CODEXIS AI

Data processing policy for CODEXIS AI in Microsoft 365

Effective date: 18 June 2026

This document describes how the CODEXIS AI application within Microsoft 365 — i.e. the add-ins for Word, Excel and Outlook and the app for Microsoft Teams — accesses your data and how it uses, stores and protects it.

The controller of personal data is:

ATLAS consulting spol. s r.o.

Výstavní 292/13, 702 00 Ostrava

IČO: 46578706

E-mail: klientske.centrum@atlasgroup.cz

www.atlasgroup.cz

The use and transfer of information that the CODEXIS AI application receives from Microsoft interfaces (Office Add-ins / Office.js, Microsoft Graph, Microsoft 365 and Microsoft Teams) is governed by the terms of use for Microsoft APIs and Microsoft Graph, and by the principle of the minimum necessary scope of permissions.

Information obtained through Microsoft interfaces, as well as any content you enter into the application, is not used for advertising purposes, marketing, user profiling or for training artificial-intelligence models.

1. What data we process

The CODEXIS AI application accesses only the minimum data necessary for the service to function within Microsoft 365.

Basic profile information — to sign you in and identify the linked account (typically via Microsoft Entra ID / SSO), the application may process:

  • the user’s name,
  • the e-mail address (UPN),
  • the user identifier and the organization identifier (tenant ID).

Content you actively work with — in order to provide the requested action (revision, suggested wording, formula, draft reply), the assistant processes the content you hand to it:

  • the content of a document open in Word or Excel on which you invoke the assistant (a selected passage or the entire document);
  • the content of an e-mail open in Outlook on which you invoke the assistant;
  • your queries (prompts) and conversations and the files you upload for analysis;
  • the outputs the application creates for you, which it can write back into the document at your instruction.

Operational and log data — to ensure operation, security and support, we process technical records (e.g. access time, session identifier, audit logs of who accessed the data and when).

The CODEXIS AI application does not read, search or download the content of your Microsoft 365 environment (mailbox, files on disk, Teams chats) beyond the document or item you hand to it yourself. It requires only those permissions (Office add-in / Microsoft Graph scopes) that are necessary to provide the assistant’s functions.

2. Purpose of data processing

The data is used exclusively for the following purposes:

  • Providing the service – processing your queries, documents and e-mails and generating legal research, drafts, checks and wording based on verified legal sources.
  • Identifying the account link – signing in and displaying information about the linked Microsoft account.
  • Operation, security and support – ensuring functionality, resolving incidents and providing technical support.

The data is not used for any other purposes, and in particular is not used for:

  • advertising purposes or ad personalization,
  • marketing analytics or user profiling,
  • tracking user behaviour,
  • selling or providing data to third parties or data brokers,
  • training artificial-intelligence models.

3. Legal basis for processing

Processing is carried out on the basis of:

  • performance of a contract under Art. 6(1)(b) GDPR – providing the licensed CODEXIS AI service to the user, or to the organization that acquired the licence;
  • legitimate interest under Art. 6(1)(f) GDPR – ensuring the security, operation and quality of the service;
  • consent under Art. 6(1)(a) GDPR where linking the account or a specific function is voluntary and is activated by authorization (OAuth / Microsoft Entra).

Linking the account is voluntary and the user may cancel the integration at any time.

4. AI subprocessor and data transfer

For artificial-intelligence functions, CODEXIS AI uses OpenAI as a processor (subprocessor). The following applies:

  • the content you enter into the application (prompts as well as analysed documents) is not used to train or improve models – neither at ATLAS GROUP nor at OpenAI;
  • the processing is contractually covered by a data processing agreement (DPA) under Art. 28 GDPR;
  • AI queries are processed within the European Union (EU data residency) – requests and responses do not leave the EU and do not travel to the USA;
  • on the basis of the agreed Zero Data Retention (ZDR), OpenAI does not store the content at all.

Apart from the subprocessor mentioned, data is not shared with third parties. The only exception is where disclosure is required by law or by a decision of a public authority.

5. Human access to data

Access to your data by employees or contractors of ATLAS consulting spol. s r.o. is strictly limited. Access may occur only:

  • where the user has given explicit consent to view specific data (e.g. when handling a technical support request),
  • where it is necessary to resolve a security incident or a technical error,
  • where it is required by law.

Access is limited to the minimum number of authorized persons, is governed by access rights and is recorded in audit logs.

6. Data storage and protection

We use appropriate technical and organizational measures to protect data. In particular:

  • encryption at rest (AES-256) and encryption in transit (TLS 1.2+);
  • centralized management of cryptographic keys and encrypted backups;
  • access control based on user permissions and audit records;
  • operation in a secure data centre within the European Economic Area;
  • a security programme in line with ISO/IEC 27001, 27017 and 27018; certificates can be provided on request.

7. Retention period and data deletion

We retain data only for as long as necessary to provide the service, or for the duration of the licence / account link.

  • The user can delete a conversation in the chat history; deleting a chat is irreversible.
  • After disconnecting the Microsoft account, authorization tokens are immediately and irreversibly deleted from the CODEXIS AI servers.
  • Upon termination of the licence or deletion of the account, the related data is removed in accordance with the contract and the law.

A request for deletion of data can be made at klientske.centrum@atlasgroup.cz; we handle requests within 30 days at the latest.

8. Data portability and export

Documents and outputs remain the property of the customer. Inputs and outputs can be exported from the application, or are saved back into your case folders or directly into the document you are working on.

9. Security incident notification

In the event of unauthorized access to data or its misuse, we will inform the affected users without undue delay in accordance with the applicable law, in particular Regulation (EU) 2016/679 (GDPR).

10. In-app notice

When linking a Microsoft account with the CODEXIS AI application, the user is shown, before access is granted, information about which data the application will access and for what purpose the data will be used. The user grants access through authorization (OAuth / Microsoft Entra).

11. Rights of data subjects

The user has the following rights: the right of access, rectification, erasure, restriction of processing and data portability, and the right to withdraw any consent given.

If you believe that the processing has breached the law, you have the right to lodge a complaint with the supervisory authority. In the Czech Republic this is the Office for Personal Data Protection, www.uoou.cz.

12. Changes to this policy

If the way data is processed changes, this policy will be updated and users will be informed of the changes before the data starts to be used in the new way. By continuing to use the application after the changes are announced, the user expresses agreement with the updated policy.

ATLAS GROUP

CODEXIS AI is built by ATLAS GROUP — a long-established company with the soul of a start-up. We build applications that help people in law and economics make sense of what matters most: what actually applies, what follows from it, and how not to get lost in it.
