AI Governance Statement

Version 1.0 · Effective May 1, 2026 · Next review May 1, 2027

Our Position

Waivz is an AI-first retirement plan technology company. The (k) Suite was designed from the foundation around generative AI, not retrofitted with AI features after the fact.

This distinction shapes how we think about governance. When AI is the foundation of the platform, governance is the discipline that makes the foundation trustworthy. We treat it accordingly.

This statement explains how we think about AI in retirement plan work — what we do, what we don't do, and what advisors and their plan sponsor clients can expect from us. It is reviewed and reissued annually.

Our Principles

Principle 1
Augment, not replace
AI in the (k) Suite assists the advisor. It does not replace the advisor. Every output is a draft, an analysis, or a surfacing of information — never a decision. The advisor is the fiduciary. AI is a tool the fiduciary uses. This distinction is foundational and non-negotiable.
Principle 2
Enterprise-grade AI only
The (k) Suite uses Anthropic's Claude through commercial API access. We do not route advisor or plan data through consumer chatbots, free tiers, or platforms that train on customer data. Under Anthropic's API Terms of Service, customer inputs are not used to train models. The line between professional AI infrastructure and consumer AI products is real, and we are firmly on the professional side.
Principle 3
Data minimization
We send to AI only what is needed for the task. Plan design parameters, fund data, plan structure — yes. Participant Social Security numbers, individual account credentials, banking information — no. This is enforced architecturally, not just by policy: applications that process uploaded documents parse files client-side in the browser, detect and exclude PII columns (such as SSNs) before field mapping, and run a de-identification function that strips remaining personal identifiers before any data reaches the AI provider. The minimum necessary, never more.
Principle 4
Transparency by default
Advisors using the (k) Suite know which AI provider processes their data, what data is sent, and what is not. This statement is part of that transparency. So is the Security & Trust Center embedded in every (k) Suite application.
Principle 5
Human-in-the-loop on every output
No AI output in the (k) Suite reaches a plan sponsor or plan participant without advisor review. There is no autonomous AI action against client data.
Principle 6
Continuous improvement, not set-and-forget
This statement is reviewed and reissued annually. AI capabilities, threats, and best practices evolve. Our governance evolves with them. Significant changes between annual reviews are logged publicly.

Our AI Provider

The (k) Suite uses Claude, developed by Anthropic. We chose Anthropic for three reasons:

Safety-first design. Anthropic was founded specifically to advance safe AI. Their published research and product practices reflect a deep institutional commitment to safety that aligns with the fiduciary mindset of retirement plan work.

Data protection by contract. Our commercial API access is governed by Anthropic's API Terms of Service, which prohibit the use of customer inputs for model training. API logs are retained for seven days and then automatically deleted. These terms are published and independently verifiable at Anthropic's Trust Center (trust.anthropic.com).

Capability. In our assessment, Claude's reasoning quality and handling of nuanced retirement plan analysis meets our requirements for accuracy, depth, and compliance awareness.

We document our AI provider explicitly because advisors and their CCOs deserve to know — and because diligent fiduciaries should expect their technology vendors to disclose this information.

What AI Does in the (k) Suite

Across the (k) Suite, AI is used to:

  • Draft plan design analyses and compliance commentary (Design(k) Pro, Tax(k))
  • Generate marketing and educational materials from plan data (Dream(k))
  • Power conversational queries of the advisor's book of business (Vault(k))
  • Extract and structure data from uploaded documents (Census(k) Pro, Eligibility(k), Intent(k))
  • Score and tier investment options (Fund(k))
  • Produce reports and disclosure documents (Report(k))
In every case, the output is reviewed by the advisor before it reaches a client.

What AI Does Not Do

  • AI does not make fiduciary decisions on behalf of advisors or plan sponsors.
  • AI does not communicate directly with plan participants.
  • AI does not access banking systems, custodian platforms, or move money.
  • AI does not act autonomously on data — every workflow has an advisor in the loop.
  • AI does not learn from customer data: under Anthropic's API Terms of Service, customer inputs are not used to train models and are not accessible to other customers.

Model Management

The (k) Suite uses specific Claude model versions per application, selected for task fitness and stability. Different applications may use different models within the Claude family based on the complexity and nature of the task. Model versions are updated deliberately, not automatically, and are documented in the Security & Trust Center of each application.

Data Minimization in Practice

The data minimization principle is enforced through application architecture, not just policy. The following describes how this works in (k) Suite applications that process uploaded census and plan data:

Client-side file parsing. Uploaded census files (XLSX, CSV) are parsed entirely in the advisor's browser using SheetJS, a JavaScript spreadsheet library. The raw file never leaves the browser and is never transmitted to a server; only the de-identified extract described below is sent on for analysis.

Automatic PII detection and exclusion. During field mapping, the system identifies columns containing Social Security numbers and excludes them before any data is mapped or transmitted. SSN columns are flagged in the interface with a shield indicator: "Skipped — SSNs are never mapped or transmitted."

De-identification before AI processing. Before any data is sent to the AI provider for analysis, a client-side de-identification function strips first names and any remaining personal identifiers. Only financial and employment data required for compliance analysis — compensation, deferrals, dates of hire, hours of service, ownership percentages, and derived eligibility flags — is transmitted.

Advisor-visible privacy disclosure. Before initiating AI analysis, the advisor sees a privacy summary confirming what is and is not transmitted (e.g., "No SSNs transmitted · No first names · Zero Data Retention").

No persistent storage of uploaded files. Uploaded census data exists only in the browser session. When the browser tab is closed, the data is gone. There is no server-side copy of the original uploaded file.
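The steps above, as an added example (not Waivz's or SheetJS's code): the input is an array of row objects in the shape SheetJS's sheet_to_json produces, but the rows are constructed sample data, so it runs offline in any JavaScript runtime without SheetJS. The allowlist of analysis fields, the identifier-header patterns, the 80% threshold, the "row" handle and the sample values are all assumptions for illustration. It goes slightly beyond the text in two ways a practitioner would want: it detects an SSN column by its values as well as its header (so an "Employee ID" column that actually holds SSNs is still excluded), and it fails closed, refusing to build a payload if any SSN-shaped value survives into an allowlisted field.

```javascript
// Added example, not Waivz's code: browser-side PII exclusion and
// de-identification of a parsed census sheet before anything is sent
// to an AI provider. Input shape mimics SheetJS utils.sheet_to_json
// (array of row objects keyed by header); SAMPLE_ROWS below are
// constructed, so the example runs without SheetJS or a network.

// Assumed allowlist of normalized field names the compliance analysis
// needs. Anything not listed is dropped, whatever it holds.
const ALLOWED_FIELDS = new Set([
  "compensation", "deferrals", "date_of_hire", "hours_of_service",
  "ownership", "ownership_pct", "eligible",
]);

// Headers that name a person or a direct identifier (assumed list).
const IDENTIFIER_HEADER =
  /\bssn\b|social|taxpayer|\btin\b|first|last|name|email|phone|address|\bdob\b|birth/i;

// A whole cell that is a 9-digit SSN, dashed or not.
const SSN_CELL = /^\s*\d{3}-?\d{2}-?\d{4}\s*$/;
// SSN-shaped run anywhere in a string; used for the fail-closed sweep.
// A bare 9-digit run can false-positive, which here just blocks sending.
const SSN_ANYWHERE = /\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b/;

function normalizeHeader(h) {
  return String(h).trim().toLowerCase()
    .replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "");
}

// A column is treated as SSNs if the header says so OR if most of its
// non-empty cells look like SSNs (catches mislabeled columns).
function looksLikeSsnColumn(header, rows) {
  if (/\bssn\b|social|taxpayer|\btin\b/i.test(header)) return true;
  const cells = rows.map((r) => r[header])
    .filter((v) => v !== undefined && v !== null && String(v).trim() !== "");
  if (cells.length === 0) return false;
  const hits = cells.filter((v) => SSN_CELL.test(String(v))).length;
  return hits / cells.length >= 0.8;
}

// Classify every header as kept (with its normalized field name) or
// skipped (with the reason shown to the advisor in the field mapper).
function mapFields(rows) {
  const headers = [...new Set(rows.flatMap((r) => Object.keys(r)))];
  const kept = [], skipped = [];
  for (const h of headers) {
    const field = normalizeHeader(h);
    if (looksLikeSsnColumn(h, rows)) skipped.push({ header: h, reason: "ssn" });
    else if (IDENTIFIER_HEADER.test(h)) skipped.push({ header: h, reason: "identifier" });
    else if (!ALLOWED_FIELDS.has(field)) skipped.push({ header: h, reason: "not allowlisted" });
    else kept.push({ header: h, field });
  }
  return { kept, skipped };
}

// Build the only payload that may leave the browser. "row" is a
// session-local handle for mapping results back; it is not an identifier.
function deidentifyCensus(rows) {
  const { kept, skipped } = mapFields(rows);
  const payload = rows.map((r, i) => {
    const out = { row: i + 1 };
    for (const { header, field } of kept) out[field] = r[header];
    return out;
  });
  // Fail closed: refuse to send rather than leak if an SSN-shaped value
  // survived (e.g. typed into an allowlisted column by mistake).
  const leak = JSON.stringify(payload).match(SSN_ANYWHERE);
  if (leak) throw new Error(`SSN-like value survived de-identification: ${leak[0]}`);
  const summary = {
    ssnColumnsSkipped: skipped.filter((s) => s.reason === "ssn").map((s) => s.header),
    identifiersSkipped: skipped.filter((s) => s.reason === "identifier").map((s) => s.header),
    fieldsTransmitted: kept.map((k) => k.field),
  };
  return { payload, skipped, summary };
}

// Constructed sample rows (not real people). "Employee ID" holds SSNs,
// a common bad practice that header matching alone would miss.
const SAMPLE_ROWS = [
  { "First Name": "Ana", "Last Name": "Doe", "Employee ID": "123-45-6789",
    "Compensation": 85000, "Deferrals": 5100, "Date of Hire": "2019-03-04",
    "Hours of Service": 2080, "Ownership %": 0, "Notes": "HCE review" },
  { "First Name": "Ben", "Last Name": "Lee", "Employee ID": "987654321",
    "Compensation": 240000, "Deferrals": 23000, "Date of Hire": "2010-07-15",
    "Hours of Service": 2080, "Ownership %": 60, "Notes": "owner" },
  { "First Name": "Cy", "Last Name": "Ng", "Employee ID": "",
    "Compensation": 42000, "Deferrals": 0, "Date of Hire": "2024-11-01",
    "Hours of Service": 400, "Ownership %": 0, "Notes": "part-time" },
];

const result = deidentifyCensus(SAMPLE_ROWS);
console.log(JSON.stringify(result.summary, null, 2));
```

The summary object is what a privacy banner like the one described above would be rendered from, and the skipped list with reasons is what the field mapper would show beside each excluded column. Allowlisting fields rather than blocklisting identifiers is the design choice that matters: a new column with an unexpected header is dropped by default instead of transmitted by default.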

Regulatory Context

The (k) Suite is designed for use by retirement plan advisors operating under ERISA fiduciary obligations. Our governance principles are informed by:

ERISA §404(a)(1) — The prudent expert standard. AI outputs are tools for the advisor's analysis, not replacements for fiduciary judgment.

DOL Fiduciary Rule — Advisors using the (k) Suite retain full decision-making authority. AI assists but does not direct.

DOL Cybersecurity Best Practices (2021) — Our infrastructure choices, encryption standards, and vendor selection reflect the Department of Labor's guidance on cybersecurity for plan fiduciaries and service providers.

This governance statement is intended to support advisors in documenting their own prudent process when using AI-assisted tools in plan management.

Subprocessors

The following third parties process or store data in connection with the (k) Suite:

Subprocessor          | Role                                   | Data handled                                            | Certifications
Anthropic, Inc.       | AI processing (Claude API)             | Plan design parameters, fund data, plan metadata        | SOC 2 Type II · ISO 27001 · ISO 42001
Cloudflare, Inc.      | Application hosting (Workers, Pages)   | Application code, static assets, transient request data | SOC 2 Type II · ISO 27001
Airtable (Formagrid)  | Structured data storage                | Advisor and plan configuration data                     | SOC 2 Type II · ISO 27001 · ISO 27701
Box, Inc.             | File and document storage              | Uploaded documents, generated reports                   | SOC 2 Type II · ISO 27001 · FedRAMP · FIPS 140-2
Softr GmbH            | Application portal and authentication  | User credentials, session data                          | SOC 2 Type II

This list is reviewed when vendors are added or changed.

Vendor Due Diligence Summary

For advisors who need to share vendor diligence detail with their CCO, plan sponsor clients, or in response to a regulatory examination:

AI provider: Anthropic, Inc.
Model family: Claude (Opus 4, Sonnet 4 class)
Access type: Commercial API under Anthropic's standard API Terms of Service
Customer data used to train models: No (prohibited under API Terms of Service)
AI provider data retention: 7 days (API logs auto-deleted; inputs not stored long-term)
Data residency — AI processing: United States (data at rest); inference configurable to US
Data residency — Application hosting: United States (Cloudflare)
Data residency — Structured data: United States (Airtable)
Data residency — File storage: United States (Box)
Data residency — Application portal: European Union / Germany (Softr, AWS Frankfurt)
Encryption in transit: TLS 1.2 or higher (all vendors)
Encryption at rest: AES-256 (all vendors)
PII handling: Files parsed client-side (SheetJS); SSN columns auto-detected and excluded at field mapping; de-identification function strips remaining personal identifiers before AI processing
Authentication: Softr-managed authentication with JWT tokens scoped to individual advisors; Cloudflare Workers validate the JWT on every API call. Standalone analysis tools are publicly accessible and do not persist user data
Customer data retention: Transient processing; AI inputs and outputs are not stored long-term
Audit logs: Advisor-level activity tracking via Airtable; infrastructure-level request logs via Cloudflare; application-level audit trail planned for a future release
This summary is intentionally factual and ready to paste into compliance documentation.

Incident Response

We are developing a formal incident response process. In the event of a confirmed security incident affecting advisor or plan data, we will notify affected parties promptly. As our incident response framework matures, the specific notification timeline and procedures will be documented here and in our operational policies.

This section will be expanded in the next annual review.

Annual Review

This statement is reviewed every twelve months. Material changes between annual reviews are logged on this page.

The next scheduled review is May 1, 2027.

Questions

For governance, security, or compliance inquiries: governance@waivz.ai

For technical or product questions: support@waivz.ai

Issued May 1, 2026 · Version 1.0 · Waivz, Inc.