Reporting a concern

1. Where to send it

Email concerns@corial.app. The alias goes directly to Matthias Förster, the founder of OpenCream SAS and the AI Lead for Corial. It is monitored every business day. No ticketing system sits between you and the inbox.

If your concern is a security disclosure (vulnerability, leaked credentials, suspected breach), use security@corial.app instead. Both inboxes reach the same person today. The split is there so we can route them differently once the company grows.

If your concern is about data subject rights under GDPR (access, correction, deletion), use privacy@corial.app and reference the data-retention policy.

2. What you can report

• An AI behaviour that looks wrong: biased output, hallucinated facts in a customer-facing artifact, an outbound communication that was not approved.
• A public claim of ours that does not match what you have observed.
• A data-handling concern: your data ending up somewhere it should not, or being retained past what we said.
• A sub-processor concern: a provider we use that you believe should not be on the list.
• A standards-alignment concern: a control we claim to operate that you have reason to think we do not.
• An ethics concern: something Corial is doing or being asked to do that crosses one of the lines we set in our Responsible AI Charter §2.

You do not have to be sure. If you are wrong, we will tell you why we think so. If you are right, we will fix it and credit your report in the next quarterly review.

3. What we commit to

• Acknowledge within two business days. A human reply from the AI Lead, not an autoresponder.
• Substantive response within ten business days. Either an explanation of what we found and what we changed, or a timeline for when we will get back to you with more.
• No retaliation. If you are reporting from inside a customer organisation or a sub-processor, we will not use your identity or your report against you, your employer, or your relationship with us. We will not name you to your employer or your client unless you ask us to.
• Confidentiality where requested. Tell us if you want your identity kept confidential. We will only break confidentiality if we are legally compelled to, and we will tell you first if that happens.
• Anonymity if you prefer. Use a throwaway email if you would rather. We will lose the ability to follow up with questions, but we will still investigate.
• Closure you can verify. If your concern leads to a material change, we will write up what changed and the date in our internal improvement log, and tell you when it is done. We will not name you unless you ask us to be named.

4. What this does not cover

• Product support questions. Contact your account rep at Corial, or write to support@corial.app.
• Sales questions. Use hello@corial.app.
• Legal disputes between you and your employer, customer, or sub-processor. We cannot mediate those. If your concern names something Corial actually did, we will handle that part. The rest is between you and your counsel.

5. Why we publish this

ISO/IEC 42001 Annex A.3.3 asks any company that runs AI on customer data to give people an easy way to raise concerns, and to promise publicly not to retaliate against them. That is the shape of this page. The honest reason it is here is that we would rather hear when we are wrong than find out from a procurement reviewer or a journalist.