AI Security at Cirrico

This page is about how Cirrico uses AI in delivering services to our customers. It is not guidance on how nonprofit organisations should adopt AI in their own operations.

How we use it. What we protect. What we promise.

AI is changing how software gets built, supported and delivered. We’ve adopted it at Cirrico – with clear rules, real limits, and a firm line on where it doesn’t belong.

This page is our public position on AI. Transparency is one of our values, and trust is something we earn rather than ask for – so we’re laying out how we use AI, what we won’t compromise on, and how it fits with the responsibility our customers place in us.

What you’ll find here is consistent with our internal Artificial Intelligence (AI) Policy and the related Data Classifications, Software and App Usage Policy, and Incident & Data Breach Policy, which apply to every member of our team.

Where we stand

Our approach to AI is intentionally cautious. The right posture is restraint, not enthusiasm. These are the rules every member of our team operates by:

  • We use only AI tools we have formally approved. Our team must not use unapproved tools for Cirrico work.
  • We do not connect AI tools to Cirrico or customer systems through integrations, connectors or plugins unless that connection is explicitly approved.

Data we use. Data we don’t.

What goes into an AI tool follows our Data Classifications.

Yes: Public information. Business and project information. Routine professional contact details, such as work emails, meeting transcripts, and project documentation.

Never: Customer system credentials. Donor or service-user records. Individuals’ home addresses, payroll or financial data. Health, special category, or otherwise sensitive personal data.

This applies whether the data is typed in a message or contained in an attached file. It applies on Cirrico-provided and personal accounts, and on any device.

AI in our delivery work

Where AI tools assist with code or configuration, the same software development discipline applies as for human-written work. AI-generated code goes through human review, runs through our standard testing process, and is subject to the same version control, release and rollback controls as any other change.

AI tools cannot make changes to customer systems directly. Changes are always executed by an accountable human team member.

Accountability stays human

AI tools do not change who is responsible for the work. Every deliverable, whether a document, configuration, code or training material, is reviewed, signed off and owned by a named member of our team, exactly as it would be without AI involvement. We’re open with customers about how we work, AI use included. If a customer wants to discuss our AI use in the context of their engagement, we’re happy to do so.

Our approved AI tools

The AI tools we approve are assessed as part of our supplier onboarding. We review their terms of service, data processing agreement, data residency, retention practice, and where available we opt out of any use of our inputs to train future models.

Approved tools are listed in our internal Software and App Usage Policy, which is reviewed as the landscape evolves. Our currently approved primary AI tool is Claude (Anthropic).

If something goes wrong

AI-related events, for example a suspected disclosure of data into an AI tool, or an output that could cause customer impact, are handled under our Incident & Data Breach Policy.

Keeping pace

AI capability and AI-related risk are both moving fast. We review our AI Policy and our approved tools list on a regular cadence, and after significant developments in the landscape. As a processor of personal data on our customers’ behalf, we work to the Information Commissioner’s Office guidance on AI and data protection, and we track its developing position on emerging areas such as agentic AI. We also follow broader regulatory developments relevant to our customers, including the joint statement on frontier AI models and cyber resilience issued by the Bank of England, the Financial Conduct Authority and HM Treasury in May 2026.

Talk to us

Got specific questions about how this applies to your engagement? Speak to your Cirrico consultant.

Procurement and security teams running supplier reviews can request our AI Policy and related policies. We’ll share them subject to a standard confidentiality arrangement.