Purpose & scope
NovaLexi is an AI-native platform for managing intellectual property and innovation. This policy explains, in plain terms, how we use artificial intelligence in our products and services, and the safeguards that surround that use.
It applies to all AI-assisted features of the NovaLexi platform and to the websites and services operated by NovaLexi — NovaLexi Company, a one-person limited liability company registered in the Kingdom of Saudi Arabia (CR No. 7053584103, Riyadh) ("NovaLexi", "we", "us"). It is written for our customers and their authorised users, for the data subjects whose information may be processed, and for regulators, partners, and the public who want to understand how we govern AI.
This policy sits alongside, and should be read with, our Privacy Policy and our Terms & Conditions. For platform customers, your written agreement with NovaLexi (including any data-processing terms agreed with your organisation) applies to platform use; where that agreement addresses a topic covered here in more specific terms, that agreement governs for that customer.
Definitions
- AI system — software that uses machine-learning models to generate text, score or rank content, detect similarity, summarise, classify, or take assisted actions on a user's behalf.
- Foundation model — a large general-purpose model that NovaLexi calls through a hosted, in-Kingdom service to power generative and reasoning features.
- Customer data — the content a customer and its users put into NovaLexi: IP portfolios, research notebooks, documents, workflows, and related records, including any personal data they contain.
- Personal data — any information relating to an identified or identifiable natural person, as defined under the Saudi Personal Data Protection Law (PDPL) and, where applicable, the EU/UK General Data Protection Regulation (GDPR).
- Sub-processor — a third party we engage to process data on our behalf, such as our cloud and AI infrastructure provider.
- Human-in-the-loop — a design in which an AI output is reviewed, approved, or overridden by a person before it has any consequential effect.
Our responsible-AI principles
Our use of AI is designed to align with the AI Ethics Principles of the Saudi Data and Artificial Intelligence Authority (SDAIA) and SDAIA’s Generative AI Guidelines, and reflects the expectations of the Saudi Personal Data Protection Law (PDPL) and the National Cybersecurity Authority’s Essential Cybersecurity Controls (ECC-2:2024). Where we serve customers or process personal data in scope of the GDPR or the EU Artificial Intelligence Act, we apply the specific transparency and oversight practices described in this policy.
We test models across Arabic and English and across regions to reduce unjustified bias in ranking, classification, and detection.
AI runs on data minimisation, tenant isolation, encryption, and access control by design.
AI assists professionals; it does not replace the human judgement that IP and legal decisions require.
Generative features are grounded in retrieved sources and constrained by approval gates and safety filters.
AI involvement is disclosed, and outputs cite the sources they rely on wherever feasible.
Every AI-assisted action is logged and attributable to the model and the person who approved it.
We size AI workloads for the task and prefer efficient models over capacity for its own sake.
Where we use AI in the platform
AI is used to assist specific, defined workflows. In each case the system surfaces a signal, applies the customer's configuration, drafts or scores an artifact, and presents it for human review.
Human oversight & decision-making
NovaLexi does not make autonomous decisions that produce legal or similarly significant effects without human involvement. AI features are assistive by design.
- Approval gates. Any AI action that creates, changes, or deletes a record, sends a communication, or triggers a workflow is presented as a proposed draft and requires explicit human approval before it takes effect.
- Permission-bound. The assistant and agents can only call functions the signed-in user is already authorised to perform; AI does not expand a user's permissions.
- Override. Users can edit, reject, or ignore any AI output. The final professional judgement always rests with the user.
- Configurable. AI features can be enabled or disabled per tenant, and individual users can opt in or out where the feature allows it.
Data used by AI
AI features process the data needed to perform the requested task and no more. The categories are:
- Customer content you and your users provide — IP records, documents, notebook entries, and the prompts you submit.
- Reference corpora — publicly available patent and IP data we ingest to support search and comparison.
- Operational metadata — logs of AI inferences kept for security, traceability, and audit.
Data is encrypted in transit (TLS 1.3) and at rest (AES-256), with access controlled by role-based permissions, multi-factor authentication, and audit logging. Confidential content is redacted from assistant conversation memory where applicable, and we apply purpose limitation and field-level classification to personal data.
Training & model improvement
Any future use of customer-derived data to improve NovaLexi's own models will be opt-in only, governed by a separate consent and, where relevant, conducted using aggregated or synthetic data. We will not change this position for an existing customer without notice and a clear choice.
Model providers & sub-processors
Our generative and reasoning features are currently powered by Google's Vertex AI, called through a hosted, in-Kingdom service. We use this provider where its capability is the best tool for the workflow, under contractual terms that prohibit the use of our data to train the provider's models.
Over time we may introduce NovaLexi's own domain-specialised models for selected IP workflows, hosted under the same residency and governance posture described in this policy. A current list of sub-processors is available on request, and material changes are communicated to platform customers in line with their agreements with us.
