AI Usage and Risk Policy

Effective Date: June 22, 2026

1. Purpose and Scope

This policy describes how Docwright Software LLC ("DocWright") manages risk associated with the optional AI-assisted alt-text feature within the DocWright application. It applies specifically to DocWright's use of the Anthropic Claude API; DocWright does not develop, train, host, or operate any AI or machine learning model itself.

2. Two-Layer Risk Model

DocWright's AI risk posture rests on two distinct layers, and this policy is deliberate about not conflating them:

Layer 1 — Underlying infrastructure (Anthropic's responsibility)

Anthropic, the provider of the Claude API used for the AI alt-text feature, holds SOC 2 Type 2, ISO 27001, and HIPAA compliance certifications covering its own infrastructure, security program, and data handling. DocWright relies on this underlying certified infrastructure rather than duplicating it.

Layer 2 — DocWright's own integration risk (DocWright's responsibility)

Separately, DocWright is responsible for how it integrates and constrains its use of that API. This policy addresses that second layer specifically — it is not a restatement of Anthropic's certifications, but a description of DocWright's own design choices that limit risk in how the API is used.

3. DocWright's Risk-Limiting Design Choices

4. Human Oversight

AI-generated descriptions are inserted into the processed document automatically, without requiring approval prior to insertion. However, the user retains the original file alongside the processed file and a fix report listing all AI-generated content, allowing review and manual editing of any description before final use (e.g., before uploading to the institution's LMS). DocWright considers this post-hoc review workflow appropriate given the low-stakes, easily reversible nature of the output (descriptive alt text, not a decision affecting any individual).

5. Incident Response for the AI Feature

Because the AI feature depends entirely on an institution-supplied API key, it can be disabled immediately by removing or not renewing that key in the application's Settings panel — no DocWright-side action or reinstall is required. This is the primary control available in the event of an identified issue with the feature.

6. Current Limitations

DocWright does not yet have a formal, written AI risk-management framework modeled on a published standard (e.g., NIST AI RMF), nor a dedicated AI governance function, consistent with the company's current single-founder structure. This policy represents DocWright's current, good-faith documentation of its actual AI risk-limiting practices, and will be expanded as the company grows.

7. Related Documents

8. Contact

Gregory Buthusiem, Founder & Managing Member

Docwright Software LLC

contact@docwright.org

(856) 817-5100

docwright.org