Avetta's Approach to Responsible Use of Artificial Intelligence

At Avetta, we believe artificial intelligence (AI) should strengthen trust, improve safety, and support better decision‑making across global supply chains. We develop and deploy AI thoughtfully and responsibly to enhance our products, support our internal operations, and deliver value to our customers, while maintaining transparency, accountability, and strong safeguards.

How We Use AI

Avetta uses artificial intelligence to support its mission of improving safety, compliance, and efficiency across global supply chains. AI‑enabled capabilities may be embedded within certain Avetta products to help customers work more efficiently, identify potential risks earlier, and improve consistency and accuracy in data processing and insights. These capabilities are designed to support human judgment and decision‑making, not replace it.

The use and adoption of AI at Avetta are governed by company policies and controls that emphasize data protection, accuracy, transparency, and appropriate human oversight, consistent with Avetta’s broader governance, security, and compliance frameworks.

Our Core AI Principles

Avetta’s development, deployment, and use of AI are guided by the following principles:

Human Oversight andAccountability

AI serves as an assistive tool, not a decision-maker. We maintain human review and governance at multiple levels, particularly where AI outputs may influence compliance, safety, or risk-related outcomes. This includes internal oversight by our personnel and user control where customers can accept, modify, or reject AI-generated content. Ultimate responsibility for decisions always rests with people, not AI systems.

Transparency and Purpose‑Driven Use

We deploy AI for clearly defined, legitimate business purposes aligned with improving safety, efficiency, compliance, and supply chain resilience. Where AI‑enabled features generate user-facing outputs, they are clearly identified as AI-generated or AI-assisted so that users can make informed decisions about how to use or act on them.

Fairness, Reliability, and Risk Awareness

We recognize that AI systems can produce errors or unintended bias if not properly managed. Avetta evaluates AI use cases for relevance, reliability, and fairness before deployment, and monitors them over time to identify and mitigate risks such as unintended bias, model drift, and accuracy degradation.

Privacy and Data Protection

Protecting customer data is fundamental to Avetta’s use of AI. We design and operate AI‑enabled systems with safeguards intended to preserve the confidentiality, integrity, and appropriate use of customer data throughout its lifecycle.

Avetta applies data protection controls to AI‑enabled systems that are consistent with our broader information security and privacy program, including access controls, encryption, logging, and monitoring. Customer data is used only for legitimate, defined business purposes and in accordance with applicable contracts (including any data processing agreements), privacy notices, and data protection laws.

Governance, Policies, and Controls

Avetta maintains internal policies, guidelines, and review processes governing both AI‑enabled products and internal AI use. These include:

• Clear rules for how employees, contractors, and vendors may use AI for business purposes
• Review and approval processes for new AI tools and AI‑enabled features
• An inventory and risk‑based review of AI systems used across the organization
• Ongoing monitoring and updates as technology, regulations, and best practices evolve

Regulatory Compliance and EU AI Act Positioning

Avetta is committed to using AI in compliance with applicable laws and regulations, including AI‑specific regulatory frameworks such as the EU Artificial Intelligence Act (EU AI Act).

Under the EU AI Act’s role‑based framework, Avetta may act as an AI system provider, deployer (user), or both, depending on the specific AI use case and context. Avetta assesses its role on a case‑by‑case basis and applies governance measures proportionate to the applicable regulatory obligations.

Avetta takes a risk‑based approach to AI governance consistent with the EU AI Act, including evaluating AI systems based on their intended purpose and potential impact, implementing appropriate human oversight, applying transparency and documentation measures where required, and integrating AI considerations into existing privacy, security, and vendor‑risk processes.

As AI regulations continue to evolve globally, Avetta monitors legal developments and updates its policies, processes, and controls to remain aligned with applicable requirements and customer expectations.

Responsible Vendor and Third‑Party AI Management

Some of our AI features and capabilities rely on third‑party technologies from trusted providers. Avetta applies its existing vendor management, security, and legal review processes to AI providers, consistent with how we assess other critical service providers.

Third‑party AI providers are engaged as data processors under Avetta’s agreements and are contractually required to protect customer data, use it only to deliver the specific AI functionality we have engaged them for, and comply with applicable security, privacy, and legal obligations.

Avetta does not permit third‑party AI providers to use customer data to train or improve their AI models or for any independent purposes. We also evaluate how AI vendors handle, retain, and protect, and delete data, and enforce defined data retention limits to ensure that customer data is not retained by third-party AI providers beyond the period necessary to deliver the contracted functionality in alignment with Avetta’s data protection standards.

Security, Certifications, and Independent Audits

Avetta maintains enterprise‑wide information security and privacy programs that apply to our cloud‑based SaaS platform and related operational processes, including those that support AI‑enabled capabilities.

ISO Certifications

Avetta maintains an Information Security Management System (ISMS), Privacy Information Management System (PIMS), and Business Continuity Management System (BCMS) that are independently certified under internationally recognized ISO standards, including:

• ISO/IEC 27001:2022 - Information Security Management
• ISO/IEC 27017:2015 - Cloud Security Controls
• ISO/IEC 27018:2019 - Protection of Personal Data in Cloud Services
• ISO/IEC 27701:2019 - Privacy Information Management
• ISO/IEC 22301:2019 - Business Continuity Management

These certifications cover the systems, processes, and controls supporting Avetta’s cloud‑based SaaS platform and related operational functions.

SOC 2 Type II Audit

Avetta undergoes an annual SOC 2 Type II independent audit covering the Trust Services Criteria for Security and Confidentiality. The audit evaluates the design and operating effectiveness of Avetta’s controls over a defined audit period.

Customers can review Avetta’s ISO certifications and SOC 2 Type II report through Avetta’s Trust Center, a secure portal that provides access to Avetta’s security, compliance, and privacy documentation. Access to certain materials may require acceptance of a non‑disclosure agreement. The Trust Center is available at https://trust.avetta.com.

‍Further Inquiries:

For additional questions about our AI practices, compliance documentation requests, or general inquiries: compliance@avetta.com.

For privacy-related matters or to exercise data protection rights: privacy@avetta.com.