Responsible AI Charter
Signed June 5, 2026. Next review: June 2027.
This charter sets out how OpenCream SAS, operating as Corial, picks AI providers, what we will not do with AI, and what we promise to disclose. I sign it personally and review it once a year.
I, Matthias Förster, hold the role of AI Lead at Corial. Until the company grows, the AI Lead, the Privacy Officer, the Security Officer, and the Incident Commander are the same person. The buck stops with me on every decision about how Corial uses AI on customer data.
We work with B2B sales teams whose business depends on long-running, commercially sensitive customer relationships. In several of the industries we serve, the brands at the end of the supply chain ask their suppliers to sign Responsible Procurement Charters covering labour, sourcing, and sustainability. This is the same format applied to our part of those chains. The thing we supply is AI. The thing the chain runs on is data.
The charter is short on purpose. Long policies do not get read.
1. How we pick AI providers
We weigh six things for every provider and model that handles production traffic. None of them wins on its own.
- Capability for the task. We do not use a weak model for important work to save a few cents.
- Where the inference happens. The EU residency tier runs all AI inference inside the European Union. Customers pick it during onboarding. See the Trust page for what changes when it is on.
- Training-data policy. Providers must contractually commit, under their commercial terms, not to train on the data we send them. We only sign with providers that do.
- Published safety framework. We prefer providers that publish a versioned safety position. Anthropic publishes a Responsible Scaling Policy. Google DeepMind publishes a Frontier Safety Framework. Mistral publishes its safety stance.
- Independent transparency assessment. Stanford runs the Foundation Model Transparency Index. MLCommons runs the AILuminate safety benchmark. We cite their scores rather than invent our own.
- Cost and latency. We will not pretend these do not matter. They decide whether the product stays affordable for our customers. They get weighed against the other five, not above them.
2. What we will not do
These are rules. Not preferences.
- We do not let any AI provider train on customer data. Ever.
- We do not deploy Corial for military, surveillance, weapons-related, or political-influence use cases.
- We do not route production traffic to a provider that refuses to disclose its training data sources or safety practices.
- We do not send messages on a customer's behalf to their contacts without the customer reading and approving the draft first. Corial drafts. Customers send.
- We do not hide our routing. If we say we use a particular provider, we use it. If we change a provider, we update the public sub-processor list and notify customers 30 days in advance.
3. Where we lean
Where capability allows, we prefer:
- EU-headquartered providers. Mistral AI, based in Paris, is among the providers we route to.
- EU-region inference. The residency tier covers this for every AI call (text generation, voice transcription, document analysis, web lookups).
- Providers with a published safety framework over those without.
The honest truth is that the strongest AI capability today still sits with US-based providers. We have not made "EU providers only" a hard rule because that would force us to ship a noticeably worse product for our customers. The residency tier handles the data flow question. This charter handles the provider choice question. When European capability closes the gap on the workloads our customers care about, the default may move.
4. What we will disclose
- A public sub-processor list covering every third party that processes customer data, updated 30 days before any addition or replacement.
- A public Trust page covering our security, data-handling, and standards-alignment posture.
- A public Model Card naming the AI providers and model families in production, the region of inference per tier, and links to the providers' safety frameworks and third-party assessments.
- An internal Incident Response plan with a 72-hour breach-notification commitment under Article 33 of the GDPR. Security disclosures go to security@corial.app.
- A concerns reporting mechanism at concerns@corial.app. Open to anyone — customers, sub-processor employees, members of the public — and protected by a written non-retaliation commitment. Concerns reach the AI Lead directly.
- This charter. Re-signed at least once a year. Material changes posted 30 days in advance.
5. Why a charter rather than a certification
ISO/IEC 42001 is the first AI management standard. It was published in 2023. SOC 2 has been around for years. Both can be audited. Both cost money and take months. We have done the conformance work internally first and published this charter alongside it. When a customer relationship calls for a formal audit, we will pay for one.
A public charter and a third-party audit serve different functions. An audit verifies that we do what we claim. A charter states what we claim, in plain language, with a name on it. Both have value. Charters move faster, can be specific to the company that signs them, and put the founder publicly on the line. We are starting with the one we can sign today.
6. What this charter does not claim
- I do not claim to have solved AI ethics. I have made choices and written them down.
- I do not claim that every AI provider we use is uncomplicated. All of them have investors, customers, or commercial relationships I would not personally endorse. The criteria in section 1 are how we navigate that, not how we deny it.
- I do not claim certifications we do not hold. "Designed in alignment with" a standard means we have walked its controls and fixed what we could. It does not mean an auditor has signed off.
Signed
Matthias Förster
Founder, OpenCream SAS — AI Lead, Corial
Chantilly, France. June 5, 2026.
Questions about this charter: privacy@corial.app
See also: Trust · Subprocessors · Privacy Policy · Data Processing Agreement