Governance

How to govern AI in pricing, inventory and operations

How we govern data, AI, and access in practice.

WithPraxis is built around judgement, governance, and evidence-led decision-making. Our approach to data, security, and AI reflects this.

This page sets out our operating principles. It is not a sales document. It describes how we work, not what we promise.

Governance is not a feature we add at the end. It shapes how we scope work, how we build systems, and how we engage with client data from the outset.

We are comfortable being held to these standards. If you have questions, we're happy to discuss.

Certifications and standards

We are certified to ISO 27001 (information security) and ISO 9001 (quality management). We hold Cyber Essentials certification. Where applicable, our work aligns with GDPR requirements.

WithPraxis holds the following certifications:

  • ISO 27001: Information Security Management
  • ISO 9001: Quality Management Systems
  • Cyber Essentials: UK Government Cyber Security

Our practices align with:

  • WCAG 2.1 Level AA: web accessibility standards
  • GDPR: EU data protection requirements
  • NIST AI Risk Management Framework: AI governance principles
  • ISO/IEC 42001 principles: AI management system standards

Where client requirements demand specific certifications or standards, we work to meet them.

About this document

This page provides a summary of how WithPraxis approaches governance, security, and data handling. It is intended as an orientation, not a complete specification.

The content here is not prescriptive. Every client engagement is different, and our governance approach adapts to context, risk profile, and regulatory requirements.

More detailed documentation is freely available from our governance team upon request. This includes full policy documents, technical specifications, and evidence of certifications.

If you require specific documentation for procurement, compliance, or due diligence purposes, please get in touch. We are accustomed to supporting client security reviews and will provide what you need.

Our operating principles

We prioritise:

  • Governance over capability
  • Minimum necessary data
  • Human judgement over automation
  • Explicit decisions that can be reviewed and challenged
  • Long-term trust over short-term convenience

Technology is used to support decision-making, not to bypass it.

Data ownership and control

Clients retain ownership of their data at all times.

WithPraxis acts as a steward and processor of data only for agreed purposes. Client data is never treated as a shared asset, product input, or training material by default.

We do not:

  • Sell client data
  • Reuse client data across engagements
  • Train AI models on client data unless explicitly agreed in writing

Data residency: Client data is hosted within UK/EU infrastructure unless otherwise agreed. We support data residency requirements and can accommodate specific geographic constraints.

Data handling and classification

Data is handled according to its sensitivity and purpose.

We apply:

  • Clear separation between clients
  • Separation of live, test, and synthetic data
  • Handling rules aligned to data classification
  • Controls designed to prevent accidental leakage or misuse

Only data required to perform agreed work is requested or retained.

AI use and governance

AI within WithPraxis is used as a controlled decision support layer.

Our approach aligns with:

  • NIST AI Risk Management Framework (trustworthy AI principles)
  • ISO/IEC 42001 principles (AI management system standards)
  • EU AI Act considerations (transparency, human oversight, risk management)

Our practices include:

  • Clear distinction between advisory outputs and deterministic system behaviour
  • Guardrails on prompts, inputs, and outputs
  • Preference for refusal over guessing where uncertainty is high
  • Human review where decisions carry material impact
  • Explicit transparency on where AI is used and where it is not
  • Regular assessment of AI model performance and bias
  • Documentation of AI decision logic for auditability

AI does not act autonomously on client systems or data.

AI governance documentation is available upon request.

Security practices

Security is treated as a design concern, not an afterthought.

Our practices include:

  • Secure-by-design system architecture
  • Encryption of data in transit and at rest where appropriate
  • Environment isolation
  • Ongoing maintenance and patching
  • Monitoring with a bias towards early detection and containment

Our security posture is validated through:

  • Annual penetration testing by independent security firms
  • Regular vulnerability scanning
  • Third-party security audits
  • Code review and security assessment

Test results are available to qualified prospects under NDA.

We focus on practical risk reduction rather than theatrical security.

Incident response

When security incidents occur, we respond promptly.

