Skip to content
Bizzi AI Governance Framework
Pillar II: Legal and Regulatory · § 09

Deploy legal safeguards

A compliance architecture only counts if it is in the contract. Bizzi’s legal safeguards live in four artifacts. The standard DPA every enterprise customer signs. The SCC analog for cross-border transfers. The public sub-processor page. The in-product end-user disclosure. This section describes each.

Context

Section titled “Context”

Bizzi acts as the Processor. The customer acts as the Controller under Decree 13. The DPA is the document fixing the relationship in writing. Without it, every downstream control is unenforceable. Residency, breach notification, audit rights.

The standard DPA

Section titled “The standard DPA”

Every enterprise contract carries a DPA fixing.

  • Roles. Bizzi is Processor. The customer is Controller per Decree 13.
  • Scope of processing. Data categories, purpose, duration.
  • Technical and organizational measures. Encryption, access control, audit trail, incident response.
  • Sub-processors. The live list plus the 30-day pre-notification commitment for changes.
  • Data residency. The specific region per §4.
  • DSAR support. Bizzi commits to a 30-day response window.
  • Breach notification. Bizzi notifies the Controller within 72 hours of a confirmed breach, in line with Decree 13 Article 23.
  • Audit rights. The Controller audits on a defined cadence, via documentary review or scheduled on-site.
  • Termination. The data export and deletion workflow described in §7.

Standard Contractual Clauses for cross-border transfers

Section titled “Standard Contractual Clauses for cross-border transfers”

When a customer chooses Option 3 in §4 and data flows outside Vietnam, Bizzi applies an SCC analog modeled on the EU Standard Contractual Clauses, with three additions.

  • The destination region is named explicitly.
  • The sub-processor LLM holds a binding Zero Data Retention commitment.
  • The transfer is cancelled if legal conditions in the destination region change materially. For example, if government access orders become a foreseeable risk.

The sub-processor page

Section titled “The sub-processor page”

Contracted customers have access to a Sub-processor Page listing.

  • The sub-processor name.
  • The scope of processing (LLM inference, observability, OCR, vector DB, and so on).
  • The operating region.
  • A link to the sub-processor’s own DPA and compliance evidence (SOC 2, ISO 27001 attestations).

Changes are announced by email and in the CHANGELOG at least 30 days before they go live.

End-user disclosure

Section titled “End-user disclosure”

Every UI surface letting a user interact with AI carries three controls.

  • AI Disclaimer. Explicit language. “You are interacting with an AI assistant”.
  • Confidence indicator. AI-populated fields are visually distinct from human-entered fields.
  • Privacy Policy link. Easy to find, with a short plain-language description of how AI uses the input.

Indemnification and liability caps

Section titled “Indemnification and liability caps”

Bizzi’s MSA applies industry-standard terms with three deliberate carve-outs.

  • Standard liability cap. Typically 12 months of recent fees or an equivalent amount.
  • Carve-outs not subject to the cap. Data breach caused by gross negligence, IP infringement claims, intentional misconduct.
  • Bizzi indemnifies the customer for IP claims against the Bizzi platform and for data breaches caused by Bizzi.
  • The customer indemnifies Bizzi for data they place into the system. They warrant ownership and licensing rights.

Standards mapping

Section titled “Standards mapping”