AI & Data Governance
How EpicMind governs AI, handles your data, and protects your privacy. Every AI feature follows our shared governance framework rooted in transparency, privacy, and human authority.
Governance Framework v1.1 — Last updated March 2026
EpicMind is part of the Epic Growth ecosystem. Our governance framework is shared across all three products. For the ecosystem overview, see the Epic Growth Governance page.
Universal Principles
These 8 principles apply to every AI feature in EpicMind.
Transparency
Every AI interaction is clearly labelled. Users always know when they are communicating with an AI system. AI-generated content is marked as such.
Accuracy & Honesty
Our AI systems never fabricate data or statistics. When uncertain, they state confidence levels explicitly and distinguish facts from recommendations.
Privacy & Data Protection
GDPR-compliant by design. We minimise data collection, never transmit data to third parties without consent, and respect the right to erasure.
Human Authority
No AI system takes irreversible actions without human confirmation. Strategic recommendations are advisory — final decisions always rest with humans.
Fairness & Non-Discrimination
Automated assessments are objective and criteria-based. Our systems never produce outputs that discriminate based on any protected characteristic.
Auditability
Every automated output is traceable to its data sources. Decision logs are maintained and audit trails preserved for a minimum of 12 months.
Safety & Harm Prevention
Our systems refuse requests that conflict with our governance framework, applicable law, or ethical standards. Potential harms are flagged before proceeding.
AI Literacy
Our AI systems explain their reasoning, methodologies, and limitations when asked. We promote informed decision-making, not dependency.
AI Features & Risk Classification
Each AI-powered feature in EpicMind is classified under the EU AI Act. None of our features are classified as High Risk.
AI Chat Assistant
Limited Risk: Conversational AI powered by Anthropic Claude for business queries, note-taking, and knowledge retrieval.
Data Access
User messages, Knowledge Base, notes, proposals
AI Disclosure
Chat interface clearly states the user is communicating with an AI assistant.
Email Classification
Minimal Risk: Automatic categorisation and priority scoring of incoming emails.
Data Access
Email subject lines and body content (processed, not stored by AI provider)
AI Disclosure
Classification labels are marked as AI-generated.
Content Generation
Limited Risk: Multi-model AI content creation using Anthropic Claude, OpenAI, and Google Gemini.
Data Access
User prompts and optional Knowledge Base context
AI Disclosure
Generated content is clearly labelled as AI-produced.
Knowledge Base (RAG)
Minimal Risk: Knowledge base with vector embeddings for contextual retrieval-augmented generation.
Data Access
Uploaded documents, chunked and embedded for semantic search
AI Disclosure
Search results indicate source documents and relevance scores.
Proposal AI Tools
Limited Risk: AI-assisted proposal writing with compliance checking, content suggestions, and brain search.
Data Access
Proposal sections, compliance checklists, Knowledge Base documents
AI Disclosure
AI suggestions are clearly separated from user-written content.
Data Handling
How EpicMind stores, processes, and protects your data.
Storage & Hosting
All data is stored in Google Cloud SQL (PostgreSQL) with application-layer access control. The application is hosted on Google Cloud Run in the europe-west1 (Belgium) region. No data leaves the EU.
AI Provider Data
When you use AI features, your prompts are sent to the selected AI provider (Anthropic, OpenAI, or Google) for processing. We do not store AI conversations on third-party servers beyond the request lifecycle. No training is performed on your data.
Authentication
Authentication uses magic link email verification — no passwords are stored. Session tokens are signed JWTs stored in HTTP-only cookies with 7-day expiry.
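The two mechanisms this paragraph names, single-use magic-link tokens and signed session JWTs delivered in HTTP-only cookies with a 7-day lifetime, are illustrated in the following added example. It is not EpicMind's code: the HS256 signing algorithm, the 15-minute magic-link validity, the `SameSite=Lax` attribute and the in-memory token store are assumptions chosen for the illustration; only the 7-day session expiry and the HttpOnly cookie come from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key; a real deployment loads this from a secrets manager.
SECRET_KEY = secrets.token_bytes(32)
SESSION_TTL = 7 * 24 * 60 * 60  # 7 days, as the page states


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class MagicLinkStore:
    """Single-use magic-link tokens (assumed design: only the SHA-256 of the
    token is kept, so a leaked store cannot be replayed as a login link)."""

    def __init__(self, ttl_seconds: int = 15 * 60):  # 15-minute validity is assumed
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (email, expiry)

    def issue(self, email: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        raw = secrets.token_urlsafe(32)
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._pending[digest] = (email, now + self.ttl)
        return raw  # goes into the emailed link; never persisted in clear

    def redeem(self, raw: str, now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        # pop() makes the token single-use whether or not it is still valid
        entry = self._pending.pop(hashlib.sha256(raw.encode()).hexdigest(), None)
        if entry is None:
            return None
        email, expiry = entry
        return email if now < expiry else None


def issue_session_jwt(user_id: str, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT (assumed algorithm) carrying sub/iat/exp claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + SESSION_TTL}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_session_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":  # refuse alg=none and key-confusion tricks
            return None
        expected = hmac.new(SECRET_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None
        payload = json.loads(_b64url_decode(p64))
    except ValueError:  # covers bad split, bad base64, bad JSON
        return None
    if now >= int(payload.get("exp", 0)):
        return None
    return payload


def session_cookie_header(token: str) -> str:
    """HttpOnly keeps the JWT away from page scripts; Secure limits it to TLS."""
    return (f"Set-Cookie: session={token}; Max-Age={SESSION_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("user@example.com")          # emailed to the user
    email = store.redeem(link_token)                       # user clicks the link
    jwt = issue_session_jwt(email)
    print(session_cookie_header(jwt))
    print(verify_session_jwt(jwt))
```

The verifier checks the `alg` header before the signature and uses `hmac.compare_digest`, so a token whose signature has been altered, or whose header has been rewritten to another algorithm, is rejected before any claim is trusted; the expiry check afterwards enforces the 7-day lifetime on the server side regardless of what the browser does with `Max-Age`.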
Email Integration
Gmail connects via the Google API with OAuth 2.0. Email data is accessed in real time and cached locally for performance. You can revoke access at any time through your Google account settings.
EU AI Act Compliance
Article 50 — Transparency Obligations
The EU AI Act requires that users interacting with conversational AI systems are informed they are communicating with an AI, not a human. This obligation takes effect on 2 August 2026. EpicMind already implements proactive AI disclosure across all conversational features, exceeding the minimum requirement.
Risk Classification
All EpicMind AI features are classified as Limited Risk or Minimal Risk under the EU AI Act. We do not perform recruitment screening, credit scoring, biometric identification, or any other high-risk AI activity.
MDIA — Malta's National Competent Authority
The Malta Digital Innovation Authority (MDIA) is Malta's designated national competent authority under the EU AI Act. As EpicMind matures, we intend to explore MDIA's regulatory sandbox programme and ITAS voluntary certification.
Governance Review
| Review Type | Frequency | Scope |
|---|---|---|
| Regulatory | Within 30 days of any EU AI Act or MDIA update | Compliance framework |
| Operational | Quarterly | AI feature performance & governance rules |
| Foundational | Annually | Full governance framework review |
| Incident-triggered | As needed | Any part relevant to the incident |
| Architecture | Within 7 days of data handling or AI changes | Data handling claims, governance pages |
Questions or Concerns?
If you have questions about our governance, want to report a concern, or need to exercise your data rights, please contact us via our contact form. For the ecosystem-wide governance framework, see the Epic Growth Governance page.