How we build, deploy, and govern AI.

1. Scope

This policy applies to all AI systems designed, trained, deployed, or operated by ALAT Labs. The term "AI systems" covers model-driven workflows, classifiers, autonomous and semi-autonomous agents, language interfaces, recommendation systems, and any decision-support tooling that relies on statistical or learned components.

The policy covers two operational modes: AI systems hosted by ALAT Labs on its own infrastructure, and AI systems deployed by ALAT Labs onto customer infrastructure. In both cases, the principles and controls described below apply. Where a customer contract imposes stricter terms, those terms prevail.

2. Our principles

Six principles guide every AI system ALAT Labs ships. They are not aspirational — they are conditions of release.

3. Data

ALAT Labs collects only the data required to operate a workflow: identity and contact information sufficient to authenticate users, business records the customer chooses to integrate, and operational telemetry needed for reliability and audit.

All customer data resides in Kenya or the wider East Africa region by default. The standard retention window is 90 days, after which data is purged unless the customer contract specifies a longer or shorter period. Customers may request earlier deletion at any time.

Access to customer data is granted on a least-privilege basis. Every access event is logged, attributable, and reviewable. Customer datasets are isolated at the tenant boundary; one customer's data is never used to train, fine-tune, or evaluate models serving another customer.

4. Models

ALAT Labs operates three classes of model. Foundation models are sourced from established providers and accessed under commercial terms that prohibit training on customer prompts. Fine-tuned models are produced in-house, adapted for African languages, names, and business contexts. Hosted lightweight models are deployed on-premises for customers who require full air-gapped operation.

Each production model is evaluated against a documented intent suite — the current internal benchmark is the 58/58 intent test — alongside ongoing live evaluation. Retraining is scheduled at fixed intervals and is also triggered automatically when drift indicators cross defined thresholds.

Model selection for any given workflow is documented in a model card and made available to the customer on request.

5. Human oversight

Every customer-facing AI decision is recoverable. Operators can override, reverse, or pause any automated action through the relevant ALAT control surface. Override events are logged and surfaced in the customer audit trail.

Critical-path decisions — those affecting lending, hiring, healthcare, or other regulated outcomes — require explicit human sign-off before they take effect. ALAT Labs does not ship systems that issue these decisions autonomously, regardless of model confidence.

Escalation paths are defined per deployment. When a system encounters input outside its competence or detects a harm signal, it routes to a named human reviewer rather than degrading silently.

6. Security

Data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted with AES-256. Access to production systems is governed by role-based access control, multi-factor authentication, and short-lived credentials.

Audit logs covering authentication, data access, and administrative actions are retained for twelve months. Incident-response runbooks are maintained for each production system and exercised on a recurring schedule.

In the event of a confirmed data breach, ALAT Labs commits to notifying affected customers and the Office of the Data Protection Commissioner within 72 hours of confirmation, in line with the Kenya Data Protection Act 2019.

7. Customer rights

Customers and the end-users of customer-deployed systems hold the following rights with respect to data processed by ALAT Labs:

• Access — request a copy of personal data held about them.
• Correction — request that inaccurate or incomplete data be amended.
• Deletion — request erasure of personal data, subject to legal retention obligations.
• Portability — receive their data in a structured, machine-readable format.
• Withdrawal of consent — withdraw consent for processing that relies on consent as its legal basis.
• Complaint — raise a concern with ALAT Labs or with the Office of the Data Protection Commissioner of Kenya.

To exercise any of these rights, contact legal@alatlabs.com. ALAT Labs responds to verified requests within 30 days.

8. Compliance

ALAT Labs designs its AI systems against an evolving compliance baseline. The current frame includes:

• Kenya Data Protection Act 2019 — primary statutory regime for personal data.
• GDPR — alignment maintained for customers operating in or serving the European Economic Area.
• EU AI Act — risk-classification practices tracked against the Act as implementing acts mature.
• Central Bank of Kenya Prudential Guidelines — applied to AI deployments in banking and lending contexts.
• Ministry of Health digital-health guidance — applied to AI deployments in clinical and patient-facing contexts.

Where ALAT Labs holds formal certifications, they are listed on the corporate website. Where work is in progress, it is described as such — ALAT Labs does not claim certifications it does not hold.

9. Updates

This policy may be updated as ALAT Labs grows and as the regulatory landscape evolves. Material changes are communicated to active customers at least 30 days in advance of taking effect. The version number and last-updated date at the top of this page reflect the current edition.

Contact legal@alatlabs.com for inquiries about this policy.

Questions?

Contact legal@alatlabs.com or visit our contact page for partnership or compliance inquiries.