Artificial Intelligence Usage Policy

How NovaLexi applies AI across the intellectual property lifecycle — what it does, what data it uses, where that data lives, the human oversight that governs it, and the rights you keep over it.

Version 1.2 Effective 3 July 2026 Data residency Kingdom of Saudi Arabia Aligned with PDPL · NCA ECC-2:2024 · SDAIA AI Ethics
01

Purpose & scope

NovaLexi is an AI-native platform for managing intellectual property and innovation. This policy explains, in plain terms, how we use artificial intelligence in our products and services, and the safeguards that surround that use.

It applies to all AI-assisted features of the NovaLexi platform and to the websites and services operated by NovaLexi — NovaLexi Company, a one-person limited liability company registered in the Kingdom of Saudi Arabia (CR No. 7053584103, Riyadh) ("NovaLexi", "we", "us"). It is written for our customers and their authorised users, for the data subjects whose information may be processed, and for regulators, partners, and the public who want to understand how we govern AI.

This policy sits alongside, and should be read with, our Privacy Policy and our Terms & Conditions. For platform customers, your written agreement with NovaLexi (including any data-processing terms agreed with your organisation) applies to platform use; where that agreement addresses a topic covered here in more specific terms, that agreement governs for that customer.

02

Definitions

  • AI system — software that uses machine-learning models to generate text, score or rank content, detect similarity, summarise, classify, or take assisted actions on a user's behalf.
  • Foundation model — a large general-purpose model that NovaLexi calls through a hosted, in-Kingdom service to power generative and reasoning features.
  • Customer data — the content a customer and its users put into NovaLexi: IP portfolios, research notebooks, documents, workflows, and related records, including any personal data they contain.
  • Personal data — any information relating to an identified or identifiable natural person, as defined under the Saudi Personal Data Protection Law (PDPL) and, where applicable, the EU/UK General Data Protection Regulation (GDPR).
  • Sub-processor — a third party we engage to process data on our behalf, such as our cloud and AI infrastructure provider.
  • Human-in-the-loop — a design in which an AI output is reviewed, approved, or overridden by a person before it has any consequential effect.
03

Our responsible-AI principles

Our use of AI is designed to align with the AI Ethics Principles of the Saudi Data and Artificial Intelligence Authority (SDAIA) and SDAIA’s Generative AI Guidelines, and reflects the expectations of the Saudi Personal Data Protection Law (PDPL) and the National Cybersecurity Authority’s Essential Cybersecurity Controls (ECC-2:2024). Where we serve customers or process personal data in scope of the GDPR or the EU Artificial Intelligence Act, we apply the specific transparency and oversight practices described in this policy.

01
Fairness

We test models across Arabic and English and across regions to reduce unjustified bias in ranking, classification, and detection.

02
Privacy & security

AI runs on data minimisation, tenant isolation, encryption, and access control by design.

03
Humanity

AI assists professionals; it does not replace the human judgement that IP and legal decisions require.

04
Reliability & safety

Generative features are grounded in retrieved sources and constrained by approval gates and safety filters.

05
Transparency & explainability

AI involvement is disclosed, and outputs cite the sources they rely on wherever feasible.

06
Accountability

Every AI-assisted action is logged and attributable to the model and the person who approved it.

07
Social & environmental benefit

We size AI workloads for the task and prefer efficient models over capacity for its own sake.

04

Where we use AI in the platform

AI is used to assist specific, defined workflows. In each case the system surfaces a signal, applies the customer's configuration, drafts or scores an artifact, and presents it for human review.

05

Human oversight & decision-making

NovaLexi does not make autonomous decisions that produce legal or similarly significant effects without human involvement. AI features are assistive by design.

  • Approval gates. Any AI action that creates, changes, or deletes a record, sends a communication, or triggers a workflow is presented as a proposed draft and requires explicit human approval before it takes effect.
  • Permission-bound. The assistant and agents can only call functions the signed-in user is already authorised to perform; AI does not expand a user's permissions.
  • Override. Users can edit, reject, or ignore any AI output. The final professional judgement always rests with the user.
  • Configurable. AI features can be enabled or disabled per tenant, and individual users can opt in or out where the feature allows it.
06

Data used by AI

AI features process the data needed to perform the requested task and no more. The categories are:

  • Customer content you and your users provide — IP records, documents, notebook entries, and the prompts you submit.
  • Reference corpora — publicly available patent and IP data we ingest to support search and comparison.
  • Operational metadata — logs of AI inferences kept for security, traceability, and audit.
Data residency Customer data and the AI processing that acts on it are hosted within the Kingdom of Saudi Arabia (Google Cloud, Dammam region, accessed through CNTXT). Data residency is configurable to meet a customer's regulatory posture, and tenant data is logically isolated from every other tenant.

Data is encrypted in transit (TLS 1.3) and at rest (AES-256), with access controlled by role-based permissions, multi-factor authentication, and audit logging. Confidential content is redacted from assistant conversation memory where applicable, and we apply purpose limitation and field-level classification to personal data.

07

Training & model improvement

We do not train foundation models on your data. Customer content is not used to train the third-party foundation models that power our generative features, and is not shared with the model provider for that purpose.

Any future use of customer-derived data to improve NovaLexi's own models will be opt-in only, governed by a separate consent and, where relevant, conducted using aggregated or synthetic data. We will not change this position for an existing customer without notice and a clear choice.

08

Model providers & sub-processors

Our generative and reasoning features are currently powered by Google's Vertex AI, called through a hosted, in-Kingdom service. We use this provider where its capability is the best tool for the workflow, under contractual terms that prohibit the use of our data to train the provider's models.

