AI GOVERNANCE
How Tanqory selects, discloses, and reviews the AI providers used in our platform. The practices described here are designed in accordance with EU AI Act preparation and ISO/IEC 42001 principles; Tanqory is not certified against ISO/IEC 42001. Certification status, when achieved, is published on the Certifications page.
These principles are how we evaluate any AI provider before it is wired into production, and how we design any new AI feature before it ships. Each principle is owned operationally by the Data Protection Officer (dpo@tanqory.com) together with the AI lead.
AI outputs are advisory inside admin workflows. Critical actions — payouts, tax filings, customer-facing publishing — require explicit human confirmation. We do not deploy fully autonomous agents against customer money or customer data without a confirmation step. Owner: DPO + AI lead. Verification: design reviewed at vendor onboarding and at each feature release; recorded in the internal AI registry.
Where the upstream provider supports a workspace-level opt-out from model training (OpenAI, Anthropic, Google Gemini), Tanqory elects the opt-out by default. We do not need a customer to ask. Owner: DPO + AI lead. Verification: per-provider settings audited at vendor onboarding and recorded in the subprocessor registry.
Every third-party AI provider we use is listed on this page and on the Subprocessors page, with purpose, region, and opt-out status. No silent AI features and no silent provider swaps. Owner: DPO + AI lead. Verification: changes to the AI provider list trigger a Subprocessors page update on the next build cycle and a 30-day subprocessor notice owned by the DPO.
AI calls send the smallest payload that makes the feature work. We do not send full customer databases to a foundation model when an embedding or a single record will do. Owner: DPO + AI lead. Verification: payload boundaries reviewed at each feature design review and recorded in the internal AI registry.
Tanqory uses a small, deliberately chosen set of AI providers. Each entry below is wired in production and disclosed publicly. The Subprocessors page is the canonical legal register; this table is the operational view. DeepSeek is an optional provider listed for transparency. It is **disabled by default** at the platform level. Customer enablement requires an explicit support request, an acknowledgement of cross-border transfer to the People's Republic of China, and compatibility review for the merchant's data-residency commitments. EU/EEA/UK/Swiss merchants cannot enable DeepSeek without an Order Form amendment. AI provider review and risk assessment are owned by the Data Protection Officer (dpo@tanqory.com) together with the AI lead.
| Provider | Role | Region | Training opt-out | Status |
|---|---|---|---|---|
| OpenAI, L.L.C. | LLM inference (gpt-4o family), embeddings (text-embedding-3-small), image generation | United States | Yes (elected) | Default |
| Anthropic, PBC | LLM inference (Claude family) — selectable provider | United States | Yes (elected) | Default selectable |
| DeepSeek (Hangzhou DeepSeek AI Co., Ltd.) | Alternative LLM provider | People's Republic of China | n/a | Optional provider — disabled by default. Customer enablement requires an explicit support request and acknowledgement of cross-border transfer to the People's Republic of China. Production customer data is not routed to DeepSeek by default. EU/EEA/UK/Swiss merchants may not enable DeepSeek without an Order Form amendment. |
| Google LLC (Google Cloud) | Gemini TTS for tanqory-voice; on-device Gemini Nano on Android | United States / on-device | Yes (elected) | Default |
| Apple Inc. (FoundationModels) | On-device LLM (iOS 26+) via the FoundationModels framework | On-device only | n/a (no transfer) | Default on supported devices |
Region column states where inference runs, not where billing entities are domiciled. On-device entries do not transfer prompts off the customer device.
These are the customer-facing AI features Tanqory ships today. Each is mapped to the canonical product-feature registry; experimental or pre-release uses are not listed.
Vector search over the merchant's catalog and customer query intent. Backed by MongoDB Atlas Vector Search and OpenAI text-embedding-3-small.
Multi-turn chat with retrieval-augmented context over the merchant's knowledge base and recent customer queries. Provider is selectable across OpenAI (default) and Anthropic. DeepSeek is available as an optional provider, disabled by default, with the additional restrictions described in the Providers section.
Text completions for product descriptions, marketing copy drafts, and image edits. Human review remains the publishing gate.
Google Gemini TTS as the default voice engine via tanqory-voice. edge-tts is wired as a fallback.
Native iOS apps on iOS 26+ can run the FoundationModels framework on-device. No prompt leaves the customer device for these flows.
Native Android apps on supported devices can run Gemini Nano via AICore on-device. No prompt leaves the customer device for these flows.
Tanqory runs AI in two modes: on-device, where the platform provides a local foundation model, and cloud, where we call a third-party API. We choose the on-device path whenever the surface and the device support it.
iOS FoundationModels (iOS 26+) and Android Gemini Nano via AICore. No prompt or response leaves the customer device. Used for low-latency assistance and privacy-sensitive flows where the model is capable enough.
Calls go to a named provider (OpenAI, Anthropic, or Google Gemini). DeepSeek is available only as an optional provider, disabled by default, with the restrictions in the Providers section. Payloads are minimised, requests are TLS 1.2+, and provider-level training opt-outs are elected wherever available.
Every AI inference is via a third-party API or on the customer's own device. The internal product-feature registry explicitly flags ai-training-on-customer-data as not shipped. If that ever changes, this page and the Subprocessors page will be updated before the feature reaches production.
Tanqory designs its AI management practices in accordance with the leading standards, but we do not claim certifications we do not hold. The certification roadmap is on the Certifications page. AI compliance practices are owned by the Data Protection Officer (dpo@tanqory.com) together with the AI lead.
Tanqory monitors EU AI Act applicability across our use cases. The internal AI registry tracks per-feature provider, purpose, and risk classification per Article 11 / 18 obligations. We do not claim Conformity Assessment certification. Owner: DPO + AI lead.
AI management system practices are designed in accordance with ISO/IEC 42001 principles. Tanqory is not certified against ISO/IEC 42001. External certification is on the Certifications roadmap. Owner: DPO + AI lead, with the Compliance team.
AI-specific risk management is informed by ISO/IEC 23894, and applied alongside our broader ISO/IEC 31000 risk practice. Owner: DPO + AI lead.
Information-security and Trust Services Criteria certifications are tracked separately on the Certifications page. AI workloads inherit the same control set.
Watermarking of AI-generated content: Tanqory commits to surface AI-generation provenance when an upstream provider exposes it, and to label AI-assisted content inside merchant-facing tools. We do not yet apply cryptographic content provenance (C2PA) to AI-generated media.
Enterprise security, legal, and procurement teams can request our AI subprocessor registry summary, EU AI Act applicability mapping, and on-device versus cloud deployment breakdown under NDA.
Email the Trust team