Our AI Policy

Last updated: May 2026

1. Purpose

This policy establishes the framework for the responsible development, deployment, operation, and use of artificial intelligence (AI) tools at Clema, ensuring compliance with applicable data protection laws, security standards, and ethical principles. It applies to all AI systems used within Clema's platform, including those used for institutional data analysis, natural language query processing, and insight generation, and covers the processing of all input and output data.

2. Scope

This policy applies to all employees, contractors, vendors, and third parties involved in the development, deployment, operation, or use of AI tools within the Clema platform. It encompasses all AI systems, including large language models (LLMs) and machine learning (ML) models, and the handling of institutional, personal, and non-personal data processed through Clema's platform.

3. Definitions

  • AI System: A system that uses machine learning, large language models, or other AI technologies to perform tasks such as query interpretation, data retrieval, and insight generation.
  • Institutional Data: Data owned or managed by a higher education institution, including student records, enrollment data, financial aid data, and operational data, governed by FERPA and institutional data governance policies.
  • Personal Information: Any data relating to an identified or identifiable individual, as per applicable data protection laws (e.g., FERPA, CCPA).
  • Education Records: Records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational institution, as defined under FERPA (20 U.S.C. § 1232g).
  • Stateless Processing: AI processing in which no data from a prior interaction is retained, stored, or used to influence future responses.
  • RBAC: Role-Based Access Control — a method of restricting data access based on the roles of individual users within an organization.

4. AI Development and Maintenance Practices

Clema adheres to industry best practices and recognized standards for the secure and responsible development of AI systems, as outlined below.

4.1 Development Standards

  • NIST AI Risk Management Framework: AI development aligns with the NIST AI RMF core functions (Govern, Map, Measure, Manage) across the AI lifecycle, with emphasis on the framework's trustworthiness characteristics, including explainability, robustness, fairness, and accountability.
  • NCSC/CISA Guidelines: Clema follows the Guidelines for Secure AI System Development, including secure design, threat modeling, and protection against adversarial attacks.
  • SOC 2 Type II: AI systems and associated data pipelines are developed and operated in alignment with SOC 2 security, availability, processing integrity, confidentiality, and privacy trust service criteria.

4.2 Secure Development Practices

  • Threat Modeling: Regular threat modeling using OWASP threat-modeling guidance to identify AI-specific risks such as prompt injection, adversarial attacks, and data leakage.
  • Adversarial Testing: AI models and integrations are tested for resilience against prompt injection, data extraction, and model manipulation attacks.
  • Secure Coding: Developers adhere to secure coding practices, minimizing superfluous functionality to reduce attack surfaces.
  • Model Validation: AI outputs are validated for accuracy, factual grounding, and citation integrity before deployment.
  • Version Control and Documentation: All AI system changes are documented and version-controlled to ensure full traceability and auditability.

4.3 Maintenance and Monitoring

  • Continuous Monitoring: AI systems are monitored for performance, security, and ethical outcomes on an ongoing basis.
  • Output Quality Audits: Regular internal audits review AI output quality, validate data retrieval accuracy, assess no-hallucination protocol effectiveness, and verify that all AI interactions remain within authorized institutional data boundaries.
  • Regular Updates: AI integrations are updated based on performance evaluations, emerging threats, and regulatory changes to ensure ongoing compliance and security.

5. Data Protection and Privacy

Clema is committed to protecting institutional and personal data in compliance with FERPA and other applicable data protection laws, and in alignment with the SOC 2 trust service criteria.

5.1 Collection, Use, Processing, and Disclosure

  • Data Minimization: Clema accesses institutional data exclusively through read-only API integrations and processes only the data necessary to respond to a specific user query.
  • Purpose Limitation: Institutional data is used solely to respond to authorized user queries and generate insights within the authorized institutional scope. It is never used for model training, shared with other institutions, modified, or repurposed beyond the explicit request of an authorized user.
  • FERPA Compliance: Clema treats all student and education records in accordance with FERPA requirements. Access is restricted to authorized institutional personnel with a legitimate educational interest. Clema does not disclose education records to third parties without proper consent or a recognized FERPA exception.
  • Data Disclosure: Institutional data is not shared with third parties beyond what is required to fulfill an authorized query (e.g., transmission to OpenAI's API over encrypted channels solely for query interpretation). All such transmissions are governed by contractual data protection agreements.
  • Data Retention: Institutional data processed through AI is not retained beyond what is already stored in Clema's encrypted database, and AI interactions are stateless and non-persistent. Audit records of data access and AI processing activity (see Sections 5.4 and 8) are maintained separately for compliance purposes.

5.2 AI-Specific Data Handling and Privacy

Clema's AI systems do not train on customer or institutional data. AI processing operates in a stateless, non-learning mode — institutional data is processed in real time to generate responses but is never stored, logged, or reused for model training or improvement. Clema does not contribute any customer data to OpenAI's or any other third-party provider's training pipeline, ensuring complete separation between client data and AI model development.

