AI Policy
Last updated: Tuesday 5 August 2025
This policy governs the design, development, deployment, and governance of AI systems to ensure they are safe, ethical, secure, and compliant with the EU AI Act and other relevant legislation. If you have any questions regarding our AI policy, please contact us.
Definitions
AI (Artificial Intelligence): Machine-based systems that perform tasks typically requiring human intelligence, including natural language processing, data summarisation, insight generation, or predictive modelling.
Inference: The processing of data using a pre-trained AI model to generate outputs without modifying the model.
RAG (Retrieval-Augmented Generation): An architecture that combines pre-trained AI with retrieval of external data sources to inform responses.
Customer Data: Any data submitted, uploaded, or processed by the customer or participants within the Ballpark platform.
Scope
This policy applies to:
All AI features developed or integrated into Ballpark products and internal systems.
All staff involved in the lifecycle of AI models, including design, testing, deployment, and monitoring.
Third-party AI systems integrated with Ballpark services.
Core Restrictions
Inference-Only Operations
Ballpark restricts all AI system usage to inference operations only. This means:
AI systems may only be used for inference: processing data and generating outputs from pre-trained models
Prohibited: Using any customer data, user-generated content, or customer-specific business data for training, fine-tuning, retraining, model evaluation, or performance testing
Retrieval-Augmented Generation (RAG) Systems
Ballpark may use RAG systems to enhance AI capabilities with internal knowledge and expertise.
Permitted content:
Ballpark's internal documentation and procedures
Team member professional knowledge and expertise
Industry best practices and publicly available technical documentation
Ballpark's proprietary methodologies and frameworks
Prohibited content:
Customer data
Customer-generated content
Customer-specific business information
All RAG knowledge bases must be reviewed and approved by the CTO before implementation.
Data Protection
Customer Data Isolation
Customer data must remain completely isolated from AI training pipelines and RAG systems
Technical controls required to prevent inadvertent customer data usage
All customer data processing must be transient with no storage for improvement purposes
Consent Requirements
Explicit, granular opt-in consent required for any AI processing of customer data
Clear specification of AI processing being performed
Confirmation that data will not be used for training
Accessible opt-out mechanisms
Compliance Framework
Risk classification
All AI systems must be assessed and classified according to the EU AI Act’s risk-based framework:
High-risk systems: Require pre-deployment assessments, documentation, and registration (e.g. recruitment tools, critical infrastructure decisions)
Limited/minimal-risk systems: Implement proportionate safeguards with transparency and user control
Ballpark will maintain documentation of all AI use cases, classification outcomes, and applicable controls.
Human Oversight
All high-risk AI systems must include documented human-in-the-loop or human-on-the-loop mechanisms to allow for oversight, correction, or override of automated decisions. Responsibility for each AI system must be assigned to an accountable individual or team.
Transparency Requirements
Users must be notified when interacting with AI systems
Clear communication that data is used for inference only, never for training
Explanation of AI decision-making logic and limitations, especially for high-risk cases
Third-Party AI Services
Contracts must explicitly prohibit using Ballpark/customer data for training or improvement
Service agreements must guarantee inference-only usage
Regular compliance audits required
Quality Assurance
Fairness and Security
Regular bias testing for discriminatory impacts
Pre-deployment security testing and ongoing performance evaluation
Protection against adversarial attacks and model drift
Fallback mechanisms for service degradation
Ethical Impact Assessments
Required for high-risk systems, including:
Societal and human rights impact assessment
Potential harm identification and mitigation strategies
Confirmation of customer data protection compliance
Annual review and registration in AI systems register
Incident Management and Redress
Users must have access to a channel to report:
Negative effects or harms from AI usage
Errors or inappropriate decisions made by AI systems
Reports will be reviewed under Ballpark’s incident response framework, and affected parties will be informed of outcomes and potential redress options.
Sustainability and Social Benefit
Teams are encouraged to evaluate the environmental impact (e.g. energy consumption of model training) and consider more efficient alternatives.
Priority will be given to projects where AI applications contribute to social good, accessibility, or public benefit.
Monitoring and Policy Review
AI systems must be regularly audited to ensure:
Accuracy and reliability
Ongoing compliance with evolving legal standards
Annual policy review or upon significant legislative changes
Ethical performance
This policy will be reviewed annually or upon significant changes in legislation or AI practices.
Roles and Responsibilities
Role | Responsibility |
---|---|
CTO | Policy owner and final authority on AI governance decisions |
Engineering Team Leads | Classification, documentation, and testing of AI systems |
Security & Compliance | Legal risk assessment, GDPR/Data Privacy alignment, and ethical impact review |
Support & Customer Ops. | Communicating AI usage and managing incident reporting and redress |
Exceptions
Any deviations from this policy must be approved by the CTO in writing, with a supporting risk justification and mitigation plan.