Customer Artificial Intelligence (AI) Trust and Safety Policy

1.1 FIFTH DOMAIN uses artificial intelligence (“AI”) to support selected features and functionality in its products, services and platform operations. This Customer AI Trust and Safety Policy explains the principles, controls, and governance measures we apply when using, designing, deploying, and operating AI-enabled functionality for our customers.

1.2 This policy is intended to provide customers, partners, and other stakeholders with assurance that AI is used responsibly, transparently, securely and in alignment with applicable legal and regulatory expectations.

2.1 This policy applies to AI-enabled functionality made available by FIFTH DOMAIN through its products, services, and platform operations, including:

2.2 This policy does not replace contractual, privacy, security, or data protection obligations owed by FIFTH DOMAIN to its customers. It should be read alongside our Privacy Policy, security documentation and applicable customer agreements.

3.1 FIFTH DOMAIN uses AI to improve products, services and platform operations capability, efficiency, insight generation and user experience where appropriate and beneficial.

3.2 Our approach is guided by the following practices:

3.3 Our approach is also based on three commitments:

3.4 AI is not treated as exempt from our broader product, risk, legal, security or compliance obligations.

3.5 FIFTH DOMAIN’s AI governance is underpinned by our certified ISO 9001 quality management system and ISO/IEC 27001 information security management system.

4.1 FIFTH DOMAIN applies the following AI principles across the design, development, deployment, use, and review of AI-enabled functionality:

4.2 These principles apply across all lifecycle stages and are informed by:

5.1 FIFTH DOMAIN may use a range of AI technologies, including machine learning, generative AI, language models, classification models, automation tools and other algorithmic systems, where appropriate for a specific use case.

5.2 Different AI models, deployment methods, integrations, and use cases present different levels of risk and are therefore subject to different governance and control requirements.

5.3 Depending on the feature and use case, FIFTH DOMAIN may use:

5.4 AI-enabled functionality may support content generation or summarisation, classification, analysis, decision support, workflow automation, search, recommendations and user assistance.

5.5 The use of any AI technology is assessed having regard to data sensitivity, the nature of the output, the degree of control available over the technology, and the operational, privacy, security and customer risks associated with the use case.

5.6 Where AI-generated outputs are made available directly to customers, integrated into customer workflows, or used to support downstream platform functionality, FIFTH DOMAIN applies additional assurance, testing, review, monitoring and governance controls proportionate to the relevant risk.

6.1 Where AI-enabled functionality involves data, FIFTH DOMAIN applies controls that reflect the source of the data, the form of the data, and the purpose for which it is used. This includes whether data is customer, supplier, or open data; whether it is used in raw, metadata, or synthetic form; and whether it is used to deliver customer services, support internal AI improvement, or interact with approved third-party technologies.

6.2 Customer data is subject to heightened controls. FIFTH DOMAIN applies measures intended to ensure that customer data is handled lawfully, securely, and only for defined and appropriate purposes consistent with applicable agreements, internal governance requirements, and relevant legal obligations, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Our approach is also informed by OAIC guidance, including Guidance on privacy and the use of commercially available AI products and Guidance on privacy and developing and training generative AI models.

6.3 These measures may include need-to-access restrictions, controlled processing and storage environments, customer or role-based access controls, and retention and deletion processes, including in response to authorised customer requests.

6.4 FIFTH DOMAIN distinguishes between customer raw data and derived data, such as metadata and synthetic data. Customer raw data is subject to the highest level of restriction. As a general rule, customer raw data is used to provide services and functionality to that customer and is not used to develop third-party AI systems.

6.5 Derived data may be used in more limited and controlled ways to support analytics, service improvement, and the development of AI-enabled functionality, provided appropriate safeguards are applied. These safeguards may include abstraction, de-identification or transformation, traceability to source, review processes, and additional compliance or governance review before broader internal or third-party use.

6.6 Where third-party AI providers are used, FIFTH DOMAIN assesses their suitability and seeks to ensure appropriate contractual, privacy, security, confidentiality, and data handling protections are in place.

6.7 FIFTH DOMAIN does not use customer raw data to train shared third-party AI models and does not provide customer raw data for third-party AI development.

7.1 AI-enabled systems require controls beyond those typically applied to conventional software. AI systems may learn from data patterns, adapt to inputs, and generate outputs that can be probabilistic, context-dependent, or difficult to interpret. This creates opportunities for innovation, but also risks relating to accuracy, bias, robustness, explainability, and unexpected behaviour.

7.2 Before AI-enabled functionality is developed, deployed, or integrated into customer-facing products or services, FIFTH DOMAIN applies review and control processes appropriate to the nature of the use case and the level of risk involved.

7.3 When developing, training, tuning, or materially modifying AI systems, FIFTH DOMAIN applies controls intended to ensure that:

7.4 When AI-enabled functionality is embedded into products or services used by customers, FIFTH DOMAIN applies additional controls intended to support safe and transparent use. These may include clearly indicating where AI is used, providing plain-language guidance on intended use and limitations, enabling review or challenge pathways where relevant, monitoring for drift or unexpected behaviour, and applying controls to help ensure customer-facing outputs comply with applicable legal, regulatory, contractual, and national security requirements.

