AI Operations & Monitoring

This page defines the minimum operational practices for deploying Clerk.io AI features in line with the EU AI Act. It references existing security and compliance documents for authoritative detail.

Logging and traceability

Maintain logs sufficient to explain decisions and outputs over time:

• Correlation/request ID and timestamp
• Pseudonymous user/session identifiers (where applicable)
• Inputs/context (e.g., query, widget context), without storing unnecessary personal data
• Model/config version or rule set ID
• Results served (top‑k exposures) and overrides applied
• Feedback events (click, add to cart, purchase) where collected

Export and retention:

• Customers should enable exports needed for their audits and record‑keeping.
• Retention should align with your legal basis and internal policies.

Authoritative references:

• SOC 2 – Logging & Monitoring Policy
• ISO 27001 – Information Security Policy

Monitoring and quality

Track key indicators and set alert thresholds:

• Recommendations/search: CTR, add‑to‑cart rate, conversion rate, latency (P95), exposure diversity by category/brand
• Email/audience: open/click rates, unsubscribe/complaints, segment stability
• Drift indicators: catalog churn, seasonality shifts, data ingestion errors

Where degradation or unexpected behavior is detected, pause affected experiences (kill switch) and investigate.

Human oversight

• Keep humans in the loop for campaign approvals, merchandising overrides, and any LLM‑generated content.
• Use preview/QA environments prior to enabling changes.
• Document oversight roles and escalation paths.

Serious incidents and corrections

An AI “serious incident” includes, for example, systemic surfacing of unsafe content, a material security compromise affecting inference integrity, or large‑scale harmful erroneous outputs.

When suspected:

1. Activate incident procedures and pause affected modules.
2. Collect logs, configuration snapshots, and example outputs.
3. Notify Clerk.io support with severity, scope, and business impact.

Authoritative references:

• SOC 2 – Incident Response Plan
• ISO 27001 – Incident Response Procedure
• SOC 2 – Vendor Management Policy

Changes and versioning

• Track model/config changes with semantic versions and release notes.
• Define rollback criteria and maintain previous stable versions.
• Communicate material changes that may affect behavior.

For product‑specific controls and safeguards, see AI Products.