Co-Accounting Artificial Intelligence (AI) Usage Policy

1. Introduction and Purpose

This policy outlines the guidelines and procedures for the acceptable and secure use of Artificial Intelligence (AI) tools and services by team members of Co-Accounting. The purpose is to enable the responsible use of AI to enhance productivity and innovation while safeguarding company data, client information, intellectual property, and personal data.

2. Scope

This policy applies to all team members, contractors, and third parties who use AI tools in connection with their work for Co-Accounting, whether on company-owned or personal devices, and on or off company premises.

3. Approved AI Services

As Co-Accounting subscribes to Google Workspace, Gemini is an approved AI tool. Its use is governed by Google's Workspace terms of service, which provide enterprise-grade security and data privacy. Data inputted into Gemini within our Google Workspace environment is not used to train public models.

The Directors of Co-Accounting in collaboration with IT Support will maintain and communicate a list of other specifically approved AI tools (if any). Currently, in addition to Gemini, the approved list is:

  • Xero

  • Dext

  • FathomHQ

Any AI tool not on the approved list must go through the approval process in Section 5 before being used for company work.

4. Prohibited AI Services

  • The use of free, publicly available AI tools and services that have not been explicitly approved by Co-Accounting is strictly prohibited for any work-related tasks. This is due to the high risk of company data being used for model training, a lack of data security guarantees, and potential breaches of confidentiality.

  • Any AI tool not on the approved list is considered prohibited unless it has been approved through the process outlined in Section 5.

  • Personal accounts for AI tools (including free tiers of otherwise approved tools) must not be used for company work, as these typically do not offer the same data protection guarantees as enterprise accounts.

5. Requesting Approval for New AI Tools

Team members who wish to use an AI tool not currently on the approved list must submit a request to The Directors of Co-Accounting in collaboration with IT Support. The request should include:

  • Name of the AI tool and its provider.

  • Intended business use case.

  • Details on the tool's data privacy and security policies (link to terms of service).

  • Whether the tool will process client data, personal data, or other sensitive information.

  • Any associated costs.

The Directors of Co-Accounting in collaboration with IT Support will review the request based on security, data privacy, business need, and cost-effectiveness. A decision will be communicated to the team member within a reasonable timeframe.

6. Client Data and Third-Party Obligations

Many client contracts, supplier agreements, and Non-Disclosure Agreements (NDAs) were signed before AI tools were in common use and may not explicitly address them. Team members must not assume that permission to handle client data extends to processing that data through AI tools.

Team members may use approved AI tools when working with client or third-party data, unless the relevant client contract, NDA, or data processing agreement specifically prohibits the use of AI or restricts where data may be processed. If a team member is unsure whether a contract permits AI use, they must check with The Directors of Co-Accounting in collaboration with IT Support before proceeding.

7. Data Handling and Confidentiality

  • Team members must never input confidential company data, client data, personally identifiable information (PII), or any other sensitive information into unapproved AI tools.

  • While Gemini within Google Workspace is approved, team members should still exercise discretion and adhere to all existing data protection and confidentiality policies when using it. Avoid inputting highly sensitive information if an alternative, more secure method exists for the task.

  • Always critically review and verify any information or content generated by AI tools before relying on it for decision-making or distributing it externally. AI-generated content can sometimes be inaccurate, biased, or incomplete.

8. Personal Data and UK GDPR

Processing personal data through an AI tool is a processing activity under UK GDPR and requires a lawful basis. Personal data includes any information relating to an identified or identifiable individual — including names, email addresses, phone numbers, photographs, CVs, customer records, and staff records.

Team members may process personal data through approved AI tools where there is a clear business need and a lawful basis exists. Team members must not input personal data into unapproved AI tools under any circumstances. If a team member is unsure whether a use of personal data is lawful, they must check with The Directors of Co-Accounting in collaboration with IT Support before proceeding.

