> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getsmartalex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Responsible AI

> How SmartAlex uses AI in voice and chat agents, the wall that keeps your data out of shared model training, disclosure and voice-consent duties, human oversight, and prohibited uses.

<Note>
  This page is a plain-language summary for evaluators. The authoritative document is the [SmartAlex AI Usage Policy](https://getsmartalex.com/legal/smartalex-ai-usage-policy). If anything here differs from that document, the full policy prevails. This summary reflects version 1.1, effective 1 June 2026.
</Note>

SmartAlex provides the AI infrastructure. You decide how to use it. This page explains, in evaluator terms, how AI runs inside our voice and chat agents, the commitments we make about your data, and the responsibilities that sit with you as the customer who configures and deploys the agents.

<CardGroup cols={3}>
  <Card title="AI Usage Policy" href="https://getsmartalex.com/legal/smartalex-ai-usage-policy">
    The authoritative, controlling document. Read this for the binding text.
  </Card>

  <Card title="Acceptable Use Policy" href="https://getsmartalex.com/legal/smartalex-acceptable-use-policy-aup">
    The wider rules of the road for the platform, cross-referenced throughout.
  </Card>

  <Card title="Telephony and Call Recording Notice" href="https://getsmartalex.com/legal/smartalex-telephony-notice">
    Consent and notice duties for recording and transcribing calls.
  </Card>
</CardGroup>

## How AI is used

The platform uses machine learning across a few capabilities:

* **AI voice agents** that place and receive calls on your behalf.
* **Conversational chat agents** embedded on websites and messaging surfaces.
* **AI-assisted analysis** of call transcripts, including contact enrichment, sentiment and outcome classification, and reporting.
* **AI-assisted content generation** for prompts, scripts, summaries, and templates used by your administrators.

A live voice call runs a real-time pipeline. The caller's speech is captured and transcribed to text by a speech-to-text engine. That transcript, together with the agent's instructions and your knowledge base, is processed by a large language model that decides what to say next and whether to invoke a tool, such as booking an appointment or transferring the call. The response is converted back to audio by a text-to-speech engine and played to the caller. The same general-purpose models also summarize transcripts, enrich contacts, and draft content outside live calls.

<Info>
  The general-purpose models behind these features are operated by our third-party AI and voice-infrastructure providers under contractual terms we negotiate to protect your data. We describe those providers by category. Their identities, the data categories each receives, and the transfer safeguards that apply are listed in our published subprocessor list, which is the authoritative source, and you receive prior notice of any change with a right to object as set out in our Data Processing Addendum. We do not train our own foundation models.
</Info>

## The model-training wall

This is the commitment procurement teams ask about first.

<Warning>
  Data you send through the AI features is **not used to train, retrain, fine-tune, or otherwise improve** any provider's public or general-purpose models. We do not sell your data, and we do not use the content of one customer's calls, transcripts, or contacts to train models that benefit other customers.
</Warning>

Where a provider offers contractual terms that prevent such use, for example a zero data-retention configuration or enterprise terms that exclude training on submitted data, we contract on those terms. The specific safeguard for each provider is recorded in our subprocessor list and Data Processing Addendum.

Two narrow, opt-in exceptions exist, and both stay inside your tenant:

* **Operational analytics.** As an independent controller of service-operations data, we may use aggregated and de-identified metrics about how the agents perform, such as latency, error rates, and transfer rates, to monitor, secure, and improve the platform. This does not reconstruct the content of any caller's conversation and is never used to train foundation models.
* **Customer-elected fine-tuning and custom voices.** You may choose to fine-tune a model or train a custom synthetic voice on your own data. This is off by default, runs only on your instructions, and the resulting model artifacts are scoped to your tenant and never made available to other customers. If the custom voice clones an identifiable person, the voice-consent rules below apply in full.

## Transparency and disclosure

Where an AI agent, voice or chat, interacts with a person, the AI nature of the agent is disclosed:

<Steps>
  <Step title="Where the law requires it">
    Including the EU AI Act transparency obligation for systems that interact directly with people, the California bot-disclosure law, and similar statutes elsewhere.
  </Step>

  <Step title="By default in the standard configuration">
    We ship default disclosure language designed to meet the strictest applicable transparency standard.
  </Step>

  <Step title="Always, on request">
    Whenever a person asks whether they are speaking with a human or an AI, the agent answers truthfully and without qualification.
  </Step>
</Steps>

The synthetic voice a voice agent uses is artificially generated, and its artificial nature is disclosed where the law requires. You enable and configure the disclosure in your tenant settings, and **you must permit it**. Disabling, suppressing, or weakening the disclosure below the applicable standard is a breach of the policy and of the law for which you, as deployer, are responsible.

Consent and notice for recording or transcribing a call are handled separately in the [Telephony and Call Recording Notice](https://getsmartalex.com/legal/smartalex-telephony-notice).

