Compliance & Evidence

Audit-grade

The proof you hand an insurer or auditor when they ask about employee-AI controls. Everything a non-technical admin needs to deploy lawfully — built for evidence, not screenshots.

Export an evidence pack, not screenshots.
Acknowledged: 8/9 (capture authorized)
Pending ack: 1/9 (capture off, which is correct)
Re-ack due: 0/9 (notice version changed)
Retention: 90d (matches notices)

What this answers

The three drivers behind a purchase all ask the same question: "show us your employee-AI controls." Here is which Zeflin artifact answers each.

GenAI insurance exclusions + AI underwriting

Insurers (ISO/Verisk) filed broad Generative AI exclusion endorsements CG 40 47, CG 40 48, and CG 35 08, effective Jan 2026; AI exclusions are spreading across liability lines, and cyber underwriting questionnaires now probe employee-AI controls.

Answered by

Notice + acknowledgment roster, shadow-AI discovery, and the append-only audit log

Carrier adoption varies policy-by-policy — ask your broker whether yours carries them.

SOC 2 (CC6–CC9)

Auditors now expect programmatic AI-control evidence under the existing Trust Services Criteria — not screenshots.

Answered by

Captured events, attestations, and policy configuration as exportable control evidence

ISO/IEC 42001 procurement screening

A large and growing share of enterprise buyers screen vendors for AI-management posture.

Answered by

The DPA, sub-processor disclosure, retention policy, and notice/consent workflow

Driven by cyber-insurance underwriting and your next SOC 2 / ISO 42001 review — not the EU AI Act, which does not mandate logging employee AI use. No fear, just the controls your insurer and auditor ask about today.

Evidence pack

One bundle, assembled on demand. Export an evidence pack, not screenshots.

Section | Status | What question it answers
Monitoring notices + acknowledgement roster | 8/9 acknowledged | Who was notified and consented to monitoring, and when
Shadow-AI discovery | 3 tools | Which AI tools and accounts are in use, including personal ones
To AI: sensitive-data controls | 10 flagged | What sensitive data we stopped or flagged before it reached an AI tool
From AI: provenance & attestations | 5 matches | Where AI-generated content landed in real work, and who attested it
Retention + hard-delete policy | 90 days | How long content is kept and how it is permanently destroyed
DPA + sub-processor disclosure | US only | Who processes the data, under what terms, in which region
Append-only audit log | 7 entries | A tamper-evident record of every privileged action (SOC 2 CC6–CC9)

7 of 7 sections · last 90 days · written to the append-only audit log on export.

Employee notice

One notice every employee acknowledges before capture begins — identical nationwide, with the California rights block always included so it meets the strictest state. New York's workplace posting is a separate physical artifact, not a notice variant.

Active version
2026-05-US-v4, published May 2, 2026
Retention stated
90 days
Scope
Nationwide · CA rights built in

New York workplace posting. NY §52-c also requires a conspicuous physical posting — a separate printable artifact, not part of this notice.

Each new version triggers a re-acknowledgement requirement for every employee.

Consent acknowledgement

"No ack, no capture." Capture activates per-employee only after the monitoring notice is acknowledged. A pending acknowledgement is the correct, calm state — not an error.

Acknowledged: authorizes capture
Pending ack: keeps capture off (correct)
Re-ack: required annually and on every notice version change

DSAR toolkit

Answer a data-subject access or deletion request without engineering. Export every prompt, response, copy, paste, and match for one employee — or perform a verified hard delete.

Request handling
Designate an owner and track the statutory clock.
45-day response clock

Each request opens a 45-day window. The clock starts when a request is logged here and is included in the evidence pack.

Per-employee data
Export bundles all captured records; hard delete is verified and irreversible.
Employee | Last activity
alicia.chen@acme.com | Jun 21, 11:40 AM
bianca.okafor@acme.com | Jun 18, 9:44 AM
derek.salaberry@acme.com | Jun 18, 4:02 PM
farah.idris@acme.com | Jun 18, 3:21 PM
lee.harmon@acme.com | Jun 17, 9:00 AM
morgan.reyes@acme.com | Jun 21, 1:12 PM
nadia.brooks@acme.com | Jun 19, 2:33 PM
pat.olsen@acme.com | (none)
tomas.vega@acme.com | Jun 20, 10:05 AM

Actions available per row: Export, Hard delete.

Retention

Captured content is hard-deleted when its TTL elapses. Retention has a single source of truth, the org setting below, and every employee notice must state the same value.

90 days retention (org setting)

Prompts, responses, copy, and paste records are hard-deleted past this window.

Compliance audit log

Every privileged action — policy changes, content reveals, exports, deletions, ack events — is recorded append-only.

7 recorded entries

Append-only. Entries cannot be edited or removed — they are part of the evidence pack.
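The page states that the audit log is append-only and tamper-evident but does not say how that property is achieved. The following is an added example, not Zeflin's code: it assumes a SHA-256 hash chain (each entry commits to the hash of the previous one), which is one standard way to make such a log tamper-evident, and it shows what a verifier can detect on its own and what it cannot. The entries, actors and details are constructed; the action names are hypothetical.

```python
"""Hash-chained, append-only audit log with tamper detection (added example).

Not Zeflin's code: the page says its audit log is append-only and tamper-evident
but does not state the mechanism. This assumes a SHA-256 hash chain in which
every entry commits to the hash of the previous one. Entries, actors and action
names below are constructed for the demo.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


def _entry_hash(prev_hash: str, seq: int, actor: str, action: str, detail: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always hashes identically.
    payload = json.dumps(
        {"prev": prev_hash, "seq": seq, "actor": actor, "action": action, "detail": detail},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Entry:
    seq: int
    actor: str
    action: str
    detail: dict
    prev_hash: str
    entry_hash: str


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, actor: str, action: str, detail: dict) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, actor, action, dict(detail), prev,
                      _entry_hash(prev, seq, actor, action, detail))
        self.entries.append(entry)
        return entry

    def head(self) -> Tuple[int, str]:
        """(entry count, latest hash). Record this out-of-band to catch tail truncation."""
        return len(self.entries), (self.entries[-1].entry_hash if self.entries else GENESIS)

    def verify(self, anchor: Optional[Tuple[int, str]] = None) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry.

        Without an anchor, deleting entries from the tail is undetectable: the
        remaining prefix is still a valid chain. Passing a previously recorded
        head() turns that into a failure reported at the truncation point.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return i  # entry removed or reordered before this point
            if _entry_hash(e.prev_hash, e.seq, e.actor, e.action, e.detail) != e.entry_hash:
                return i  # entry content rewritten in place
            prev = e.entry_hash
        if anchor is not None and self.head() != anchor:
            return len(self.entries)  # chain valid but shorter/different than the anchor
        return None


def build_sample_log() -> AuditLog:
    """Constructed entries mirroring the privileged actions the page lists."""
    log = AuditLog()
    log.append("admin@acme.com", "policy.retention.set", {"days": 90})
    log.append("alicia.chen@acme.com", "notice.ack", {"version": "2026-05-US-v4"})
    log.append("admin@acme.com", "content.reveal", {"employee": "lee.harmon@acme.com"})
    log.append("admin@acme.com", "evidence_pack.export", {"sections": 7, "window_days": 90})
    log.append("admin@acme.com", "dsar.hard_delete", {"employee": "pat.olsen@acme.com"})
    return log


def first_bad_after_edit(index: int) -> Optional[int]:
    """Rewrite one entry in place, as someone with direct DB access could."""
    log = build_sample_log()
    log.entries[index].action = "noop"
    return log.verify()


def first_bad_after_delete(index: int, use_anchor: bool) -> Optional[int]:
    """Drop one entry; tail deletion is only caught when an anchor is supplied."""
    log = build_sample_log()
    anchor = log.head() if use_anchor else None
    del log.entries[index]
    return log.verify(anchor)


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())                             # None
    print("edited entry 2:", first_bad_after_edit(2))                          # 2
    print("deleted middle entry 1:", first_bad_after_delete(1, False))         # 1
    print("deleted last entry, no anchor:", first_bad_after_delete(4, False))  # None
    print("deleted last entry, anchored:", first_bad_after_delete(4, True))    # 4
```

The caveat the last two calls illustrate is the one a practitioner should ask about: a hash chain alone proves nothing about entries removed from the end. Something outside the log has to pin the current head, for example the head hash and entry count recorded in each exported evidence pack, which is exactly the kind of out-of-band anchor the page's "written to the append-only audit log on export" step could supply (an assumption about how it might be used, not a description of the product).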


DPA & sub-processor disclosure

The processors that touch captured data, and the terms that govern them. No secondary use; return-or-delete on termination; US data region only.

Supabase
Postgres, Auth, Storage
RegionUnited States
Secondary useNone
On terminationReturn or delete
Vercel
Dashboard hosting
RegionUnited States
Secondary useNone
On terminationReturn or delete
GCP Cloud DLP
Classification & redaction
RegionUnited States
Secondary useNone
On terminationReturn or delete

Zeflin does not use captured content for any secondary purpose, including model training. All sub-processors operate under a data-processing agreement with return-or-delete terms. Data stays in the United States.

Deployment checklist

Walk this once before turning on capture for a new workforce. Each item is a lawful-deployment prerequisite.

Lawful-deployment prerequisites — Acme Corp
7/8 complete