Policies
Map.ca policy

AI Vendor Policy

Standards that AI vendors must meet to handle Map.ca traffic — data handling, training restrictions, audit requirements.

Map.ca uses AI vendors. The AI Vendor Policy is how Map.ca makes sure that using a vendor does not silently undo the AI Use Policy. It defines the contractual exclusions (no Map.ca data used to train the vendor’s models), the data-handling tier each vendor is bound to, the data-residency requirements, the sub-processor disclosure cadence, the audit-log requirements, and the termination rights Map.ca preserves when a vendor changes its practices.

It applies to every AI vendor handling Map.ca traffic, Map.ca’s procurement and AI teams, and the security reviewers who evaluate vendor changes.

Requirements

  • Contractually exclude Map.ca data from any vendor training pipeline.
  • Bind vendors to a documented data-handling tier.
  • Require sub-processor disclosure and a meaningful notice period for changes.
  • Preserve audit-log access on demand.

Prohibitions

  • Do not allow vendor use of Map.ca data for training without separate, explicit permission.
  • Do not allow sub-processor changes without notice.
  • Do not allow data exfiltration to unauthorized jurisdictions.
  • Do not waive audit rights for commercial convenience.

Related policies

AI Use PolicyWhere AI is used on Map.ca, what it can and cannot do, and how humans stay responsible for outcomes.AI Training and Data Use PolicyHow Map.ca's user content is and is not used for training AI — Map.ca's own systems and external vendors alike.Vendor Security PolicySecurity requirements Map.ca holds vendors to before, during, and after engagement.Data Residency PolicyDefines where Map.ca stores and processes data. Canadian-first residency wherever practical; disclosure when trusted vendors process data outside Canada.