Pipefy AI Governance and Operational Architecture

Written by Product Team
Updated over a week ago

While our global policies address data privacy at rest, the use of Generative Artificial Intelligence requires an additional layer of technical governance. This document explains how Pipefy AI is structured to ensure operational control, cost transparency, and sovereignty over the processing of Large Language Models (LLMs).

Below, we outline the mechanisms that differentiate our AI infrastructure.


1. Architectural Flexibility: Choose Your Control Model

We recognize that different organizations have different compliance requirements. For this reason, Pipefy AI is a platform that offers two distinct technical operating modes.

🧠 Operating Modes and Data Control

Pipefy AI can operate in two ways:

🔹 Pipefy-Intermediated Mode

Pipefy processes your AI requests through contracted LLM providers such as OpenAI, Google, or AWS (“providers”).

  • These providers do not use your inputs or outputs to train models.

  • Data may be retained for up to 30 days solely for abuse prevention and technical maintenance purposes, always in anonymized form or under Zero Data Retention (ZDR) policies when available.

🔹 BYO-LLM Mode (Bring Your Own Large Language Model)

You may connect your own LLM or AI account (e.g., OpenAI API, Azure, AWS Bedrock, or Vertex AI).

  • In this mode, you retain full control over data privacy, retention, and data residency.

  • Pipefy does not have access to the content processed by your provider and does not interfere with the retention policies you configure.


🔹 Option A: Pipefy-Intermediated (Managed) Mode

Ideal for organizations seeking speed and simplicity without complex configuration.

How it works: Pipefy acts as a secure proxy, managing contracts and infrastructure with tier-one providers such as OpenAI, Google, or AWS.

Protection Mechanism: APIs are configured to operate under Zero Data Retention (ZDR) policies whenever available, ensuring that the external provider processes the request and immediately discards the content after generating the response, with no persistent storage or use for training purposes.


🔹 Option B: BYO-LLM (Bring Your Own Model)

Ideal for organizations with strict data sovereignty requirements or existing enterprise agreements with hyperscalers.

Full Sovereignty: Customers connect their own credentials (API keys) for services such as Azure OpenAI, AWS Bedrock, or Vertex AI.

Isolation: In this scenario, Pipefy acts solely as an orchestration interface. We do not interfere with retention policies defined directly between your organization and your cloud provider.


2. The “Human-in-the-Loop” Concept

To mitigate the inherent risks of Generative AI (such as hallucinations or cognitive bias), Pipefy AI’s architecture is designed to enable human review within automated processes. Customers can freely configure validation checkpoints within their workflows.

  • Operational Validation: We recommend that AI-generated outputs be treated as “suggestions,” requiring human validation before triggering critical actions.

  • Regulated Industries: For customers in financial services or the public sector, the platform enables traceability of who requested and who approved AI-generated content, ensuring full auditability of the decision-making process.


💰 AI Credits and Usage Transparency

Pipefy AI operates on a monthly AI credit system that reflects processing resource consumption.

  • Credits are renewable and monitored directly by the environment Administrator.

  • Excess usage or additional credits are billed transparently according to the prices defined in the Purchase Order.


3. Consumption Management

Unlike traditional data storage, AI cost and performance are based on token usage. Our governance model includes specific tools to manage this consumption:

  • AI Credit System: Usage is tracked through a renewable credit system, providing Administrators with financial predictability and preventing unexpected charges due to excessive token consumption.
