Waivz AI Governance Statement
Version 1.1 · Effective June 25, 2026 · waivz-ai-governance.pages.dev
AI Governance Statement
Our Position
Waivz is an AI-first retirement plan technology company. The (k) Suite was designed from the foundation around generative AI, not retrofitted with AI features after the fact.
This distinction shapes how we think about governance. When AI is the foundation of the platform, governance is the discipline that makes the foundation trustworthy. We treat it accordingly.
This statement explains how we think about AI in retirement plan work — what we do, what we don't do, and what advisors and their plan sponsor clients can expect from us. It is reviewed and reissued annually.
Our Principles
Our AI Providers
The (k) Suite uses enterprise AI APIs from three providers — Anthropic (Claude), OpenAI (GPT), and Google (Gemini) — selected per task. Claude is the default and most-used; in some tools advisors may select an alternative model. All three are accessed under commercial API terms that prohibit training on customer inputs. We chose Anthropic as our primary provider for three reasons:
Safety-first design. Anthropic was founded specifically to advance safe AI. Their published research and product practices reflect a deep institutional commitment to safety that aligns with the fiduciary mindset of retirement plan work.
Data protection by contract. Our commercial API access is governed by Anthropic's API Terms of Service, which prohibit the use of customer inputs for model training. API logs are retained for a short period (Anthropic: seven days) and then automatically deleted. These terms are published and independently verifiable at Anthropic's Trust Center (trust.anthropic.com).
Capability. In our assessment, Claude's reasoning quality and handling of nuanced retirement plan analysis meets our requirements for accuracy, depth, and compliance awareness.
Additional providers. Where a task benefits from a different model, the (k) Suite also uses OpenAI's GPT and Google's Gemini through their commercial APIs. Both prohibit training on customer inputs under their API terms, apply enterprise-grade security, and are subject to the same data-minimization handling described below. Each provider's trust documentation is linked in the footer.
We document our AI providers explicitly because advisors and their CCOs deserve to know — and because diligent fiduciaries should expect their technology vendors to disclose this information.
What AI Does in the (k) Suite
Across the (k) Suite, AI is used to:
- Draft plan design analyses and compliance commentary (Design(k) Pro, Tax(k))
- Generate marketing and educational materials from plan data (Dream(k))
- Power conversational queries of the advisor's book of business (Vault(k))
- Extract and structure data from uploaded documents (Census(k) Pro, Adopt(k), Summary(k), Eligibility(k), Intent(k))
- Score and tier investment options (Fund(k))
- Produce reports and disclosure documents (Report(k))
What AI Does Not Do
- AI does not make fiduciary decisions on behalf of advisors or plan sponsors.
- AI does not communicate directly with plan participants.
- AI does not access banking systems, custodian platforms, or move money.
- AI does not act autonomously on data — every workflow has an advisor in the loop.
- Under each AI provider's commercial API terms, customer inputs are not used to train models and are not accessible to other customers.
Model Management
The (k) Suite uses specific model versions per application, selected for task fitness and stability. Applications may use different models across our providers (Claude, GPT, and Gemini families) based on the complexity and nature of the task. Model versions are updated deliberately, not automatically, and are documented in the Security & Trust Center of each application.
Data Minimization in Practice
The data minimization principle is enforced through application architecture, not just policy. The following describes how this works in the (k) Suite tools that process uploaded census and spreadsheet data. (Document-extraction tools such as Adopt(k) and Summary(k) work differently — see the note at the end of this section.)
Client-side file parsing. Uploaded files (XLSX, CSV) are parsed entirely in the advisor's browser using SheetJS, a JavaScript spreadsheet library. The raw file never leaves the browser and is never transmitted to a server.
Automatic PII detection and exclusion. During field mapping, the system identifies columns containing Social Security numbers and excludes their values before any data is mapped or transmitted, including the field-detection step.
De-identification before AI processing. Before any data is sent to the AI provider for analysis, a client-side de-identification function strips Social Security numbers and first names. What is transmitted is a last-name-plus-dates key (last name, date of birth, date of hire — used for family-group and HCE/attribution logic) together with the financial and employment data required for compliance analysis: compensation, deferrals, hours of service, ownership percentages, and derived eligibility flags. This is de-identified of direct identifiers, not fully anonymized.
Advisor-visible privacy disclosure. Before initiating AI analysis, the advisor sees a privacy summary confirming what is and is not transmitted (for example, that no Social Security numbers and no first names are sent, and that uploaded data is not stored by Waivz after the session).
No persistent storage of uploaded files. Uploaded census data exists only in the browser session. When the browser tab is closed, the data is gone. There is no server-side copy of the original uploaded file.
Document-extraction tools. Adopt(k) and Summary(k) process uploaded PDFs (such as adoption agreements and plan documents). These are read in the browser and sent to the AI provider in full for extraction — they are not field-level de-identified the way census data is, because the task requires the whole document. That material is plan- and employer-level (company information, plan provisions, and where present owner or trustee names and signatures), not participant Social Security numbers. It is processed under the same no-training commercial API terms, the processing service stores nothing, and no copy is retained by Waivz after the request.
