a policy that bans everything and is then ignored.
- Allowing approved tools without defining approved workflows.
- Forgetting to cover customer support transcripts, recordings, and screenshots.
Example policy note
Employees may use approved AI tools for summarizing support tickets only in managed company workspaces. Personal accounts and full customer exports are not approved for customer data.
AI Vendor Packet organizes review packet evidence and review workflow support. This template is not legal advice.
Related vendor pages
Use these vendor pages to fill in vendor-specific rows before sharing the template with customers or auditors.
Related templates
These templates pair well when the review leads to a customer-facing update, evidence packet, or internal decision.
Turn this template into a review packet.
Select your vendors, customer commitments, and data categories. AI Vendor Packet turns official-source checks into a review packet your team can keep as evidence.