# AI acceptable use policy for customer data

Last reviewed: 2026-05-21

AI Vendor Packet organizes review evidence and workflow support. This template is not legal advice.

## Who this is for

Founders, security teams, and privacy owners who need a practical employee policy for AI use with customer data.

## What this template is for

Use this template to set clear internal rules for when employees may use AI tools with customer data. It is written for everyday behavior: approved tools, prohibited data, review steps, and evidence.

## When to use it

- Before employees start using AI tools with customer data.
- After security questionnaires ask for an internal AI-use policy.
- When unmanaged AI use has become common and needs guardrails.

## Acceptable use policy sections

| Rule | Allowed use | Not allowed | Approval or evidence |
| --- | --- | --- | --- |
| Approved tools | Use company-approved AI vendors and managed workspaces. | Use personal accounts for customer data or confidential company records. | Approved vendor list and workspace owner. |
| Customer data | Use the minimum customer data needed for the approved workflow. | Paste secrets, credentials, payment data, protected health information (PHI), or full exports unless approved. | Workflow approval and data category note. |
| Model training | Use tools whose model training posture has been reviewed for the workflow. | Assume all AI tools have the same training settings. | Vendor source link and settings record. |
| Outputs | Review AI output before sending to customers or using in production. | Treat AI output as approved legal, security, or support guidance. | Human review note where needed. |
| New tools | Request review before sending customer data to a new AI tool. | Start a trial with real customer data before review. | Security or privacy review ticket. |

## How to fill it out

- Adapt the allowed tools list to your actual vendor approvals.
- Keep prohibited data categories clear and easy to remember.
- Connect exceptions to a named approval path.

## Common mistakes

- Writing a policy that bans everything and is then ignored.
- Allowing approved tools without defining approved workflows.
- Forgetting to cover customer support transcripts, recordings, and screenshots.

## Example policy note

Employees may use approved AI tools for summarizing support tickets only in managed company workspaces. Personal accounts and full customer exports are not approved for customer data.

## Generate this automatically

Use the AI Vendor Packet scanner to generate this template from selected vendors, customer data categories, and customer-facing commitments.

