Ginger.

Published Standards

AI Use Charter

Version 2.0 · Effective May 27, 2026 · Supersedes v1.0

Ginger Solutions advises clients on independent systems strategy, program delivery, and operational risk. Where artificial intelligence tools help us do that work better, faster, or more accurately, we use them. Where they introduce risk to client data, decision quality, or regulatory standing, we do not.

This Charter is the published standard every Ginger engagement is run under. It is public so clients, regulators, partners, and our own people can hold us to it.

1. Scope

This Charter applies to all Ginger Solutions engagements — advisory and delivery — and to every Ginger principal, employee, associate, and subcontractor who participates in client work. It governs how we use AI tools internally and on client systems, regardless of whether the tooling is provided by Ginger, by the client, or by a third party.

2. Definitions

  • AI Tool. Any generative AI model (including large language models), AI agent, automated reasoning system, or workflow that uses machine learning to produce content, recommendations, or actions on client work.
  • Engagement. A scoped piece of work performed by Ginger for a client under a signed statement of work or master services agreement.
  • AI Tool Registry. The per-engagement record of every AI tool used, including provider, model name and version, residency, consent basis, and intended use.
  • Evidence Pack. The auditable record of AI use on an engagement: tools, inputs, outputs, redactions applied, human reviewers, timestamps, and any incidents.
  • Subprocessor. A third party (including AI model providers and cloud hosts) that processes client data on Ginger's behalf in the course of an engagement.
  • Material Decision. A decision affecting strategy, risk acceptance, regulatory posture, financial commitment, contractual terms, or production system change.

3. Principles

Five principles govern every operational rule that follows.

  1. Independence. Our recommendations are not influenced by AI vendor relationships.
  2. Data sovereignty. Client data stays in Canada by default and never leaves a defined, consented path.
  3. Human accountability. A named senior human is responsible for every client deliverable.
  4. Auditability. Every material use of AI is recorded and reviewable.
  5. Proportionality. AI is used where it improves quality, speed, or accuracy — not by default and not where the risk exceeds the benefit.

4. Operational Controls

4.1 Independence

Ginger does not accept commissions, referral fees, revenue share, equity consideration, or marketing development funds from any AI vendor, platform, or model provider. Where any Ginger principal holds a financial interest in an AI vendor, that interest is disclosed in writing before the vendor is discussed with a client.

4.2 Data residency

Client data is processed and stored within Canadian regions of approved cloud providers (currently including Azure Canada Central, AWS ca-central-1 and ca-west-1, and Google Cloud northamerica-northeast). Cross-border processing requires written client consent, a documented lawful basis, and disclosure in the engagement Evidence Pack.

4.3 Consent

No client document, data extract, or identifiable information is submitted to an AI Tool without the client's informed, written consent. Consent terms are recorded per engagement, are revocable at any time, and are renewed when scope, tools, or model versions change materially.

4.4 Redaction

Personally identifiable information, payment data, regulated health data, privileged legal material, security credentials, source code under confidentiality, and contractual confidentiality classes are excluded from AI Tools by default. Specific redaction rules are agreed with the client before work begins and reflected in the AI Tool Registry.

4.5 Tool Registry

Every engagement maintains an AI Tool Registry listing provider, model name and version, residency, consent basis, and intended use. The Registry is updated when tools change. Experimental, unreleased, or pre-production models are not used on client work.

4.6 Human review

Every artifact delivered to a client is reviewed and signed off by a named senior Ginger advisor whose identity is recorded in the Evidence Pack. AI may shape the work; it does not replace authorship or accountability.

4.7 Material Decisions

Material Decisions are made by humans. AI may inform analysis or generate options; it does not approve, ratify, or commit on a client's behalf. Agentic AI is permitted in client environments only under an explicit, narrowly scoped, human-approved mandate with defined limits on actions, systems, and duration.

4.8 Training data exclusion

Ginger does not use client data to train, tune, or fine-tune any model. Where subprocessor terms permit model training on submitted data by default, Ginger configures those features off before client data is processed and records that configuration in the Evidence Pack.

4.9 Retention

Client data is not retained inside AI Tools beyond what is necessary to complete the engagement. At engagement end, client data is purged from AI Tool sessions and prompt histories under our standard data-disposition procedure.

