Data Security and Privacy Lifecycle Management

CSA AI Controls Matrix v1.1 domain

Govern data collection, use, retention, disclosure, and deletion across the AI lifecycle.

What this domain means for procurement

AI data flows can span training, retrieval, inference, telemetry, review, and improvement. Procurement must establish purpose, boundaries, rights, location, and deletion at every stage.

How TrustAtlas dimensions support it

Data handling is the direct lifecycle measure; jurisdiction and regulatory compliance cover location and legal obligations; IP exposure covers ownership and reuse boundaries.

Data handlingJurisdictionRegulatory complianceIP exposure

This is an interpretive TrustAtlas cross-walk, not an official CSA mapping or evidence of AICM conformity.

Questions to ask vendors

Use these procurement prompts alongside the official CSA AICM v1.1 materials. They name the domain but do not invent or paraphrase control identifiers.

  1. Map prompts, outputs, files, embeddings, training data, and logs from collection through deletion, including subprocessors.
  2. Is customer content excluded from training and human review by default, and is that commitment contractual?
  3. Which residency, retention, deletion, and data-subject-rights controls can customers configure and verify?
  4. Who owns customer inputs, fine-tunes, embeddings, and outputs, and what licenses survive termination?
← Datacenter Security Governance, Risk and Compliance →

Related