
AI Use & Governance Disclosure
Last updated: December 15, 2021
1. Purpose
This document describes how Routable, Inc. (“Routable”) uses artificial intelligence (“AI”) and machine-learning (“ML”) capabilities within its accounts payable platform, and the controls Routable has in place around data accuracy, transparency, privacy, fairness, security, and vendor oversight. It is intended to supplement — not replace — Routable’s Data Processing Addendum, Privacy Policy, Sub-Processor List, and Security Practices.
2. Scope: Where AI Is Used in Routable
Routable uses AI and ML in two categories of activity: Customer-Facing AI Features and Internal AI Tools. Customer Data flows only into the Customer-Facing Features as described in §2.1.
2.1 Customer-Facing AI Features
- Invoice Capture / OCR. Extracts structured fields (vendor, amount, line items, dates) from invoice files uploaded to the Routable Inbox. Vendor: Rossum. Data: invoice file contents only.
- Predictive Invoice Coding. Suggests GL codes, departments, and other coding fields for invoices to accelerate AP workflows. Vendor: Kaunt. Data: invoice header/line metadata and historical coding decisions.
2.2 Internal AI Tools (No Customer Data)
Routable also uses third-party AI tools internally for data analysis and reporting (e.g., OpenAI). Customer Data is not used to train these models, and Routable does not share customer-identifying records with, or submit them to, these tools. See the Sub-Processor List for details about the Sub-Processors with whom Routable currently shares Customer Data.
3. AI Governance Controls
3.1 Data Accuracy & Model Performance
- Continuous accuracy monitoring. Routable monitors output quality for each AI feature (extraction accuracy for OCR; coding-suggestion acceptance rates for predictive coding). Regressions trigger an internal review with the vendor.
- Vendor accuracy commitments. Our AI sub-processors provide accuracy benchmarks and model performance reporting under their commercial agreements with Routable.
- Customer feedback loop. When a user overrides an AI suggestion, the correction is captured as ground truth, both for the customer’s own future suggestions and (where contractually permitted — see §3.4) for model improvement.
3.2 Transparency & Explainability
- AI suggestions are clearly labeled in the Routable UI; users can identify which fields were populated by AI versus entered manually.
- All AI outputs are advisory. Predictive coding produces a suggestion — never an irrevocable decision. OCR-extracted fields are reviewable and editable before any payment is initiated.
- No automated decisions with legal or significant effect. Routable’s AI features do not make decisions that produce legal or similarly significant effects on individuals (e.g., denying a payment, rejecting a vendor) without human review.
3.3 Human Oversight (Human-in-the-Loop)
Routable’s AI features are designed for human-in-the-loop operation:
- OCR extraction is presented to the user for review before any downstream action.
- Predictive coding routes suggestions through the customer’s standard review and approval workflow. Depending on the customer’s confidence-threshold configuration and approval rules, suggestions may be auto-applied below a configured confidence floor; in all cases, the customer’s approval workflow gates the actual disbursement of any payment.
- Customers retain full ability to disable AI suggestions and override individual suggestions at any time.
3.4 Privacy & Data Handling
- Data minimization. Only the data fields necessary for the AI feature’s function are transmitted to the AI sub-processor. For predictive coding, this is invoice header/line metadata and prior coding decisions; it does not include payment instrument details (bank account numbers, card data) or sensitive PII (SSN, driver’s license).
- Model training on Customer Data. Kaunt may use Customer Data to improve its models only on an aggregated and/or consented basis, in accordance with the contractual terms between Routable and Kaunt.
- Retention. AI sub-processors retain data only for the period necessary to provide the service or to comply with their own legal obligations. See the relevant sub-processor’s privacy policy linked from the Routable Sub-Processor List.
- Customer instructions and DSARs. Customer Data deletion, access, and rectification requests under GDPR / CCPA / CPRA are passed through to AI sub-processors as instructed. See Privacy Policy.
3.6 Security
- Encryption. Data in transit between Routable and AI sub-processors is encrypted using TLS 1.2 or higher. Data at rest within sub-processor systems is encrypted per their attested security programs.
- Access controls. Sub-processor access is limited to scoped service accounts with credentials rotated under Routable’s standard schedule. No customer or sub-processor employee has standing access to Routable’s production data stores.
- Sub-processor security posture. Each AI sub-processor is required to maintain industry-standard certifications (e.g., SOC 2 Type II, ISO 27001) appropriate to its services. Current attestations are reviewed during onboarding and at least annually thereafter.
- Incident response. AI sub-processors are contractually required to notify Routable of security incidents affecting Customer Data. Routable’s customer notification obligations are described in DPA §4 (Security Measures and Security Incident Response).
- Routable’s overall security posture. See security.routable.com for current certifications and the Trust Center.
3.7 Vendor Governance & Due Diligence
Before engaging any AI sub-processor, Routable conducts a documented review covering:
- Security certifications and attestations (SOC 2, ISO 27001, etc.).
- Privacy posture, including GDPR and U.S. state-law alignment, training-data practices, and data residency.
- AI-specific risk: model inputs/outputs, training-data sources and automated decision-making scope.
- Financial and operational stability appropriate to the criticality of the integration.
Sub-processors are reviewed at least annually thereafter, and the Sub-Processor List is the authoritative public record of current engagements. Customers receive notice of new sub-processors via the mechanism described in DPA §3 (Subprocessing).
3.8 Customer Rights, Opt-Out, and Notice
- Disabling AI features. Customers may disable AI-driven coding suggestions at the workspace level on request to Routable Support.
- Opting out of model improvement. Customers may opt their workspace out of any contractually permitted model-improvement uses by contacting privacy@routable.com.
- Notice of material changes. Material changes to Routable’s use of AI, including new AI sub-processors, new customer-facing AI features, or changes to training-data practices, will be communicated through Routable’s standard sub-processor notice mechanism and reflected in this disclosure.