Trust & compliance

Thinkproject embeds AI capabilities into products and the platform to help teams find information faster, reduce repetitive work, prioritise what matters and support better decision-making across the built asset lifecycle.

For each AI capability we define what data is used and for what purpose. As a default position for our customers, the aim is that your project data is used to deliver the feature for your tenant, not to train models for other customers. Where any improvement or training use is offered, it will be clearly described and governed through contractual terms, under clear contractual governance and customer control.

AI features will respect the same permissions and governed access controls that apply across the Thinkproject pPlatform. If a user cannot access a document or dataset in the platform, the AI capability will not expose it in results.

We provide clear statements for each AI feature about where processing takes place and which sub processors are involved, including regional hosting commitments where offered. This is typically documented in the AI feature Trust Note and in the relevant contractual schedules.

Personal data may exist in file content and metadata depending on how a project or asset is managed. We support compliant data processing by applying access controls, security measures, and transparency on what each AI capability uses. The customer remains in control of what is stored in the platform and who can access it.

Thinkproject acts as a provider under the EU AI Act 2024 as has developed an AI system and functionality which is has put into service and offered for sale in the EU and other markets.

AI outputs are probabilistic and may be incomplete or wrong. We position AI based functionality in Thinkproject products as assistive and design features to support verification, for example by linking results back to source documents where possible, and by encouraging human review before decisions are made.

We test AI capabilities prior to release and monitor them after deployment. We also plan for regression testing and controlled change management when underlying models, providers and AI capabilities rapidly evolve, so performance remains reliable and changes are assessed before broad rollout.

AI features are covered by the same security management approach used across Thinkproject, including governance over suppliers and sub processors, access controls, and security monitoring. Thinkproject has an ISO/IEC 27001-certified ISMS, which provides a structured framework for information security management.

We can provide a packaged set of information to support due diligence, such as ISO 27001 certification information, an AI feature description, an AI data use statement and security and data protection summaries, with deeper materials available under NDA where appropriate.

Where improvement programmes are offered, we support clear choices. The contract should distinguish between using data to provide the feature to your organisation and using data to improve models beyond your tenant, with opt-in or opt-out mechanisms defined.

We align retention and deletion with contractual commitments and provide deletion upon termination in line with agreed terms, including defined windows for backups where applicable. For AI features, we aim to keep any derived artefacts and logs within defined retention policies that are documented for customers.

AI services are covered by our incident management process. Where an incident affects customer data or service availability, customers are notified in line with contractual and regulatory requirements and we provide appropriate remediation and reporting.

Effective AI depends on connected, governed and trustworthy data. In infrastructure environments information is often spread across systems, workflows and lifecycle stages. Thinkproject’s platform helps connect and structure that information so AI capabilities can provide more reliable, contextual, and actionable support.