Our approach:

  • Defined incident classification and escalation procedures
  • Immediate containment and impact assessment
  • Client notification within agreed timeframes
  • Root cause analysis and remediation
  • Post-incident review and documentation
  • Continuous improvement based on lessons learned

We treat incidents as learning opportunities, not failures to be hidden.

Access control and permissions

Access to systems and data is controlled and intentional.

We apply:

  • Role-based access control
  • Least-privilege principles
  • No shared credentials
  • Regular review and removal of access when no longer required
  • Clear separation between internal, client, and system access

Access exists to support work, not convenience.

Staff vetting: All WithPraxis staff undergo background checks appropriate to their role and data access level. This includes DBS checks where applicable and ongoing security awareness training.

Third-party systems and vendors

Where third-party platforms or services are used, they are selected deliberately.

Our approach:

  • Use established, reputable providers
  • Understand and document data flows
  • Avoid uncontrolled data sharing
  • Prefer platforms that support auditability and governance
  • Review vendors for security posture, not just capability

Client data is not exposed to third parties unnecessarily.

Sub-processor management: We maintain a register of sub-processors with defined approval criteria. Changes to critical sub-processors are communicated to clients where contractually required.

Data retention and deletion

Data is retained only for as long as it serves a clear purpose.

We apply:

  • Purpose-led retention periods
  • Separation of active and archived data
  • Defined deletion processes
  • Support for client-led deletion requests where applicable

Retention is intentional, not accidental.

Backup and recovery

Client data and systems are backed up regularly with tested recovery procedures.

Our approach:

  • Automated backup schedules aligned to data criticality
  • Geographically distributed backup storage
  • Regular recovery testing and validation
  • Defined recovery time objectives (RTOs)
  • Protection against ransomware and accidental deletion

Recovery procedures are documented and validated.

Compliance and alignment

Our practices are aligned with recognised data protection and security principles, including GDPR.

We focus on:

  • Practical compliance
  • Proportionate controls
  • Governance that fits the data and the decision being made

Compliance is treated as a baseline, not a differentiator.

Accessibility

Our platform and services are designed to meet WCAG 2.1 Level AA standards.

This includes:

  • Keyboard navigation support
  • Screen reader compatibility
  • Sufficient colour contrast ratios (4.5:1 for body text, 3:1 for large text)
  • Resizable text without loss of functionality
  • Clear focus indicators and skip navigation
  • Alternative text for images and media
  • Accessible form controls with clear labels and error messaging
  • No content that flashes more than 3 times per second

We test accessibility throughout development using automated tools and manual testing with assistive technologies.

Platform accessibility aligns with:

  • EN 301 549: European accessibility
  • Section 508: US Federal accessibility

An accessibility statement and conformance documentation are available upon request.

If you have specific accessibility requirements or need VPAT (Voluntary Product Accessibility Template) documentation for procurement, please contact our team.

Client assurance

We are open about how we operate.

We are comfortable:

  • Explaining our governance approach in detail
  • Aligning with reasonable client security reviews
  • Adapting controls where proportionate and appropriate

Governance is part of how WithPraxis works, not an appendix.

Right to audit: Clients may request security audits or assessments as part of contract terms. We accommodate reasonable audit requests and provide evidence documentation to support due diligence.

Common questions about AI governance

What does AI governance mean for operational decisions?

AI governance for operational decisions means defining who owns each decision, what controls apply, and how outcomes are measured when AI supports pricing, inventory or fulfilment choices. The focus is the decision and its accountability, not just model performance.

Why do distributors and commerce businesses need governance for these decisions?

Because pricing, inventory and fulfilment decisions directly affect margin, service levels and risk. Without clear ownership and controls, AI-supported decisions can drift, become inconsistent across locations, or produce outcomes that no one is accountable for.

How is this different from model governance?

Model governance covers the technical performance, validation and monitoring of AI models. WithPraxis governance covers the operational decision the model supports, including its inputs, ownership, escalation paths and how its commercial outcome is measured.

Where do you start applying governance?

We start with a specific operational decision where commercial impact is clear and ownership is not fully defined, such as automated pricing or fulfilment routing. Governance is then applied around that decision rather than introduced as a separate organisational layer.

Need more detail?

Our governance team can provide detailed documentation for your review.

Get in touch