## Voice cloning and voice consent

Whenever you clone, replicate, or imitate the voice of an identifiable person, all of the following apply:

* You must obtain and retain documented, informed, and explicit consent from that person before the voice is cloned or used, and be able to produce evidence of it on request.
* A voice print used to identify or authenticate a person is biometric data. Under the GDPR and equivalent laws it is special-category personal data that needs an explicit lawful basis, ordinarily the person's explicit consent.
* As controller of the underlying data, you establish that lawful basis, give the required notices, and honor any withdrawal of consent, including by stopping use of the cloned voice and instructing us to delete the related artifacts.
* You must not clone or imitate the voice of a public figure, a celebrity, or any other person for deception, fraud, or misrepresentation of identity.

On our side, we process voice and biometric data only on your documented instructions. We do not create voice prints for our own purposes, we never use one customer's cloned voice for another customer, and we apply technical controls to keep custom-voice artifacts scoped to your tenant.

## Human oversight and your configuration duties

The platform is built so significant decisions stay with people, not solely with a model.

* **Live human transfer** is available on voice calls where you have enabled it. A person can ask to be transferred to a human at any time, and the request is honored where you have staffed live transfer.
* **No solely automated significant decisions.** SmartAlex does not make decisions producing legal or similarly significant effects on a solely automated basis, and you cannot override this default for an in-scope decision. Where a decision could produce such effects, you are responsible for configuring human review. An affected person may, through you as controller, request human intervention, express their view, and contest the outcome.
* **Audit log.** Your tenant administrator can review AI decisions through the audit log, which records the agent configuration in force, the tools the agent invoked, and the outcome of each interaction.

You must ensure that anyone exercising human oversight has the authority, competence, and information needed to override or disregard an AI output where appropriate. AI here handles call routing, transcription, qualification, and analytics under your control, and you remain accountable for any decision you take on the basis of those outputs.

## Prohibited uses

You must not use the AI capabilities for any of the following.

| Area                        | Prohibited use                                                                                                                                                                                                                                                                                  |
| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Manipulation and biometrics | Practices banned by the EU AI Act, including subliminal or manipulative techniques, exploitation of a person's or group's vulnerabilities, social scoring by public authorities, unlawful real-time remote biometric identification in public spaces, and untargeted scraping of facial images. |
| Impersonation               | Imitating a specific, identifiable person without their documented consent, including any voice clone made without consent.                                                                                                                                                                     |
| Voice prints                | Creating voice prints without a lawful basis.                                                                                                                                                                                                                                                   |
| Unsolicited outreach        | Automated calls or messages that breach consumer-protection and electronic-communications laws, or that ignore do-not-call registries or opt-outs. See the Telephony and Call Recording Notice.                                                                                                 |
| Significant decisions       | Decisions with legal or similarly significant effects, such as automated denial of credit, employment, housing, or insurance, without meaningful human oversight and the required lawful basis.                                                                                                 |
| Harmful content             | Generating unlawful, defamatory, harassing, hateful, or child-exploitative content, or content that infringes a third party's rights.                                                                                                                                                           |
| Provider terms              | Any use that would cause us to breach the terms or acceptable-use policies of our AI providers.                                                                                                                                                                                                 |

Using the AI capabilities for any of these is a material breach of our [Terms of Service](https://getsmartalex.com/legal/smartalex-terms-of-services) and [Acceptable Use Policy](https://getsmartalex.com/legal/smartalex-acceptable-use-policy-aup), and may lead to suspension of the affected feature or the account.

## Who is responsible for what

<AccordionGroup>
  <Accordion title="Roles at a glance">
    | Matter                              | SmartAlex                                                                                                                                     | You (the customer)                                                                                       |
    | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
    | Data-protection role                | Processor for call content, transcripts, and contact data. Independent controller for account, billing, security, and product-analytics data. | Controller for the personal data in your calls, contacts, and prompts, and for notices and lawful bases. |
    | Model selection and contracting     | Selects providers, negotiates no-training and retention terms, monitors model evaluations.                                                    | Selects which AI features to enable in your tenant.                                                      |
    | Agent design and prompts            | Provides the agent framework, default guardrails, and default disclosure language.                                                            | Authors prompts, knowledge bases, and scripts, and tests them before deployment.                         |
    | Disclosure to people                | Provides default disclosure language and the controls to deliver it.                                                                          | Enables it, must not suppress it, and configures it for your jurisdictions.                              |
    | Special-category and biometric data | Processes only on your documented instructions. Does not create voice prints for its own purposes.                                            | Establishes the lawful basis, ordinarily explicit consent, and gives notices.                            |
    | Human oversight                     | Routes significant decisions to human review and does not act solely automatically.                                                           | Staffs and configures human review, and is accountable for any decision it takes.                        |
  </Accordion>

  <Accordion title="Your obligations summary">
    When using the AI features, you must:

    * Enable and maintain AI disclosure to people at the standard required by the strictest applicable law.
    * Establish a lawful basis, give required notices, and obtain any consent needed to process personal data, including special-category data and voice prints.
    * Obtain all consents required for recording and transcribing calls, as described in the Telephony and Call Recording Notice.
    * Test and supervise your agents, provide accurate knowledge sources, and never deploy the features for a prohibited use case.
    * Comply with EU AI Act deployer obligations, and any equivalent law, that apply to your use case.
  </Accordion>

  <Accordion title="High-risk deployments under the EU AI Act">
    The platform is general-purpose voice and conversational AI infrastructure and is not, by default, a high-risk AI system. Your use case can bring your deployment into high-risk scope, for example in recruitment, credit assessment, education access, essential services, law enforcement, migration, or the administration of justice.

