Table of contents
Table of contents
SUPPLIER AI POLICY
This Supplier AI Policy (“AI Policy”) applies to Miro suppliers and vendors (“Provider”) who provide services, products, or any combination thereof (“Services”) to Miro, including its affiliates and subsidiaries, which incorporate an AI System, as defined herein. This AI Policy is issued under, and forms part of, the agreement, addendum, or amendment which references this AI Policy (“Agreement”). The Provider and Miro agree to be legally bound by the terms of this AI Policy, and Miro will consider material violations to be a material breach of the Agreement.
Notwithstanding any terms to the contrary, if there are any inconsistencies or conflicts between the terms of this AI Policy, the Agreement, or any other agreement or terms governing the Services, the terms of this AI Policy shall supersede and control.
1. Definitions.
a. “AI System” means the machine-based system provided by Provider to Miro as part of Provider’s Services that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input received, how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.
b. “Data Sets” means all data sets used in the development of the AI System.
c. “Intended Purpose” means the use for which an AI System is intended by Miro, including the specific context and conditions of use, as specified in the Agreement, the information supplied by the Provider, including through instructions for use, promotional or sales materials and statements, as well as in the technical documentation.
d. “Miro Data Sets” means the Data Sets (or parts thereof) (i) provided by Miro to the Provider under the Agreement or (ii) to be created or collected as part of the Services performed under the Agreement, including any modified or extended versions of the Data Sets referred to in this AI Policy (for example due to annotation, labelling, cleaning, enrichment or aggregation).
e. “Reasonably Foreseeable Misuse” means the use of the AI System in a way that is not in accordance with its Intended Purpose, but which may result from reasonably foreseeable human behavior or interaction with other systems, including other AI systems.
f. “Substantial Modification” means a change to the AI System which is not foreseen or planned by the Provider and as a result of which the compliance of the AI System with the requirements set out in this AI Policy is affected or results in a modification to the Intended Purpose for which the AI system has been assessed.
2. AI System Risk Management.
a. The Provider shall implement, document and maintain a risk management system in relation to the AI System appropriate to its risk, which shall at least comprise:
i. identification, estimation and evaluation of the known and reasonably foreseeable risks that the AI System can pose to health, safety or fundamental rights when the AI System is used in accordance with the Intended Purpose;
ii. the estimation and evaluation of the risks that may emerge when the AI System is used in accordance with the Intended Purpose, and under conditions of Reasonably Foreseeable Misuse;
iii. evaluation of other possibly arising risks, based on the analysis of data gathered from post-market monitoring or feedback;
iv. adoption of appropriate and targeted risk management measures designed to address the risks identified.
b. Residual risks associated with the risk management measures shall be acceptable to Miro, provided that the AI System is used in accordance with the Intended Purpose or under conditions of Reasonably Foreseeable Misuse.
c. In identifying the most appropriate risk management measures, the Provider ensures:
i. elimination or reduction of risks identified and evaluated as far as technically feasible through adequate design and development of the AI System;
ii. where appropriate, implementation of adequate mitigation and control measures addressing risks that cannot be eliminated;
iii. provision of adequate information to Miro and if applicable, training to deployers.
d. The Provider ensures that, prior to providing Miro access, the AI System is tested with regard to the effectiveness of the risk management measures in light of the Intended Purpose and Reasonably Foreseeable Misuse. Testing shall be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the Intended Purpose of the AI System.
e. All risks identified, risk management measures taken and tests performed in the context of compliance with this section must be documented by the Provider. The Provider will make this documentation available to Miro upon request, as necessary to fulfill its legal obligations and to perform proper due diligence on the AI System. This documentation can be part of the relevant technical documentation and/or instructions for use, which shall include concise, complete, correct and clear information that is relevant, accessible and comprehensible to Miro.
f. The Provider shall:
i. regularly review and update the risk management process to ensure its continuing effectiveness;
ii. keep the documentation up to date; and
iii. make every new version of the documentation available to Miro upon request.
3. Data Governance.
a. The Supplier ensures that the Data Sets used in the development of the AI System, including training, validation and testing, are subject to data governance and management practices appropriate for the Intended Purpose. Those practices concern:
i. the relevant design choices;
ii. data collection processes and the origin of data, and in the case of personal data, the original purpose of the data collection;
iii. relevant data preparation for processing operations, such as annotation, labelling, cleaning, updating, enrichment and aggregation;
iv. the formulation of assumptions, with respect to the information that the data are supposed to measure and represent;
v. an assessment of the availability, quantity and suitability of the data sets that are needed;
vi. examination in view of possible biases that are likely to affect the health and safety of persons, have a negative impact on fundamental rights or lead to discrimination prohibited under applicable law, especially where AI System outputs influence inputs for future operations;
vii. appropriate measures to detect, prevent and mitigate possible biases identified.
b. The Provider ensures that the Data Sets used in the development of the AI System are relevant, sufficiently representative and, to the extent possible, free of errors and complete in view of the Intended Purpose. The Provider ensures that Data Sets have the appropriate statistical properties, including, where applicable, as regards the persons or groups of persons in relation to whom the AI System is intended to be used.
c. The Provider ensures that the Data Sets used in the development of the AI System considered, to the extent required by the Intended Purpose or Reasonably Foreseeable Misuse, the characteristics or elements that are particular to the specific geographical, contextual, behavioural or functional setting within which the AI System is intended to be used.