Over time we may introduce NovaLexi's own domain-specialised models for selected IP workflows, hosted under the same residency and governance posture described in this policy. A current list of sub-processors is available on request, and material changes are communicated to platform customers in line with their agreements with us.

09

Accuracy, limitations & no professional advice

AI outputs can be incomplete, out of date, or wrong. Similarity scores, prior-art rankings, novelty indicators, and infringement flags are decision-support signals, not determinations.

Not legal or professional advice Nothing the platform generates constitutes legal, patent, trademark, financial, or other professional advice. AI-assisted drafts and assessments must be reviewed and validated by a qualified person before they are relied upon, filed, or acted on.

To reduce error, generative answers are grounded in retrieved sources and cite those sources where feasible, and our pipelines include checks intended to limit unsupported ("hallucinated") output. These reduce risk; they do not remove the need for human verification.

10

Transparency & explainability

  • AI-assisted features are clearly indicated in the interface, so you know when you are interacting with an AI system.
  • Generative outputs cite the sources they draw on so a reviewer can trace a claim to its origin.
  • We maintain explainability documentation describing how each AI feature works, and we log AI inferences to support traceability and audit.
  • On a substantiated request, and subject to confidentiality and security limits, we can explain the role AI played in producing a specific output.
11

Fairness & bias

Our customers and their data span Arabic and English and multiple jurisdictions. Generic models can underperform on Arabic IP material and regional context. We test AI features for fairness across language and region, monitor for skew in ranking and classification, and treat Arabic-language coverage as a first-class requirement rather than an afterthought. Where we identify material bias that affects outcomes, we remediate it and record the change.

12

Security of AI processing

  • Isolation & encryption. Tenant data is segregated; data is encrypted in transit and at rest, with keys managed in a hardware-backed key service.
  • Access control. Role-based access, least privilege, and multi-factor authentication govern who and what can reach AI features and the data behind them.
  • Abuse resistance. AI surfaces include prompt-injection defences, output filtering, and refusal patterns for risky actions.
  • Auditability. AI-assisted actions are recorded in an audit log attributing each action to the model and the approving user, retained to support investigation and compliance.
  • Incident response. AI-specific incidents are handled under our incident response procedure, with notification consistent with PDPL and, where applicable, GDPR timelines.
13

Your rights & choices

Where NovaLexi processes personal data, data subjects have the rights granted under the PDPL — including the rights to be informed, to access personal data, to obtain a copy of it, to request correction, completion, or updating, to request destruction, and to withdraw consent — and, where the GDPR applies, its additional rights including restriction of and objection to processing and data portability.

  • AI opt-out. Customers can disable AI features at the tenant level, and users can opt out of optional AI assistance where a feature permits it.
  • Requests about automated processing. You may ask about the logic involved in an AI-assisted output and request human review of any decision you believe was made without adequate human involvement.
  • Exercising rights. For data held on behalf of a customer, requests are routed through that customer (the data controller). For data NovaLexi controls directly, contact us using the details below; we verify identity before fulfilling a request and respond within the periods required by law.
14

Acceptable use of AI features

When using NovaLexi's AI features, you agree not to:

  • Input data you are not authorised to process, or that you are contractually or legally barred from disclosing.
  • Use outputs as a substitute for qualified legal or professional advice, or present them as such to others.
  • Attempt to extract, reverse-engineer, or circumvent the models or safety controls, or to access another tenant's data.
  • Use the platform to generate unlawful, infringing, deceptive, or harmful content, or to make consequential decisions about a person solely on an unreviewed AI output.

We may suspend AI features where use breaches this policy, our Terms & Conditions, or applicable law.

15

Regulatory alignment

NovaLexi's AI governance is built to align with:

  • Saudi PDPL and its implementing regulations, including data subject rights, purpose limitation, and breach notification.
  • SDAIA AI Ethics Principles and SDAIA Generative AI Guidelines, mapped to the responsible-AI principles in section 3.
  • NCA Essential Cybersecurity Controls (ECC-2:2024) for the protection of the systems and data behind our AI features.
  • GDPR and the EU Artificial Intelligence Act, where we process data or serve users within their scope: we disclose clearly when you are interacting with an AI system, we apply the human-oversight and logging practices described in this policy, and we do not offer AI systems in categories the EU AI Act treats as prohibited or high-risk.

We pursue independent assessment and certification of our information security and AI governance on a defined roadmap, and we describe our current status honestly rather than claiming controls we have not yet implemented. Where a customer requires evidence, we share our current control mapping and assessment status under NDA.

16

Changes to this policy

As our AI capabilities, providers, and the regulatory landscape evolve, we will update this policy. The effective date and version at the top reflect the current edition. For material changes that affect how we use AI on customer data, we provide advance notice through the platform or to the customer's administrator. Continued use of AI features after an update constitutes acceptance of the revised policy, subject to any rights to object set out above.

This policy is published in Arabic and English. In case of any conflict or discrepancy between the two versions, the Arabic version prevails.

17

Contact & governance

Questions about this policy, requests relating to AI-assisted processing, or requests to exercise data rights can be sent to our governance team. For platform customers, the data controller is your organisation; NovaLexi acts as processor and will support your administrator in handling any request.

Privacy, security & AI governance: info@novalexi.com

NovaLexi Company — CR No. 7053584103 — 6809 Safwan Ibn Saleem Street, Al Arid District, Riyadh 13342 (Additional No. 3456), Kingdom of Saudi Arabia