AI Usage Policy
1. Purpose
To define how Backpack Works uses artificial intelligence and machine-learning tools — including AI coding assistants, chat assistants, and generative tools — in a way that protects client data, source code, intellectual property, and confidentiality.
2. Scope
All personnel and contractors who use AI tools in the course of work for Backpack Works or its clients, and all company and client data that might be entered into such tools.
3. Principles
- Protect confidential data. Confidential client data, personal data, secrets, and credentials must not be entered into AI tools that may use submitted data to train their models. Use enterprise or privacy-respecting configurations where available, and prefer tools that contractually exclude inputs from training.
- Human accountability. AI output is assistive, not authoritative. A qualified person reviews AI-generated code, content, and recommendations before they are shipped, published, or relied upon. Personnel remain responsible for the quality and security of their work.
- No automated decisions about people. AI tools are not used to make decisions that produce legal or similarly significant effects on individuals without human review.
- Respect client instructions. Where a client restricts or prohibits the use of AI tools on their engagement, those instructions take precedence.
- Intellectual property. Personnel must not submit third-party or client IP to AI tools in a way that would violate licensing or confidentiality obligations, and must review AI-generated output for IP and licensing concerns before use.
4. Approved use
- Drafting, refactoring, and reviewing code with AI coding assistants, subject to peer review under our Secure Software Development Policy.
- Generating and editing non-confidential content, documentation, and research.
- Summarizing or analyzing data that has been appropriately de-identified or that is not confidential.
5. Prohibited use
- Entering secrets, credentials, or access tokens into any AI tool.
- Pasting confidential client data or personal data into consumer AI tools that may train on inputs.
- Using AI output without review where it affects security, privacy, or client deliverables.
- Circumventing a client's stated restrictions on AI use.
6. Vendors & sub-processors
AI tools that process client or personal data are evaluated under our Vendor & Third-Party Risk Management Policy and, where applicable, listed as sub-processors.
7. Enforcement & review
Violations may result in disciplinary action consistent with our Acceptable Use and Information Security policies. This policy is reviewed at least annually and as AI tooling and regulation evolve.