At Sailing Byte, we pay close attention to the tools we use. We are aware of technological advancements, but we always prioritise customer data security and business considerations. Only this approach aligns with our philosophy of partnership in projects. With the increasing adoption of AI in the market, we have decided to establish consistent guidelines for its use at Sailing Byte.
Base coding standards
- We only propose AI to our clients where it makes strategic or business sense or provides real value to the user. If using AI in your project doesn’t make sense, we’ll let you know.
- We use only AI tools where there is no doubt that we retain control over the “input” and “output” of what is fed into the models. Only this approach guarantees that we can safely transfer all economic copyrights to the entire code to our clients in accordance with the terms of the contract.
- We use only AI tools that do not learn from the code and data provided. Only this approach ensures full ownership of the code and limits its potential use by third parties.
- We do not transmit any user data to AI during the development process. However, this should be distinguished from the transmission of user data to AI in functionalities implemented on production systems.
- We use only providers that comply with GDPR standards. This covers data privacy standards in both the EU and the US.
- We—Sailing Byte—are responsible for errors in the code generated by AI, because we are the experts, and the duty of care in this regard rests with us. We will not shift the responsibility for the results of working with the AI tools we have chosen onto you, the client.
- The use of AI tools for programming is already factored into all our quotes and proposals. We know which tools and how they can help bring your project to life.
- Where code privacy or the use of a specific local model is critical, we can deploy a dedicated private model exclusively for you. However, in such cases, you will cover the cost of maintaining this tool, and it will be added to your invoice.
- Where the model’s behaviour needs to be specifically tailored, we can train a model for you. For this, we’ll need a significant amount of data, but this approach significantly improves the model’s performance. If you’re interested in this solution, let us know.
- Separate arrangements may be required if you—as our client—choose yourself the AI tools we will work with. In that case, none of the points above may apply, and you—as our client—are responsible for the selected AI tool.
We have compared AI providers and their compliance so that both you and we can see the differences between them.
Data transfer to AI
Level 0 — Non-personal data — not subject to the GDPR — we use providers that meet ONLY the requirements above, with a preference for ZDR (zero data retention). No additional consent is required to use AI. Example data:
- Source code, system architecture
- Technical documents, logs without identifiers
- Company financial data (e.g., revenue, costs at the company level)
- Public company data (KRS, NIP, registered office address)
- B2B contracts where the party is a company, not a natural person
- Internal strategies, presentations without personal data
Level 1 — “ordinary” personal data (Art. 6 GDPR) — we do not send this data. We will process it only with the Client’s explicit consent and at their request (for example, as part of a system). This requires a DPA (data processing agreement) with every processor (gateways, load balancers, model providers). The location of processing is significant. Recommended options include: OpenRouter Enterprise with EU Lock, Cortecs, or Eden AI.
Criterion: data that identifies or could identify a natural person. Examples of such data:
- Employee’s first and last name, work email
- Customer contact information (natural persons, B2C)
- User IP logs
- Content of emails and support tickets containing customer data
- Invoices issued to natural persons (B2C)
- CVs, employee HR data
Level 2 — sensitive data, “special categories” (Art. 9 GDPR) — we do not transmit this data. We will process it only with the Client’s explicit consent and at their request, and exclusively in justified cases (for example, as part of the system). This requires additional arrangements regarding the provider and supplementary documentation. As a general rule, processing is prohibited without an explicit legal basis. An example of a recommended stack is LiteLLM + a provider with hosting strictly within the EU (e.g., AWS Bedrock In Region, OVH, Azure Data Zone). A DPIA (Data Protection Impact Assessment) is required. Examples of such data:
- Health status, illnesses, test results
- PESEL, ID card number
- Biometric data (faces, fingerprints)
- Political, religious, or union affiliation
- Criminal record data
- Genetic data