Regulatory Context
The (k) Suite is designed for use by retirement plan advisors operating under ERISA fiduciary obligations. Our governance principles are informed by:
ERISA §404(a)(1) — The prudent expert standard. AI outputs are tools for the advisor's analysis, not replacements for fiduciary judgment.
DOL Fiduciary Rule — Advisors using the (k) Suite retain full decision-making authority. AI assists but does not direct.
DOL Cybersecurity Best Practices (2021) — Our infrastructure choices, encryption standards, and vendor selection reflect the Department of Labor's guidance on cybersecurity for plan fiduciaries and service providers.
Subprocessors
The following third parties process or store data in connection with the (k) Suite:
| Subprocessor | Role | Data Handled | Certifications |
|---|---|---|---|
| Anthropic, Inc. | AI processing (Claude API) | Plan design parameters, fund data, de-identified census data, uploaded plan documents | SOC 2 II · ISO 27001 · ISO 42001 |
| OpenAI, L.L.C. | AI processing (GPT API) | Plan design parameters, de-identified census data, uploaded plan documents | SOC 2 II · ISO 27001 · ISO 42001 · CSA STAR |
| Google LLC | AI processing (Gemini API) | Plan design parameters, de-identified census data, uploaded plan documents | SOC 2 · ISO 27001 · ISO 42001 · FedRAMP High |
| Cloudflare, Inc. | Application hosting (Workers, Pages) | Application code, static assets, transient request data | SOC 2 II · ISO 27001 |
| Airtable (Formagrid) | Structured data storage | Advisor and plan configuration data | SOC 2 II · ISO 27001 · ISO 27701 |
| Box, Inc. | File and document storage | Application source code; generated reports and exports (where applicable) | SOC 2 II · ISO 27001 · FedRAMP · FIPS 140-2 |
| Softr GmbH | Application portal and authentication | User credentials, session data | SOC 2 II |
This list is reviewed when vendors are added or changed.
Vendor Due Diligence Summary
For advisors who need to share vendor diligence detail with their CCO, plan sponsor clients, or in response to a regulatory examination:
| AI providers | Anthropic (Claude), OpenAI (GPT), Google (Gemini) |
| Model families | Claude (Opus/Sonnet 4 class), OpenAI GPT (5 class), Google Gemini (2.x class) |
| Access type | Commercial APIs under each provider's standard API terms |
| Customer data used to train models | No (prohibited under each provider's commercial API terms) |
| AI provider data retention | Short abuse-monitoring window, then deletion (provider-dependent; Anthropic ~7 days). Inputs are not stored long-term and are not used for training. |
| Data residency — AI processing | United States (provider endpoints) |
| Data residency — Application hosting | United States (Cloudflare) |
| Data residency — Structured data | United States (Airtable) |
| Data residency — File storage | United States (Box) |
| Data residency — Application portal | European Union / Germany (Softr, AWS Frankfurt) |
| Encryption in transit | TLS 1.2 or higher (all vendors) |
| Encryption at rest | AES-256 (all vendors) |
| PII handling | Census/spreadsheet tools: files parsed client-side (SheetJS); SSN columns auto-detected and excluded; SSNs and first names stripped before AI processing (last name and dates transmitted for attribution logic — de-identified of direct identifiers, not fully anonymized). Document tools (Adopt(k)/Summary(k)): full plan document sent to AI for extraction; plan/employer-level material, no participant SSNs, nothing retained. |
| Authentication | Advisor portal apps use Softr-managed authentication (JWT scoped to the advisor), validated by Cloudflare Workers. Standalone analysis tools (including the census and document processors) are publicly accessible and persist no user data. |
| Customer data retention | Transient processing; AI inputs and outputs are not stored long-term |
| Monitoring | External availability monitoring on production services at one-minute intervals with email alerting; infrastructure request logs and error reporting via Cloudflare |
| Audit logs | Advisor-level activity tracking via Airtable. Infrastructure-level request logs via Cloudflare. Application-level audit trail planned for a future release. |
Incident Response
Because the (k) Suite does not retain participant data, the exposure surface is the transient processing path rather than a stored database. Production services are monitored by external availability checks at one-minute intervals with email alerting on failure, alongside infrastructure request logs and error reporting from our hosting provider.
In the event of a confirmed security incident affecting advisor or plan data, we will notify affected parties promptly. We continue to formalize and expand these procedures, and material changes are logged in the annual review below.
Annual Review
This statement is reviewed every twelve months. Material changes between annual reviews are logged on this page.
The next scheduled review is May 1, 2027.
Change log — v1.1 (June 25, 2026): disclosed OpenAI and Google as additional AI providers; clarified de-identification (Social Security numbers and first names removed; last name and dates transmitted for attribution and testing logic); described the document-extraction data flow; corrected file-storage handling; refined the authentication description; and updated incident-response monitoring.
Questions
For governance, security, or compliance inquiries: governance@waivz.ai
For technical or product questions: support@waivz.ai
Issued June 25, 2026 · Version 1.1 · Waivz, Inc.