9. Environmental Impact

AI usage has a number of significant environmental impacts. Usage of AI is left to users' discretion, but all users must remain mindful of environmental impact. As a general rule, users should not use AI unless three criteria are fulfilled:

  • There is a clear reason for its use

  • The output will actually be used

  • The benefit is proportionate to the AI usage

10. Disclosure and Transparency

AI is increasingly used to assist with client-facing work, including proposals, reports, code, designs, and marketing content. This section sets out the company's position on when and how AI use should be disclosed.

Team members are not required to proactively disclose the use of AI tools in client-facing work, but must answer honestly and accurately if a client asks. Team members must always ensure they have reviewed and take responsibility for any AI-assisted output.

11. Output Ownership and Intellectual Property

AI-generated content has an uncertain copyright status in the UK. This section sets out the company's position on ownership of AI-assisted work and the use of third-party content with AI tools.

  • Any AI-assisted work product created by a team member in the course of their work for Co-Accounting belongs to the company in the same way as any other work product.

  • Team members must not input third-party copyrighted material (including client materials, licensed content, books, articles, source code, or images) into AI tools unless the company has the rights to do so.

  • Team members must not pass off AI-generated content as their own original work in contexts where originality is required (for example, certifications, training, or qualifications).

12. Accountability for AI Output

Team members are personally responsible for any output they produce using AI tools. The use of an AI tool does not transfer responsibility for the accuracy, appropriateness, or consequences of the output away from the team member.

  • "The AI got it wrong" is not an acceptable justification for errors in client-facing work, internal decisions, or any other output produced by a team member.

  • Team members must review and verify all AI-generated content before relying on it, sharing it, or acting on it.

  • Where AI is used to inform a decision, the team member making the decision remains accountable for that decision.

13. Incident Reporting

AI-related incidents include (but are not limited to): accidental disclosure of confidential or personal data to an unapproved AI tool; receiving AI output that appears to contain another organisation's confidential information; suspected misuse of AI tools by a team member; or any AI output that has caused or risks causing harm to the company, a client, or an individual.

  • Team members must report any AI-related incident to The Directors of Co-Accounting in collaboration with IT Support as soon as they become aware of it.

  • Prompt reporting allows the company to assess the impact, notify affected parties if necessary, and meet any regulatory obligations (including UK GDPR breach notification, which has a 72-hour deadline for qualifying personal data breaches).

  • The company operates a no-blame approach to honest reporting of accidental incidents. Team members who report an incident promptly and in good faith will not be subject to disciplinary action solely for the incident itself.

  • Deliberate misuse, repeated negligence, or failure to report an incident promptly may result in disciplinary action under Section 16.

14. Security, Compliance, and Monitoring

  • Team members are responsible for adhering to this policy and all other company security and data protection policies when using AI.

  • Co-Accounting may implement technical measures to monitor and/or block access to unapproved AI services on company networks and devices. Any such monitoring will be conducted in accordance with the company's privacy notice and applicable employment law, and team members will be informed of the nature of any monitoring in place.

  • Where AI tools are integrated with company systems (for example, via Single Sign-On), access will be reviewed periodically and revoked promptly when a team member leaves the company or changes role.

15. Training and Awareness

Co-Accounting will provide training and resources to educate team members on the responsible and secure use of AI tools and the risks associated with unapproved services. Team members are expected to complete any required training within a reasonable timeframe of being asked to do so.

16. Policy Violations

Failure to comply with this AI Usage Policy may result in disciplinary action, up to and including termination of employment or contract, in accordance with Co-Accounting's disciplinary procedures. Serious breaches (such as deliberate disclosure of client data, deliberate misuse of AI to harm the company or a client, or repeated failure to follow this policy after warning) may be treated as gross misconduct.

17. Policy Review

This policy will be reviewed and updated periodically by The Directors of Co-Accounting in collaboration with IT Support to reflect changes in technology, risks, regulation, and business needs. The current version and date of this policy are shown in the acknowledgement section below.

18. Version

Policy version: 1.0   Effective date: 30th June 2026