BEL Advisory Diligence. Systems. Leadership.
Version v0

Data and AI Policy v0

Last updated: 2026-05-22

Scope

This policy describes how BEL Advisory handles client data when using analytical tools, automation, and AI-supported workflows. It is intended for reference from engagement letters and client documents.

Baseline commitments

BEL Advisory treats client information as confidential unless it is clearly public, already known without restriction, or approved for broader use by the client. Client information is used only for the engagement purpose, internal work management, legal and tax obligations, or another purpose agreed with the client.

AI tools may be used to support drafting, summarizing, structuring, coding, modeling, translation, quality review, or internal knowledge work. AI output is not treated as final professional judgment. Brian remains responsible for review, interpretation, and delivery.

Sensitive material

Highly sensitive material, including non-public transaction data, personal data, trade secrets, board materials, unreleased financials, and privileged or regulated information, should not be entered into external AI services unless the engagement permits it and the tool is appropriate for the sensitivity level.

Where feasible, data is minimized before tool use. This can include removing names, redacting identifiers, aggregating figures, or using synthetic examples.

Client-specific rules

If a client has stricter AI, data, confidentiality, or security requirements, those requirements control for the engagement once agreed in writing. BEL Advisory can work within client-provided systems where practical.

Records and retention

Working files are retained only as long as needed for the engagement, business administration, tax/legal obligations, or reasonable professional recordkeeping. Client-specific retention terms can be agreed in the engagement letter.

Data processing agreement and sub-processors

Where BEL Advisory acts as a processor of personal data on a client’s behalf, a data processing agreement (Auftragsverarbeitungsvertrag, Art. 28 GDPR) is available where applicable. Sub-processors used for that engagement are listed in the annex to that agreement and kept current there.

Changes

This is version v0. Future material changes will be published as a new version at a new stable URL.