What CybSafe Signal is
CybSafe Signal is an AI assistant built into the CybSafe platform. It helps administrators of security awareness programmes by answering human-risk questions, summarising report data, improving nudge content, translating phishing simulation templates, and guiding administrators through the platform. CybSafe Signal is grounded in CybSafe's behavioural science research and the SebDB security behaviour database.
CybSafe Signal is available exclusively to platform administrators. End users, your wider workforce, do not have access to CybSafe Signal and never see CybSafe Signal directly. CybSafe Signal advises administrators; administrators decide what to do.
How CybSafe Signal works, at a glance

EU AI Act position
CybSafe Signal is a limited-risk AI system under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). The principal obligation that applies at this risk tier is Article 50 transparency, which CybSafe Signal meets.
Why CybSafe Signal is limited-risk
CybSafe Signal does not fall within any of the high-risk use cases defined in Annex III of the Act:
- CybSafe Signal is not used for biometric identification, emotion recognition, or biometric categorisation.
- CybSafe Signal is not a safety component of critical infrastructure.
- CybSafe Signal is not used to evaluate students or determine access to educational institutions.
- CybSafe Signal is not used to make decisions about hiring, promotion, termination, task allocation, or performance evaluation in employment contexts.
- CybSafe Signal is not used to determine eligibility for credit, insurance, public benefits, or other essential services.
- CybSafe Signal is not used by law enforcement, migration, or judicial authorities.
CybSafe Signal is an advisory assistant: it generates content for administrators to read and consider. It does not make automated decisions about individuals. CybSafe's contractual terms additionally prohibit the use of Signal outputs to make automated decisions affecting employment relationships.
CybSafe's role
CybSafe is the provider of the AI system CybSafe Signal under the Act. CybSafe is also a deployer of OpenAI's general-purpose foundation model, which powers Signal's reasoning.
Article 50 transparency
CybSafe Signal meets Article 50(1) transparency requirements:
- CybSafe Signal is identified as an AI assistant in the user interface.
- A persistent disclaimer is shown alongside the chat input: “AI can make mistakes. Please verify important information.”
- Administrators always know they are interacting with AI, never with a human agent.
CybSafe Signal does not generate audio or video content, and is not used to publish text on matters of public interest. Article 50(2) machine-readable marking and Article 50(4) deepfake/news-text labelling obligations do not apply to Signal's text outputs in the contexts in which Signal is used.
Prohibited practices
CybSafe Signal does not engage any practice prohibited under Article 5 of the Act. CybSafe formally commits in its AI Governance Statement to avoid social scoring, exploitation of vulnerabilities, manipulative techniques, and prohibited biometric uses.
Data, privacy, and processing
Where your data goes
When an administrator asks CybSafe Signal a question, the question is processed inside CybSafe's primary infrastructure, sent to OpenAI to generate a response, and the response is returned to the administrator. The diagram below shows the data flow.

What is sent to OpenAI
When CybSafe Signal calls OpenAI, the prompt sent contains: a system prompt that instructs the model how to respond, the recent conversation history (the administrator's questions and CybSafe Signal's previous responses in the same chat), relevant grounding documents retrieved from CybSafe's curated knowledge bases, and the administrator's current question. CybSafe does not deliberately include identifying tenant or user metadata in the prompt. Administrators should treat Signal as they would any third-party AI service when handling sensitive details: information typed into CybSafe Signal will be transmitted to OpenAI to generate a response. CybSafe has appropriate legal contractual mechanisms in place for the transfer of data to OpenAI LLC.
With regard to an organisation's reporting data, the data sent to OpenAI also includes aggregated analytics results retrieved from your tenant. This is how CybSafe Signal answers questions such as "how many users completed last month's phishing campaign?" or "what's our overall risk score trend?" This capability is available only when the administrator explicitly asks a question about reporting data; it does not run on every CybSafe Signal query.
Customer data is not used to train AI models
CybSafe does not use customer data to train or fine-tune any AI model, neither CybSafe's models nor the foundation model provider's. CybSafe Signal uses OpenAI's foundation model as-is, augmented by CybSafe's own curated knowledge bases.
Tenant isolation
CybSafe Signal conversations, messages, and queries are scoped to your tenant. A query made by an administrator at one customer organisation cannot retrieve, see, or be influenced by data from another customer organisation. Tenant isolation is enforced at the database, application, and API layers.
CybSafe Signal's grounding knowledge bases (SebDB, CybSafe behavioural research, help content, and similar curated material) contain only CybSafe-owned or public reference content. They do not contain customer prompts, conversations, or any customer data. There is no path for one customer's data to enter another customer's grounding context.
Sub-processors
OpenAI is the primary sub-processor that supports CybSafe Signal's generative AI capability. OpenAI is listed in the CybSafe sub-processor register, which is maintained as new features or providers are introduced. Customers are notified of material changes to the sub-processor list in line with the CybSafe Data Processing Addendum.
CybSafe's other AI-enabled features, including content localisation and AI-assisted phishing template generation, are addressed in the separate “AI Governance, Third-Party Bolt-Ons” statement. Each third party is bound by its own governance commitments.
Service quality monitoring
CybSafe monitors CybSafe Signal's performance and response quality using an observability platform. This supports continuous improvement of CybSafe Signal's accuracy and reliability. Customers can opt out of contributing data to service quality monitoring; contact your CybSafe representative for details on enabling this opt-out for your tenant.
Access controls and human oversight
Administrator-only access
CybSafe Signal is exclusively available to platform administrators who hold admin roles within CybSafe. CybSafe Signal does not interact with end users in your workforce. CybSafe Signal enforces administrator-level role visibility and respects the same access controls as the rest of the CybSafe platform.
