Data Security and Privacy Lifecycle Management
CSA AI Controls Matrix v1.1 domain
Govern data collection, use, retention, disclosure, and deletion across the AI lifecycle.
What this domain means for procurement
AI data flows can span training, retrieval, inference, telemetry, review, and improvement. Procurement must establish purpose, boundaries, rights, location, and deletion at every stage.
How TrustAtlas dimensions support it
Data handling is the direct lifecycle measure; jurisdiction and regulatory compliance cover location and legal obligations; IP exposure covers ownership and reuse boundaries.
Data handlingJurisdictionRegulatory complianceIP exposure
This is an interpretive TrustAtlas cross-walk, not an official CSA mapping or evidence of AICM conformity.
Questions to ask vendors
Use these procurement prompts alongside the official CSA AICM v1.1 materials. They name the domain but do not invent or paraphrase control identifiers.
- Map prompts, outputs, files, embeddings, training data, and logs from collection through deletion, including subprocessors.
- Is customer content excluded from training and human review by default, and is that commitment contractual?
- Which residency, retention, deletion, and data-subject-rights controls can customers configure and verify?
- Who owns customer inputs, fine-tunes, embeddings, and outputs, and what licenses survive termination?
Related
- Back to all 18 CSA AICM v1.1 domains
- Official CSA AICM v1.1 artifact
- NIST AI RMF cross-walk
- TrustAtlas methodology — how the nine risk dimensions are scored