8.1 FIFTH DOMAIN may work with third-party providers, suppliers, subcontractors, research collaborators, and other partners in connection with AI-enabled functionality. Where we do so, we apply due diligence, governance, and contractual controls intended to protect customer trust, privacy, security, and responsible AI use.

8.2 Before adopting or integrating third-party AI tools, datasets, services, or related technologies, FIFTH DOMAIN assesses their suitability for the intended use case. This may include privacy, security, data handling, intellectual property, technical reliability, and alignment with responsible AI expectations.

8.3 Where third-party providers or partners are engaged, FIFTH DOMAIN seeks to ensure appropriate contractual and governance arrangements are in place, including requirements relating to data protection, confidentiality, security, intellectual property, permitted use of data, and responsible AI practices.

8.4 Where data is shared with partners or service providers, FIFTH DOMAIN applies controls appropriate to the sensitivity of the data and the nature of the engagement. Higher-risk AI use cases may be subject to enhanced due diligence, independent review, external assurance, or additional governance before deployment.

8.5 Where AI-enabled systems are developed, delivered, or operated jointly with partners, FIFTH DOMAIN seeks to establish clear accountability for data handling, model selection, deployment, monitoring, and incident management.

8.6 FIFTH DOMAIN remains accountable for AI-enabled functionality it delivers to customers, except to the extent responsibility is expressly allocated otherwise under contract.

9.1 FIFTH DOMAIN recognises that AI outputs may require review, verification, or contextual judgement depending on the use case.

9.2 Accordingly:

9.3 AI functionality is intended to support users and workflows, not remove the need for sound judgement where human expertise remains important.

10.1 FIFTH DOMAIN recognises that AI-enabled systems create different types of risk depending on how they are used, including in internal operations, product development, and customer-facing functionality. These risks may relate to accuracy, bias, fairness, explainability, privacy, security, misuse, reliability, legal compliance, and unintended system behaviour.

10.2 To manage these risks, FIFTH DOMAIN applies a repeatable, risk-based governance process across the AI lifecycle. This includes assessing intended use, identifying reasonably foreseeable misuse or failure modes, evaluating potential impacts, and applying controls proportionate to the level of risk involved.

10.3 Where appropriate, FIFTH DOMAIN undertakes AI risk assessments, impact assessments, and documented treatment planning before deployment. These processes are used to identify relevant controls, record key assumptions and limitations, support internal approvals, and provide a basis for periodic reassessment where the system, use case, or external environment changes.

10.4 FIFTH DOMAIN also applies controls intended to reduce risk, including human oversight, pre-release testing and validation, transparency to customers about the role and limitations of AI, monitoring for drift and unexpected behaviour, customer feedback pathways, and escalation and incident response processes for material issues or failures.

10.5 Where material AI-related issues are identified, FIFTH DOMAIN may investigate, apply corrective actions, restrict or suspend affected functionality, and update controls, governance measures, or deployment settings as appropriate.

11.1 AI-enabled functionality is subject to security and misuse-prevention controls consistent with the nature of the service and the risk involved. These may include authentication and access controls, logging and monitoring, environment and integration safeguards, change management controls, abuse detection, and security review of external providers and integrations.

11.2 FIFTH DOMAIN also seeks to reduce the risk of unauthorised use, adversarial misuse, unsafe prompts or instructions, malicious data manipulation, and exploitation of connected tools, workflows, or integrations.

12.1 FIFTH DOMAIN aims to communicate clearly where AI-enabled functionality forms part of our products or services.

12.2 Depending on the feature and context, we may provide information about:

12.3 AI-enabled systems can produce incomplete, inaccurate, or context-sensitive outputs. Customers should consider the intended use case and any guidance provided when relying on AI-supported functionality.

13.1 FIFTH DOMAIN maintains internal governance arrangements to support the responsible use, deployment, and oversight of AI technologies across the organisation.

13.2 This includes measures intended to ensure that personnel using, developing, deploying, or overseeing AI-enabled systems are appropriately trained and authorised for their roles. Training covers responsible AI use, relevant legal and ethical obligations, security and privacy considerations, and practical guidance on the safe and effective use of AI tools.

13.3 Additional training or role-specific requirements may apply where personnel work with higher-risk use cases, sensitive data, or customer-facing AI-enabled functionality.

13.4 Access to AI tools and technologies is subject to internal review and authorisation processes. FIFTH DOMAIN also supports ongoing learning and capability development through refresher training, updated guidance, role-specific support, and periodic review of skills and competencies.

14.1 FIFTH DOMAIN reviews this policy and related governance measures periodically and may update them to reflect changes in technology, legal or regulatory requirements, industry standards, customer expectations, and our products, services, or operating model.

14.2 Non-compliance with internal AI governance requirements is managed through FIFTH DOMAIN’s internal policies and procedures.

15.1 Customers with questions about FIFTH DOMAIN’s use of AI, AI-enabled functionality, or this policy may contact us using the details provided in their customer agreement, through their account representative, or via email to info@fifthdomain.pro.