Opt-in by design
CybSafe Signal is never enabled by default. Each customer must deliberately enable Signal for their tenant. Customers can disable CybSafe Signal at any time.
We don’t send your organisation’s reporting data to anyone by default. You may choose to opt into this feature in order to have CybSafe Signal provide further analysis or insight into your organisation’s data. Transfer of your organisation’s reporting data is a separate opt-in mechanism, which every customer must deliberately enable for CybSafe Signal. This can be disabled at any time.
Human in the loop
CybSafe Signal is advisory by design. It explains, suggests, and assists; it does not make changes to customer accounts. Administrators retain full decision authority over what to do with CybSafe Signal's suggestions.
Where CybSafe Signal generates content that an administrator may use elsewhere, for example a suggested nudge for an awareness campaign, the administrator must read, evaluate, and manually take action on the suggestion. CybSafe Signal can create draft/unassigned content, but the admin is always required to assign it to users. CybSafe Signal does not automatically publish, send, or deploy any content.
Scope and behavioural boundaries
CybSafe Signal is designed to operate within human risk management and the CybSafe platform. When an administrator asks a question that falls outside CybSafe Signal's scope, CybSafe Signal explains that it cannot help rather than attempting an answer. When CybSafe Signal cannot find relevant information to answer a question, it acknowledges this rather than fabricating a response.
Safeguards and quality controls
Grounding
CybSafe Signal answers human-risk questions by retrieving relevant content from CybSafe's curated knowledge bases (including SebDB and CybSafe's behavioural research corpus) and using that content as grounding context for its responses. This reduces the likelihood of fabricated answers and ensures CybSafe Signal draws from CybSafe's authoritative content rather than relying solely on the foundation model's general knowledge.
Hallucination mitigation
CybSafe Signal applies several techniques to reduce the risk of fabricated content: retrieval-augmented grounding from CybSafe's curated knowledge bases, post-generation checks for factual support, and prompt-level instructions discouraging fabrication. When CybSafe Signal cannot confidently answer, it acknowledges what it can and cannot do rather than guessing. As with any large language model system, hallucination cannot be eliminated entirely; the persistent disclaimer in the CybSafe Signal interface reminds administrators to verify important information.
Prompt injection and abuse
CybSafe Signal's system prompts instruct the model to treat user content, page metadata, and tool outputs as untrusted content and to ignore attempts to override its rules. CybSafe applies access controls (admin-only, feature-gated) to limit who can use Signal. Conversation history is bounded to prevent runaway prompt growth.
Feedback
Every CybSafe Signal response includes a thumbs-up and thumbs-down control. Administrator feedback is captured and used to improve response quality. CybSafe reviews feedback patterns as part of continuous improvement.
AI incident handling
CybSafe staff are required to report any suspected AI incident, including fabricated content acted on, prompt injection, data leak, bias, or material misbehaviour, under CybSafe's Acceptable Usage Policy. Incidents are triaged under CybSafe's Incident Response Policy with escalation to the Data Protection Officer and General Counsel as required. CybSafe will notify affected customers in line with contractual commitments in the Data Processing Addendum and the AI Service Specific Terms.
AI literacy and customer enablement
CybSafe takes appropriate measures to maintain AI literacy among staff who build, administer, sell, support, or advise on CybSafe Signal. These measures include onboarding training, annual refreshers, role-specific training for product, engineering, sales, and support teams, and an AI section in CybSafe's Acceptable Usage Policy.
Customers deploying CybSafe Signal in the EU are themselves deployers under the Act and so are subject to Article 4 AI literacy obligations. CybSafe supports customers by:
- Publishing this transparency document and the AI Governance Statement.
- Maintaining admin-facing help centre content explaining how to use Signal.
- Providing release communications when CybSafe Signal capabilities change materially.
- Responding to customer enablement and due diligence questions through the standard CybSafe customer success channels.
Governance framework
CybSafe Signal sits within CybSafe's AI Governance Statement, which is built on six pillars:
- Commitment to Responsible AI. Leadership commitment to responsible AI is set by the CybSafe Executive. Ethical principles of fairness, accountability, and transparency are embedded in Signal's design.
- AI Governance Framework. Roles, responsibilities, and decision rights are defined under CybSafe's Acceptable Usage Policy, with the General Counsel as governance lead. Risk assessment classifies Signal as limited risk.
- AI Lifecycle Management. CybSafe Signal follows a defined lifecycle from requirements definition through design, testing, opt-in deployment, and continuous monitoring.
- Human-Centric AI. CybSafe Signal is admin-only and advisory. Administrators retain full decision authority. The interface is designed for clarity, accessibility, and in-product transparency.
- Transparency and Accountability. CybSafe Signal is clearly identified as an AI assistant. Responsibility for AI decisions sits with the administrator; responsibility for Signal's performance sits with CybSafe.
- Continuous Improvement. This document and the AI Governance Statement are reviewed at least annually and on material change. Learnings from in-product feedback, incident reviews, and provider updates are fed back into Signal's roadmap.
Contractual position
CybSafe's contractual commitments on AI are published in the CybSafe AI Service Specific Terms, which sit alongside the master subscription agreement and the Data Processing Addendum. These terms govern customer inputs and outputs, intellectual property, sub-processor use, acceptable use, and termination rights in respect of AI features.
The CybSafe AI Service Specific Terms include a commitment that customers will not use CybSafe Signal outputs to make automated decisions affecting employment relationships, performance evaluation, or access to essential services. This contractual scope helps ensure CybSafe Signal is used in line with its limited-risk classification under the EU AI Act.





