Policy & Compliance Framework

Proportionate controls mapped to deviation risk

Use deviation classification to decide when to intervene. Corrective and low-risk flows stay fast. Cost-risk and policy-risk trigger proportionate controls. Friction is a tool, not a default.

Decision Modes

Four intervention levels — from passive logging to hard blocks.

Inform (friction: None)
Suggestion + log only. Agent sees the copilot recommendation but retains full autonomy.

Justify (friction: Low)
Agent must add a structured reason tag before proceeding. Creates an audit trail.

Approve (friction: Medium)
Supervisor or policy desk review required before action can proceed.

Block (friction: Hard stop)
Action prevented — critical boundaries that cannot be overridden at agent level.

Enforcement Mapping

Each deviation type maps to one or more decision modes based on risk profile.

Deviation Type | Decision Mode(s) | Rationale
Corrective Override | Inform / Justify | Agent correcting a weak suggestion — low risk, preserve autonomy
Empathy-Within-Policy | Inform | Agent exercising judgment within guardrails — log only
Cost-Risk | Justify / Approve | Escalation proportional to the compensation threshold exceeded
Policy-Risk | Approve / Block | Severity-based — mandatory process or safety boundary
Quality-Risk Closure | Post-audit | Caught retroactively — coaching and escalation checks

Hard Boundaries

Non-negotiable rules that always trigger a Block — no override path exists.

Zero-Tolerance Zone
  • Zero-tolerance safety and code-of-conduct violations
  • Prohibited data disclosure or privacy-breach actions
  • Compensation above critical thresholds without supervisor approval

Evidence Model per Decision

Every intervention captures a structured evidence packet for audit and learning.

1. Deviation class + risk score
2. Policy/rule references consulted
3. Selected action and override rationale
4. Approval identity and timestamp
5. Final resolution and cost outcome
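As an added example (not code from the framework page itself), the enforcement mapping, the hard boundaries and the evidence packet above expressed as one decision function. The numeric thresholds, the 1..3 severity scale and the flag names are assumptions, since the page states no values.

```python
from dataclasses import dataclass, field

INFORM, JUSTIFY, APPROVE, BLOCK, POST_AUDIT = "inform", "justify", "approve", "block", "post_audit"

# Thresholds below are constructed for this example; the page itself states no numbers.
COMP_APPROVE_ABOVE = 100.0       # cost-risk: a credit above this needs supervisor/policy desk review
COMP_CRITICAL_ABOVE = 500.0      # hard boundary unless a supervisor already approved the amount
POLICY_BLOCK_SEVERITY = 3        # policy-risk severity (assumed 1..3); 3 = mandatory process/safety
CORRECTIVE_JUSTIFY_SCORE = 0.5   # corrective override at/above this risk score needs a reason tag
ZERO_TOLERANCE = {"safety_violation", "code_of_conduct", "prohibited_disclosure", "privacy_breach"}

@dataclass
class Deviation:
    deviation_class: str          # one of the five enforcement-mapping classes
    risk_score: float = 0.0
    compensation: float = 0.0     # value of the proposed credit or refund, if any
    severity: int = 1             # policy-risk severity, 1 (minor) .. 3
    flags: set = field(default_factory=set)   # assumed classifier flags, e.g. "privacy_breach"
    supervisor_approved: bool = False

def decide(dev: Deviation) -> dict:
    """Map one classified deviation to a decision mode and build its evidence packet."""
    rules = []  # policy/rule references consulted, in evaluation order
    if dev.flags & ZERO_TOLERANCE:  # hard boundary: always Block, no override path
        rules.append("hard-boundary:zero-tolerance")
        mode = BLOCK
    elif dev.compensation > COMP_CRITICAL_ABOVE and not dev.supervisor_approved:
        rules.append("hard-boundary:critical-compensation")
        mode = BLOCK
    elif dev.deviation_class == "corrective_override":  # Inform / Justify
        rules.append("map:corrective-override")
        mode = JUSTIFY if dev.risk_score >= CORRECTIVE_JUSTIFY_SCORE else INFORM
    elif dev.deviation_class == "empathy_within_policy":  # Inform only
        rules.append("map:empathy-within-policy")
        mode = INFORM
    elif dev.deviation_class == "cost_risk":  # Justify / Approve, proportional to amount
        rules.append("map:cost-risk")
        mode = APPROVE if dev.compensation > COMP_APPROVE_ABOVE else JUSTIFY
    elif dev.deviation_class == "policy_risk":  # Approve / Block, severity-based
        rules.append("map:policy-risk")
        mode = BLOCK if dev.severity >= POLICY_BLOCK_SEVERITY else APPROVE
    elif dev.deviation_class == "quality_risk_closure":  # caught retroactively
        rules.append("map:quality-risk-closure")
        mode = POST_AUDIT
    else:
        raise ValueError(f"unknown deviation class: {dev.deviation_class}")
    # Evidence packet: approval identity, resolution and cost outcome are filled in later, so start empty.
    return {"deviation_class": dev.deviation_class, "risk_score": dev.risk_score,
            "rules_consulted": rules, "selected_action": mode, "override_rationale": None,
            "approver": None, "approved_at": None, "final_resolution": None, "cost_outcome": None}
```

Hard boundaries are evaluated before any class mapping, so a privacy-breach flag on an otherwise low-risk deviation still yields a Block, and the packet records which rule fired.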

Governance Cadence

Regular review cycles keep thresholds calibrated and policies current.

Weekly

High-risk deviation review — threshold adjustment proposals, escalation pattern analysis

Biweekly

False-positive / false-negative calibration — rule accuracy review and tuning

Monthly

Threshold and policy mapping updates with compliance sign-off

Data Privacy by Market

Six Southeast Asian markets, each with distinct privacy regulations governing support data.

Market | Regulation | Key Requirements
🇸🇬 Singapore | PDPA | Consent, purpose limitation, breach notification within 3 days
🇲🇾 Malaysia | PDPA 2010 | Consent + notice, cross-border data transfer restrictions
🇮🇩 Indonesia | PDP Law | Explicit consent, DPO appointment, breach notification 72h
🇵🇭 Philippines | DPA 2012 | Consent, NPC registration, breach notification 72h
🇹🇭 Thailand | PDPA 2022 | Lawful basis, DPO appointment, cross-border safeguards
🇻🇳 Vietnam | PDPP | Consent, data localization, impact assessment required

Data Classification

Every data type has a classification, retention window, and access boundary.

Data Type | Classification | Retention | Access
Customer PII | Sensitive | 2 years | Agents — own cases only
Agent action logs | Operational | 2 years | Supervisors + QA
Supervisor dispositions | Operational | 2 years | Supervisors + QA
Risk scores | Operational | 2 years | System + QA
Chat transcripts | Sensitive | Per-market | Agents — own cases only
Learning data | Derived / Anonymized | Indefinite | ML pipeline

Privacy-by-Design Requirements

Structural safeguards embedded in the system architecture.

Pseudonymization

PII replaced with reversible tokens in processing pipelines

Purpose limitation

Data used only for declared support and improvement purposes

Right of access / correction

Customers and agents can request data export or correction

Cross-border transfer

Data stays in-region unless adequate safeguards verified

Data breach response

Automated detection with escalation within regulatory windows

Retention enforcement

Automated purge jobs aligned with per-market retention rules