AITS Framework
AITS — AI Trust Score Framework — 20 privacy and AI governance criteria (ISO / LGPD)
AITS Criteria
20 privacy and AI governance criteria
This table presents the 20 criteria of the AITS (AI Trusty Score), comprising 12 traditional privacy criteria and 8 specific to software that uses AI.
All criteria are based on international ISO standards for privacy and AI governance.
| ID | Group | Description | ISO Standard (LGPD, GDPR, CCPA & NIST) | Weight | AI |
|---|---|---|---|---|---|
| 1 | AI Data Use | Does the organization clearly inform how long input data (inputs, prompts) and output data (outputs, responses) from AI systems are retained, and whether they can be deleted by the user? | ISO/IEC 42001 (8.2) + ISO/IEC 27701 (7.4.6) | 3 | |
| 2 | AI Data Use | Does the organization clearly state whether data entered by users (inputs, prompts, content) is used to train, improve, or develop AI models? | ISO/IEC 42001 (8.2) + ISO/IEC 23894 + EU AI Act | 3 | |
| 3 | AI Data Use | Can the user opt out of having their data used for AI model training? Is the process clear and accessible? | ISO/IEC 42001 (8.3) + ISO/IEC 29100 + EU AI Act | 3 | |
| 4 | Fundamental Transparency | Does the software clearly declare whether it uses artificial intelligence in its features? | ISO/IEC 42001 (7.4) | 3 | |
| 5 | AI Governance | Does the organization declare commitments to ethical AI use, including measures against bias, discrimination, or social harm in its automated systems? | ISO/IEC 42001 (6.1) + ISO/IEC TR 24028 + EU AI Act (Art. 9) | 3 | |
| 6 | AI Transparency | Does the policy clearly inform which software features use AI and for what purposes? | ISO/IEC 42001 (7.5) | 3 | |
| 7 | Rights and Data Subject Control | For automated AI decisions that significantly impact the user, is there a clear explanation of how the decision was made? | ISO/IEC TR 24028 | 3 | |
| 8 | Rights and Data Subject Control | Can the user contest or request human review of automated AI decisions? | ISO/IEC 42001 (8.3) | 3 | |
| 9 | Fundamental Transparency | Are scope and roles clear (controller/processor) and for which products/services? | ISO/IEC 27701 (7.3) | 3 | |
| 10 | Fundamental Transparency | Are the controller's identity and contact details clearly provided? | ISO/IEC 27701 (7.3) | 3 | |
| 11 | Rights and Data Subject Control | Is there a contact channel available for privacy or data protection questions? | ISO/IEC 27701 (7.3) | 3 | |
| 12 | Fundamental Transparency | Are processing purposes listed for the main data categories? | ISO/IEC 27701 (7.3) | 3 | |
| 13 | Fundamental Transparency | Does the policy inform how long personal data is retained or the criteria for determining this period? | ISO/IEC 27701 (7.4.6) | 3 | |
| 14 | Fundamental Transparency | Are the recipients (or categories) of data identified? | ISO/IEC 27701 (7.3) | 3 | |
| 15 | Best Practices and Detail | Does the policy inform about international data transfers? | ISO/IEC 27701 (7.3) | 3 | |
| 16 | Best Practices and Detail | If there is international transfer, are the safeguards mentioned? | ISO/IEC 27701 (7.3) | 3 | |
| 17 | Best Practices and Detail | Is the 'Performance of Contract' legal basis mentioned for essential data? | ISO/IEC 27701 (7.2.2) | 3 | |
| 18 | Maturity and Excellence | If 'Legitimate Interest' is used, does the policy explain the interest and the balancing of rights? | ISO/IEC 27701 (7.2.2) | 3 | |
| 19 | Best Practices and Detail | Is the processing of sensitive data made explicit with additional safeguards? | ISO/IEC 29100 | 3 | |
| 20 | Best Practices and Detail | Does the policy indicate availability of a Data Processing Agreement (DPA) or processing terms for enterprise clients, per LGPD Art. 39 and GDPR Art. 28? | ISO/IEC 27701 (8.2) + LGPD Art. 39 + GDPR Art. 28 | 3 | |