    Before deploying in any high-risk use case you must consult your own legal counsel, implement the deployer obligations the EU AI Act imposes, such as human oversight, monitoring, log retention, and any required impact assessment and registration, and inform us through your account contact. On reasonable request and subject to confidentiality, we provide the technical information you need to complete a data-protection or fundamental-rights impact assessment.
  </Accordion>
</AccordionGroup>

## Accuracy, security, and data location

<AccordionGroup>
  <Accordion title="Accuracy and limitations">
    General-purpose models can produce inaccurate, fabricated, or unsupported output. We ground agents in your knowledge, prompts, and tools, and apply default guardrails, but we do not warrant that outputs are error-free, complete, or fit for a particular purpose. Transcription can contain errors with strong accents, background noise, overlapping speakers, or specialized terms, and synthesized speech may mispronounce names or numbers.

    You should test agent flows before deployment and on material changes, keep knowledge sources accurate and current, avoid treating a transcript or summary as a verbatim or legally authoritative record without human verification, and not use agents to give regulated professional advice without the appropriate standing and human review. AI outputs are not professional advice. The services are not designed for use where failure could cause death, injury, or severe damage, and must not be relied on to reach emergency services.
  </Accordion>

  <Accordion title="Bias, fairness, and safety testing">
    We monitor the published evaluations and safety documentation of our providers, account for known fairness limitations when selecting and configuring models, build safety guardrails into our default configuration, and act on platform-level fairness issues, including by adjusting defaults or switching providers where a reasonable remediation exists. Because your prompts, knowledge bases, and decision logic materially affect outcomes, you are responsible for testing your custom agents for bias and fairness in your deployment context. If you identify a concern that appears to arise at the platform level, report it to us so we can investigate.
  </Accordion>

  <Accordion title="Security of the AI features">
    Measures specific to the AI features include encryption of your data in transit to and from our providers and at rest in our systems, tenant isolation so that one customer's prompts, knowledge bases, custom voices, and outputs are not accessible to another, contractual no-training and, where available, zero data-retention configurations, access controls and logging on the systems that orchestrate the features, and controls designed to mitigate prompt-injection and tool-abuse risks.

    We do not currently hold our own SOC 2 or ISO 27001 attestation and are working toward SOC 2 readiness. Our infrastructure subprocessors maintain SOC 2 or ISO 27001 attestations. If we become aware of a security incident affecting your data processed by an AI feature, we notify you in line with the Data Processing Addendum.
  </Accordion>

  <Accordion title="International transfers and intellectual property">
    The AI features are operated by providers located principally in the United States, and running a live call necessarily processes audio and transcript content wherever the relevant model is hosted. Where this transfers personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, principally the standard contractual clauses, the UK transfer agreement or addendum, and the Swiss addendum, together with supplementary measures such as encryption and access controls. The location of each provider and the safeguard that applies are set out in the subprocessor list.

    As between us and you, and subject to the rights of the AI providers and any third party in the underlying models, you own the outputs generated through your use of the features, on the same basis as the rest of your data. You are responsible for ensuring your use of an output does not infringe a third party's rights. Models can generate similar or identical outputs for different users, so an output is not warranted to be original or protectable.
  </Accordion>
</AccordionGroup>

## Data retention

| Category                                                | Retention approach                                                                                                                             |
| ------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- |
| Live AI request and response payloads at our providers  | Transient. Deleted after processing, or held under a zero data-retention configuration where the provider offers one.                          |
| Call audio and transcripts                              | Retained for your configured period, then deleted, and deleted sooner on your instruction.                                                     |
| AI-generated summaries, classifications, and enrichment | Retained with the related call or contact record and deleted with it.                                                                          |
| Custom voice and fine-tuned model artifacts             | Retained while the feature is in use, then deleted within the period stated in the Data Processing Addendum after you disable it or terminate. |
| Operational and evaluation logs, de-identified          | Retained for security, reliability, and improvement under our standard log-retention criteria.                                                 |

The authoritative periods and criteria live in the Data Processing Addendum and Privacy Policy.

## Questions

For questions about responsible AI, or to exercise a right described in the policy, contact [privacy@getsmartalex.com](mailto:privacy@getsmartalex.com). Remember that the [full AI Usage Policy](https://getsmartalex.com/legal/smartalex-ai-usage-policy) is the controlling document and prevails over this summary.