Clema integrates with OpenAI as its primary third-party AI provider for natural language query processing and insight generation. Institutional data relevant to a specific query is transmitted to OpenAI's API exclusively over encrypted channels (TLS 1.3) for the sole purpose of fulfilling that query. OpenAI does not use data submitted through its API to train its models, and any retention by OpenAI is limited to what is set out in OpenAI's API data usage policies and Clema's contractual agreement with OpenAI. Clema does not send data to any other external AI provider.

Clema applies data minimization principles prior to AI processing. Only data strictly necessary to respond to a specific query is retrieved and transmitted. No personally identifiable information (PII) is sent to external AI providers beyond what is required for the query context within the authorized institutional scope. All data remains logically isolated per institution and protected through encryption and RBAC at all times.

5.3 Accuracy and Bias in AI

Clema is purpose-built for higher education data analysis, optimizing for structured data retrieval and insight generation from institutional and federal higher education data sources. Responses are grounded in verified data sources with full citation, methodology, and query transparency, providing accuracy and an audit trail for governance purposes that general-purpose AI tools typically do not provide.

Where data is unavailable or insufficient, Clema explicitly discloses this rather than approximating or inferring responses. As with any AI system, the underlying language models may carry inherent biases from their pre-training data. Clema mitigates this risk through citation-backed, data-grounded responses and a human-in-the-loop review process, ensuring users retain full control over AI-generated outputs.

5.4 Compliance with Data Protection Laws

  • FERPA: Clema implements controls to ensure all access to and processing of education records complies with FERPA, including maintaining records of disclosures and restricting access to authorized personnel.
  • SOC 2: Clema operates in alignment with the SOC 2 Type II trust service criteria (security, availability, processing integrity, confidentiality, and privacy) for all customer and institutional data.
  • CCPA: Where applicable, individuals are provided with rights to access, delete, or limit the use of their personal information.
  • Audit Trail: All data access and AI processing activities are logged and auditable to demonstrate compliance with applicable regulatory requirements.

6. Privacy-Enhancing Technologies (PETs)

Clema employs the following technologies and practices to protect data privacy:

  • Encryption in Transit: All data transmitted to third-party AI providers is encrypted using TLS 1.3.
  • Encryption at Rest: All institutional data stored in Clema's database is protected using industry-standard encryption.
  • Role-Based Access Control (RBAC): All AI interactions are scoped to authorized institutional data within strict RBAC boundaries. Access is limited to what is necessary for each user's role.
  • Read-Only Data Access: Clema's integration with institutional data sources is strictly read-only, so raw datasets are never modified through AI processing, and only the data needed to answer a specific query is retrieved rather than the dataset being broadly exposed.
  • Data Isolation: All data remains logically isolated per institution and is never shared across institutional boundaries.

7. Regulatory Compliance and Monitoring

Clema maintains robust policies to monitor and comply with AI-related regulatory developments:

  • Regulatory Tracking: A dedicated compliance function monitors applicable AI and data protection regulations (e.g., FERPA, emerging state AI laws) and updates policies accordingly.
  • Compliance Audits: Regular audits are conducted to ensure adherence to SOC 2 Type II standards and applicable data protection requirements.
  • Vendor Management: Third-party AI vendors (including OpenAI) are assessed for compliance with Clema's data protection and security standards through contractual safeguards and periodic review.
  • Incident Response: A documented incident response plan addresses potential data breaches or AI system failures, with prompt notification to affected institutions and individuals as required by law.

8. AI Governance Policies

  • Ethical AI Use: AI systems are designed to avoid bias, ensure transparency, and respect user autonomy. Clema does not use AI to make autonomous decisions about individual students or staff members without human review.
  • Output Integrity and Anti-Hallucination Protocol: Clema is purpose-built to search, retrieve, and surface insights from federal higher education data sources, web search, and internal institutional data it has been granted access to. All outputs are grounded in retrieved, verifiable data. Clema does not generate speculative or inferred responses.
  • Federal and Public Data Sources: When data is unavailable from public or federal sources, Clema is programmed to explicitly return "No data available in the federal source" and, where possible, suggest and retrieve the closest match from other external sources, with full disclosure of the methodology, data definition, and the underlying query used.
  • Internal Institutional Data: For internal data that Clema has been granted access to under institutional governance policies, Clema retrieves and presents findings within the boundaries of those policies. If no data is found or the query is not applicable to available data, Clema explicitly reports this rather than approximating a response.
  • Accountability: All AI decision-making processes are traceable, with logs maintained for auditing purposes.
  • Stakeholder Engagement: Clema engages with institutional partners, regulators, and industry groups to align AI practices with stakeholder expectations.
  • Continuous Improvement: AI governance practices are regularly reviewed and refined based on feedback, audit findings, technological advancements, and regulatory changes.

9. Training and Awareness

  • Staff Training: All employees receive regular training on AI security, data protection (including FERPA requirements), and ethical AI use, tailored to their roles.
  • Threat Awareness: Employees are kept informed of emerging AI-specific threats (e.g., prompt injection, adversarial ML techniques) through internal communications and training updates.

10. Contact Information

For questions or concerns about this policy, contact Clema's Data Protection Officer at raja [at] clema.ai.

11. Policy Review

This policy is reviewed annually or as needed to reflect changes in technology, applicable regulations, or Clema's business practices. The most current version of this policy supersedes all prior versions.