4. Record-keeping.
a. The Provider ensures that the AI System technically allows for the automatic recording of events ('logs') over the lifetime of the AI System.
b. The logging capabilities shall ensure a level of traceability of the AI System that is appropriate to the Intended Purpose of the system and Reasonably Foreseeable Misuse. In particular, they shall enable the recording of events relevant for the identification of situations that may:
i. result in the AI System presenting a risk to the health or safety or to the protection of fundamental rights of persons; or
ii. lead to a Substantial Modification.
c. The Provider will allow Miro to access the logs automatically generated by the AI System on a real time basis, to the extent part of Provider’s Service delivery.
5. AI System Transparency.
The Provider ensures that the AI System is designed and developed in such a way that its operation is sufficiently transparent to enable Miro to interpret the system’s output and use it appropriately, as required under applicable law.
6. Human Oversight.
a. The Supplier ensures that the AI System is designed and developed in such a way, including with appropriate human-machine interface tools, that it can be effectively overseen by natural persons during its use.
b. Human oversight shall aim to prevent or minimise the risks to health, safety or fundamental rights that may emerge when an AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse, where such risks persist.
c. The Provider ensures, commensurate with the risks, level of autonomy and context of use of the AI system, that appropriate measures are embedded in the AI System that enable natural persons, to whom human oversight is assigned, as appropriate:
i. to properly understand the relevant capacities and limitations of the AI System and to be able to duly monitor its operation, including in view of detecting and addressing anomalies, dysfunctions and unexpected performance;
ii. to remain aware of the possible tendency of automatically relying or over-relying on the output produced by the AI System ('automation bias'), in particular, if the AI System is used to provide information or recommendations for decisions to be taken by natural persons;
iii. to correctly interpret the AI System's output, taking into account, for example, in particular the characteristics of the system and the interpretation tools and methods available;
iv. to decide, in any particular situation, not to use the AI System or otherwise disregard, override or reverse the output of the AI System;
v. to intervene in the operation of the AI System or interrupt the system through a ‘stop’ button or a similar procedure that allows the system to come to a halt in a safe state.
7. Accuracy, Robustness and Cybersecurity.
The Supplier ensures that the AI System is designed and developed in such a way that it achieves an appropriate level of accuracy, robustness, safety and cybersecurity, and performs consistently in those respects, as required by applicable law.
8. Rights to Use the Data Sets.
a. All rights, including any intellectual property right, relating to Miro Data Sets will accrue to Miro or a third party designated as such by Miro. The Provider is not entitled to use Miro Data Sets for any purpose other than the performance of the Agreement, except as otherwise agreed between the parties in writing.
b. On first request of Miro, the Provider must destroy Miro Data Sets, unless prohibited by applicable law. The Provider will provide feasible evidence of the destruction of Miro Data Sets upon request.
c. All rights, including any intellectual property right, relating to Provider Data Sets and third-party Data Sets will accrue to the Provider or a third party. The Provider grants Miro a non-exclusive right to use Provider Data Sets and Third-Party Data Sets that is sufficient for the performance of the Agreement or necessary for the further development of the AI System, including any new versions thereof, by Miro or a third party.
d. The Provider shall indemnify Miro from all claims brought by third parties, including supervisors, arising out of any infringement of intellectual property rights, data protection rights or equivalent rights resulting from the use of the AI System, the Provider Data Sets and/or third party Data Sets by Miro.
e. Miro shall indemnify the Provider from all claims brought by third parties, including supervisors, arising out of any infringement of their intellectual property rights, privacy rights or equivalent rights resulting from the use of the Miro Data Sets.
9. Audit.
a. Upon reasonable request, not more than once per calendar year or in relation to any Substantial Modification, the Provider must make available to Miro, or an independent third party auditor engaged by Miro, all information necessary to demonstrate compliance with this AI Policy.
b. The Provider will cooperate in an audit or inspection to be carried out by or on behalf of Miro to assess whether the Provider complies with its obligations laid down in this AI Policy. Such cooperation will include providing all information required by Miro, providing relevant insight into the risk management system implemented.
c. If Miro establishes that the Provider does not comply with the obligations under this AI Policy, the Supplier will remedy the defects identified within the reasonable period. If the Provider fails to remedy the defects identified within a reasonable period of time, the Provider will be in default by operation of law.