Responsible Automation
We allow AI copilots and automation when they respect privacy, attribution, and review safeguards.
Allowed usage
- Generate scaffolding, tests, or refactors that do not include customer data.
- Draft docs or comments summarizing existing repository context.
- Suggest performance or reliability improvements with clear diffs.
Required practices
- Keep secrets out of prompts: never paste API keys, shared secrets, or webhook tokens. Use placeholders in examples.
- Redact payloads: do not share raw geocoding queries, addresses, or customer identifiers with AI tools.
- Attribute sources: cite upstream inspirations in commit messages or PR descriptions when AI suggestions borrow from external sources.
- Review everything: treat AI output as untrusted—run tests and perform manual review before shipping.
- Logging hygiene: ensure generated code keeps structured logging and does not introduce raw payload persistence.
Prohibited
- Training or fine-tuning models on proprietary or customer data without a privacy review.
- Allowing automation to commit directly to protected branches or bypass required reviews.
- Exporting repository contents to services without a data processing agreement.
If something leaks
- Rotate affected credentials immediately.
- Notify the privacy contact on your team and open an incident per your runbook.
- Document the exposure, remediation, and preventive controls.
This policy mirrors our internal guardrails and applies to any external contributors building on Geobridge.