4.10 Staff conduct and training

Every Ginger principal, employee, associate, and subcontractor with client access is trained on this Charter and acknowledges it in writing before working on an engagement. Failure to comply is grounds for removal from the engagement.

4.11 Evidence Pack

For each engagement we maintain an Evidence Pack containing: the AI Tool Registry, the consent record, the redaction rules applied, the human reviewer assignments, and a log of any incidents or model behaviour requiring escalation. The Evidence Pack is available to the client at any time and to regulators and auditors where applicable.

5. What We Will Not Do

  • Recommend an AI vendor in which Ginger or its principals hold a financial interest, without prior written disclosure.
  • Place agentic AI in a position to take material action on a client system without an explicit, narrowly scoped, human-approved mandate.
  • Present AI-generated content as human work, or human-authored content as AI work.
  • Retain client data inside AI Tools beyond the engagement term.
  • Use client data to train, tune, or fine-tune any model without explicit written consent.
  • Deploy experimental, pre-production, or unreleased models on client work.
  • Use consumer-grade AI accounts (personal ChatGPT, personal Claude, personal Gemini, or similar) on identifiable client data.
  • Allow AI to make final hiring, procurement, regulatory, or commercial decisions on a client's behalf.

6. Subprocessors and Model Providers

AI model providers are Subprocessors under PIPEDA, PIPA, and FOIP. Ginger maintains a current list of approved Subprocessors, including the model providers and cloud hosts on which client data may be processed. The list is provided to clients on request and reviewed before each engagement begins.

Where a client requires use of a specific Subprocessor not on our approved list, we evaluate it under the same criteria and document the outcome before proceeding. Where a client prohibits a Subprocessor, we comply.

7. Standards Alignment

This Charter is designed to align with and support compliance against:

  • Privacy law: Personal Information Protection and Electronic Documents Act (PIPEDA); Alberta and British Columbia Personal Information Protection Acts (PIPA); Alberta Freedom of Information and Protection of Privacy Act (FOIP).
  • AI risk and governance frameworks: NIST AI Risk Management Framework (AI RMF 1.0); ISO/IEC 42001:2023 (AI management systems); OECD Principles on AI.
  • Information security: Controls aligned with ISO/IEC 27001 and the Center for Internet Security (CIS) Controls v8, scaled to engagement risk.
  • Sector frameworks: Where in scope, we align to applicable sector standards including HIPAA-equivalent provincial health privacy regulation and PCI DSS.

Alignment is operational and proportionate to engagement risk; this Charter is not a certification claim.

8. Incident Response

If an AI Tool used on an engagement produces an output that causes or risks harm, leaks client data, or behaves outside its sanctioned mandate, Ginger will:

  1. Pause use of the affected tool on the engagement.
  2. Notify the client's designated contact within one business day of confirmation, or sooner where required by law or contract.
  3. Investigate, record the incident in the Evidence Pack, and provide a written account of cause, impact, and remediation.
  4. Comply with statutory breach-notification obligations under PIPEDA, PIPA, FOIP, or other applicable law.

9. Reciprocal Expectations

To uphold this Charter, we ask clients to:

  • Identify regulated data classes (privacy, health, payment, security, privileged) before work begins, so redaction rules can be set correctly.
  • Disclose any AI tools the client itself uses on Ginger work product so we can track residency and consent end-to-end.
  • Provide an authorized contact for consent and incident notification.
  • Tell us promptly when consent is changed or withdrawn.

10. Changes to this Charter

We review this Charter at least annually, and sooner where material changes in technology, regulation, client expectation, or industry practice require it. Versioned changes are published at this URL with the effective date and a brief changelog. Active clients are notified of material changes that affect work in flight.

11. Accountability

This Charter is owned by the Managing Partner of Ginger Solutions. Questions, concerns, requests for the current Subprocessor list, or requests for the Evidence Pack underlying a specific engagement may be directed to:

Managing Partner
Ginger Solutions
Email: info@gingersolutions.ca
Address: Edmonton, AB, Canada

Version History

  • v2.0 — May 27, 2026. Added Scope, Definitions, Subprocessor disclosure, Standards Alignment, Incident Response, Reciprocal Expectations, and Change Management.
  • v1.0 — May 27, 2026. Initial publication.

Back to About