Accuracy, limitations & no professional advice
AI outputs can be incomplete, out of date, or wrong. Similarity scores, prior-art rankings, novelty indicators, and infringement flags are decision-support signals, not determinations.
To reduce error, generative answers are grounded in retrieved sources and cite those sources where feasible, and our pipelines include checks intended to limit unsupported ("hallucinated") output. These reduce risk; they do not remove the need for human verification.
Transparency & explainability
- AI-assisted features are clearly indicated in the interface, so you know when you are interacting with an AI system.
- Generative outputs cite the sources they draw on so a reviewer can trace a claim to its origin.
- We maintain explainability documentation describing how each AI feature works, and we log AI inferences to support traceability and audit.
- On a substantiated request, and subject to confidentiality and security limits, we can explain the role AI played in producing a specific output.
Fairness & bias
Our customers and their data span Arabic and English and multiple jurisdictions. Generic models can underperform on Arabic IP material and regional context. We test AI features for fairness across language and region, monitor for skew in ranking and classification, and treat Arabic-language coverage as a first-class requirement rather than an afterthought. Where we identify material bias that affects outcomes, we remediate it and record the change.
Security of AI processing
- Isolation & encryption. Tenant data is segregated; data is encrypted in transit and at rest, with keys managed in a hardware-backed key service.
- Access control. Role-based access, least privilege, and multi-factor authentication govern who and what can reach AI features and the data behind them.
- Abuse resistance. AI surfaces include prompt-injection defences, output filtering, and refusal patterns for risky actions.
- Auditability. AI-assisted actions are recorded in an audit log attributing each action to the model and the approving user, retained to support investigation and compliance.
- Incident response. AI-specific incidents are handled under our incident response procedure, with notification consistent with PDPL and, where applicable, GDPR timelines.
Your rights & choices
Where NovaLexi processes personal data, data subjects have the rights granted under the PDPL — including the rights to be informed, to access personal data, to obtain a copy of it, to request correction, completion, or updating, to request destruction, and to withdraw consent — and, where the GDPR applies, its additional rights including restriction of and objection to processing and data portability.
- AI opt-out. Customers can disable AI features at the tenant level, and users can opt out of optional AI assistance where a feature permits it.
- Requests about automated processing. You may ask about the logic involved in an AI-assisted output and request human review of any decision you believe was made without adequate human involvement.
- Exercising rights. For data held on behalf of a customer, requests are routed through that customer (the data controller). For data NovaLexi controls directly, contact us using the details below; we verify identity before fulfilling a request and respond within the periods required by law.
Acceptable use of AI features
When using NovaLexi's AI features, you agree not to:
- Input data you are not authorised to process, or that you are contractually or legally barred from disclosing.
- Use outputs as a substitute for qualified legal or professional advice, or present them as such to others.
- Attempt to extract, reverse-engineer, or circumvent the models or safety controls, or to access another tenant's data.
- Use the platform to generate unlawful, infringing, deceptive, or harmful content, or to make consequential decisions about a person solely on an unreviewed AI output.
We may suspend AI features where use breaches this policy, our Terms & Conditions, or applicable law.
Regulatory alignment
NovaLexi's AI governance is built to align with:
- Saudi PDPL and its implementing regulations, including data subject rights, purpose limitation, and breach notification.
- SDAIA AI Ethics Principles and SDAIA Generative AI Guidelines, mapped to the responsible-AI principles in section 3.
- NCA Essential Cybersecurity Controls (ECC-2:2024) for the protection of the systems and data behind our AI features.
- GDPR and the EU Artificial Intelligence Act, where we process data or serve users within their scope: we disclose clearly when you are interacting with an AI system, we apply the human-oversight and logging practices described in this policy, and we do not offer AI systems in categories the EU AI Act treats as prohibited or high-risk.
We pursue independent assessment and certification of our information security and AI governance on a defined roadmap, and we describe our current status honestly rather than claiming controls we have not yet implemented. Where a customer requires evidence, we share our current control mapping and assessment status under NDA.
Changes to this policy
As our AI capabilities, providers, and the regulatory landscape evolve, we will update this policy. The effective date and version at the top reflect the current edition. For material changes that affect how we use AI on customer data, we provide advance notice through the platform or to the customer's administrator. Continued use of AI features after an update constitutes acceptance of the revised policy, subject to any rights to object set out above.
This policy is published in Arabic and English. In case of any conflict or discrepancy between the two versions, the Arabic version prevails.
Contact & governance
Questions about this policy, requests relating to AI-assisted processing, or requests to exercise data rights can be sent to our governance team. For platform customers, the data controller is your organisation; NovaLexi acts as processor and will support your administrator in handling any request.
Privacy, security & AI governance: info@novalexi.com
NovaLexi Company — CR No. 7053584103 — 6809 Safwan Ibn Saleem Street, Al Arid District, Riyadh 13342 (Additional No. 3456), Kingdom of Saudi Arabia