This document governs ALL AI systems used by ALL fund personnel across ALL fund jurisdictions (United States, United Kingdom, Switzerland, United Arab Emirates). Individual preferences do not override this framework. One standard. No exceptions.
This document establishes what data AI agents may access, under what conditions, and with what restrictions. It applies to all AI systems used by any fund personnel, including GP AI partners, analyst tools, and any future systems.
Why this exists: AI access to fund documents creates operational leverage but also creates risk -- data leakage, regulatory non-compliance, LP privacy violations, and privilege waiver. This constitution draws a clear, enforceable line.
Governing law and regulatory references: see Legal tab.
One standard. No exceptions.
All fund personnel -- including GPs, analysts, associates, and any future hires -- follow this framework regardless of which AI system they use.
| Level | Definition |
|---|---|
| Full | AI has unrestricted access. Can analyze, summarize, draft, flag issues. |
| Support | AI provides research support. AI cannot access raw data. The human authors the output. AI assists with structure, frameworks, comparable analysis. |
| Redacted | AI sees a version with sensitive fields removed. Names, amounts, addresses, personal identifiers stripped. AI analyzes structure and patterns, not specific commercial details. |
| Reference Only | AI knows the document exists and its purpose. Cannot see contents. Can reference its existence in context. |
| No Access | AI has zero access. Document is never shared, referenced, or described to AI. Human-only. |
When in doubt, find it here.
Behavioral principle: Before sharing, ask: "Does the AI need the specific names and numbers, or just the pattern?" If the pattern is sufficient, redact the specifics.
The primary reference for employees. Every document type the fund handles, classified with explicit permissions and restrictions.
| Document Type | Access Level | AI Can | AI Cannot |
|---|---|---|---|
| Market Research & Industry Analysis | Full | Analyze, summarize, compare, flag trends | -- |
| Fund Marketing Materials | Full | Draft, edit, format, suggest improvements | -- |
| Published Articles & Thought Leadership | Full | Research, draft, edit, suggest topics | -- |
| Operational Procedures & Workflows | Full | Document, optimize, suggest improvements | -- |
| Public Regulatory Filings (Form D) | Full | Review, summarize, flag requirements | -- |
| GP Strategic Thinking & Thesis | Full | Brainstorm, challenge, research, structure | -- |
| Compliance Manual | Full | Analyze, reference, help update | -- |
| Due Diligence Reports | Support | Research public data, competitive analysis, red flag scanning, structure frameworks | Access data room materials, draft final conclusions, sign off on findings |
| Investment Committee Memos | Support | Structure format, comparable analysis, market context | Draft final IC recommendation, access confidential deal terms |
| Portfolio Company Board Decks | Support | Help structure, suggest frameworks | Access actual financial figures, LP-specific data |
| Portfolio Company Board Minutes | Support | Help structure agendas, prepare follow-ups, research context | Access raw sensitive deliberations, make decisions on behalf of board |
| Portfolio Company Financials | Redacted | Analyze patterns, compare structures, flag anomalies | See company names, specific figures (unless analysis requires them) |
| Term Sheets & Deal Terms | Redacted | Analyze clause structure, compare against templates | See counterparty names, specific valuations (unless required) |
| Fund Strategy Documents | Redacted | Help refine thesis, market analysis | See specific pipeline targets with deal values |
| Internal Partner Communications | Redacted | Understand context for tasks | See raw partner disputes or disagreements |
| Aggregate Fund Performance | Redacted | Analyze trends, benchmark, draft commentary | See individual LP attribution |
| Employee Compensation Data | Redacted | Analyze aggregates, benchmark ranges | See individual records |
| Private Placement Memorandum (PPM) | Redacted | Help draft sections, review structure, flag regulatory requirements | See specific LP-targeted terms without redaction |
| Capital Call Notices | Redacted | Help structure and format | See individual LP names, amounts, bank details (redact before sharing) |
| Distribution Notices | Redacted | Help structure and format | See individual LP names, amounts, bank details |
| Annual Audited Financial Statements | Redacted | Analyze patterns, compare periods | See LP-specific allocations |
| Quarterly LP Reports (final) | Redacted | Help draft narrative, analyze aggregate performance | See individual LP attribution |
| Valuation Reports / NAV Statements | Redacted | Help with methodology analysis, benchmarking | See specific portfolio company marks without redaction context |
| Advisory Board Materials | Redacted | Help prepare agendas, research topics | See specific names and terms without redaction |
| Investor DDQ Responses | Redacted | Help draft responses, structure answers | See LP-specific details in questions |
| Limited Partnership Agreement (LPA) | Reference Only | Know it exists, reference general structure | See specific terms, waterfall provisions, LP-specific clauses |
| Side Letters | Reference Only | Know they exist, reference in context | See any contents |
| Subscription Agreements | Reference Only | Know they exist | See LP details |
| Co-investment Agreements | Reference Only | Know they exist, reference in context | See specific terms, third-party details |
| Fund Formation Documents | Reference Only | Know structure exists | See raw legal filings |
| Insurance Policies (D&O, E&O, Cyber) | Reference Only | Know coverage exists | See policy terms, limits, exclusions |
| LP Personal Data (SSNs, passports, bank details) | No Access | Nothing | Everything -- never shared under any circumstance |
| KYC/AML Documentation | No Access | Nothing | Everything -- regulatory violation |
| Attorney-Client Privileged Communications | No Access | Nothing | Everything -- privilege waiver per Heppner |
| Material Non-Public Information (MNPI) | No Access | Nothing | Everything -- securities law violation |
| Suspicious Activity Reports (SARs) | No Access | Nothing | Everything -- criminal offense (tipping-off) |
| Individual LP Commitment Amounts | No Access | Nothing | Everything -- breach of confidentiality |
| Raw NDA-Protected Documents | No Access | Nothing | Everything -- breach from transmission itself |
| K-1 Tax Documents | No Access | Nothing | Everything -- LP personal tax information |
| GP Commitment Documentation | No Access | Nothing | Everything -- personal financial commitments of principals |
| Wire Instructions / Bank Details | No Access | Nothing | Everything -- financial infrastructure, fraud risk |
These items never touch any AI system under any circumstances. There is no "with care" option. There is no "use judgment." The answer is always NO.
For data in the Support and Redacted tiers, a mechanical rule is not always sufficient. Apply this test:
"Does the AI need the specific details, or just the pattern?"
When in doubt, redact first. You can always add specifics later. You cannot un-share what has already been shared.
If a data type is NOT listed in the classification table, DO NOT share it and DO NOT refuse the task. Escalate to the AI Governance Officer for classification before proceeding. The default is ESCALATE, not SHARE and not REFUSE.
Data classification is not permanent. Some data moves between tiers based on context:
| Scenario | Classification Change |
|---|---|
| Deal under active negotiation → deal publicly announced | Redacted → Full |
| Portfolio company quarterly financials during reporting period → after LP report published | Redacted → Reference Only (aggregated in published reports) |
| Draft IC memo → final IC decision documented | Support → Redacted (final version with redacted specifics can be referenced) |
| Pipeline company under evaluation NDA → company passes, NDA expires | No Access → Redacted (if NDA permits post-expiry use) |
Reclassification requires AI Governance Officer approval. No individual can reclassify data unilaterally.
Fund data stays on fund-approved platforms. Personal AI is your business. Do not share fund-classified data with personal AI systems. If a GP uses a personal AI assistant for non-fund work, no fund data -- regardless of tier -- may be shared with that system. The boundary is absolute.
New tools or integrations connecting to fund data require approval before use. No individual -- including GPs, analysts, or any fund personnel -- connects unapproved tools to fund systems unilaterally. If a tool touches fund data -- even indirectly -- it must be reviewed and authorized by the AI Governance Officer or GP vote before deployment.
Document-level classification defines what AI can see in individual files. Folder-level classification defines what AI can access at the directory level. This prevents browsing of restricted areas even when individual documents within them may have varied classifications.
Portfolio Company Data Room

| Folder | AI Access | Rationale |
|---|---|---|
| /business/ | Support | Business plans, market analysis, pitch materials. AI assists with research and analysis. Human authors conclusions. |
| /technical/ | Support | Technical documentation, architecture, code. AI assists with evaluation. Human assesses. |
| /legal/ | Reference Only | Contracts, IP filings, regulatory. AI knows documents exist. Cannot see contents unless counsel authorizes specific sharing on enterprise platform. |
| /financial/ | Redacted | P&L, balance sheets, projections, cap table. AI analyzes patterns with company names and specific figures removed. |
| /kyc-aml/ | No Access | Identity documents, background checks. Regulatory requirement. Never exposed to AI. |
| /correspondence/ | Reference Only | Emails, notes between fund and company. May contain privileged or commercially sensitive communications. |
| Folder | AI Access | Rationale |
|---|---|---|
| /deal-pipeline/ | Support | Active prospects, initial screens. AI assists with research, scoring, market analysis. |
| /investment-committee/ | Support | IC memos, voting records. AI helps structure memos. IC lead authors conclusions. |
| /lp-relations/ | Redacted | LP communications, reports, DDQs. AI helps draft narrative. All LP-identifying information redacted. |
| /lp-data/ | No Access | Personal information, subscriptions, KYC. Regulatory requirement. Human-only. |
| /legal/ | Reference Only | LPA, side letters, fund formation docs. AI knows structure exists. Cannot see specific terms. |
| /finance/ | Redacted | Fund accounting, NAV, capital calls, distributions. Aggregate analysis permitted. Individual LP amounts removed. |
| /compliance/ | No Access | Regulatory filings, AML records, SARs. Criminal liability for AI exposure of SARs. |
| /hr/ | No Access | Employment contracts, compensation, performance. Personal data. Human-only. |
| /strategy/ | Full | GP strategic discussions, fund thesis, market positioning. AI fully supports strategic thinking. |
If a folder is classified at a certain level, all documents within it inherit that classification unless individually classified at a more restrictive level. A document can be more restricted than its folder, but never less restricted.
When AI assistance involves documents from multiple folders with different access levels, the most restrictive classification applies to the entire interaction.
Example: Drafting an IC memo (Support) that references LP commitment data (No Access). The entire interaction is governed by No Access rules.
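The inheritance and most-restrictive-wins rules above can be enforced mechanically before anything is handed to an AI system. The following is an added example, not the fund's own tooling: the numeric ordering of tiers follows the order in which this document lists them, and treating a path outside every classified folder as an escalation, as well as all function and class names, are assumptions made for illustration.

```python
from enum import IntEnum
from pathlib import PurePosixPath


class Level(IntEnum):
    # Least to most restrictive, in the order the document lists the tiers.
    FULL = 0
    SUPPORT = 1
    REDACTED = 2
    REFERENCE_ONLY = 3
    NO_ACCESS = 4


# Folder classifications copied from the second folder table above.
FOLDER_LEVELS = {
    "/deal-pipeline": Level.SUPPORT,
    "/investment-committee": Level.SUPPORT,
    "/lp-relations": Level.REDACTED,
    "/lp-data": Level.NO_ACCESS,
    "/legal": Level.REFERENCE_ONLY,
    "/finance": Level.REDACTED,
    "/compliance": Level.NO_ACCESS,
    "/hr": Level.NO_ACCESS,
    "/strategy": Level.FULL,
}


class Unclassified(LookupError):
    """Path sits under no classified folder: escalate, do not share."""


def folder_level(path):
    p = PurePosixPath(path)
    # Reject relative paths and ".." so "/strategy/../lp-data/x" cannot
    # borrow the classification of a less restricted folder.
    if not p.is_absolute() or ".." in p.parts:
        raise ValueError(f"path must be absolute and normalized: {path}")
    # Walk up to the nearest classified ancestor folder.
    for parent in p.parents:
        if str(parent) in FOLDER_LEVELS:
            return FOLDER_LEVELS[str(parent)]
    raise Unclassified(path)


def effective_level(path, doc_level=None):
    # A document may be more restricted than its folder, never less:
    # a looser document-level label is clamped to the folder's level.
    folder = folder_level(path)
    return folder if doc_level is None else max(folder, doc_level)


def interaction_level(docs):
    # docs: non-empty list of (path, document-level label or None).
    # The most restrictive document governs the whole interaction.
    return max(effective_level(path, lvl) for path, lvl in docs)
```
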
| Role | Responsibility |
|---|---|
| AI Governance Officer | Owns this document. Handles escalations. Conducts quarterly reviews. Approves reclassifications. To be assigned by GP resolution. |
| General Partners | Follow this framework without exception. Model correct behavior. Report violations immediately. |
| Analysts / Associates | Follow this framework. When uncertain, escalate -- never guess. |
| External Advisors | Bound by this framework when using fund AI systems. Must acknowledge in writing before access is granted. |
| AI Systems (all) | Must be configured to refuse No Access data if technically possible. Cannot override GP-locked compliance rules. |
AI Governance Officer: [To be named by GP resolution before first close]
If any fund personnel departs -- whether GP, analyst, or associate -- MAKR-workspace data, AI-generated deliverables, and fund-related outputs remain with the fund. Personal-zone data leaves with the departing individual. Specific terms to be defined in employment or partnership agreement. The departing individual's AI system must not retain fund-classified data after exit.
This classification applies to ALL AI systems used by ALL fund personnel -- including GPs, analysts, associates, advisors, and any future hires. Different individuals may use different AI systems. Everyone follows this framework. Individual preferences, seniority, workflows, or AI system capabilities do not override these classifications.
If an AI system cannot technically enforce a classification (e.g., cannot redact automatically), the human user is responsible for manual compliance.
One standard. No exceptions.
The goal is compliance, not punishment. Most incidents arise from confusion, time pressure, or inadequate training -- not malice. The response matches the cause.
| Level | Type | Example | Response |
|---|---|---|---|
| Level 0 | Near-miss (caught before exposure) | Prepared to share an unredacted document, caught the error before sending to AI | Positive acknowledgment -- the system worked. Document anonymously for training. No disciplinary action. Pattern of near-misses from same individual triggers coaching. |
| Level 1 | Inadvertent, no harm | Shared a company name that should have been redacted on enterprise platform. Caught within 24 hours. | Coaching conversation with Governance Officer. Identify root cause (unclear classification? time pressure? tool limitation?). If root cause is a framework gap, update the framework. No formal record unless recurrence. |
| Level 2 | Policy violation, potential harm | Shared portfolio financials without redaction on consumer AI platform | Formal written notice. Mandatory retraining within 14 days. Incident logged. Governance Officer assesses potential harm and need for external notification. Temporary AI access restriction to Full-tier only until retraining complete. If caused by infrastructure gap, MAKR addresses the gap. |
| Level 3 | Serious breach | Shared LP personal data, KYC documents, or MNPI with any AI system | Immediate suspension of all AI access. Formal investigation (Governance Officer + GP oversight). Legal exposure assessment. Regulatory notification if required. LP notification if personal data exposed. Outcomes may include: termination, clawback, personal liability, and regulatory referral. Intent and cooperation considered. |
| Level 4 | Malicious conduct | Deliberate exfiltration of fund data via AI. Intentional breach for personal benefit. | Immediate termination. Legal action. Regulatory referral. LP notification. |
Distinguishing negligence from malice matters. Level 1-2 responses focus on education and remediation. Level 3-4 responses address harm and accountability. The distinction is deliberate.
Pattern recognition: All incidents (Levels 0-4) are logged and reviewed quarterly. Multiple Level 1 incidents from one individual = additional coaching. Multiple Level 1 incidents across different individuals = framework or training gap, not individual failure. Any Level 2+ triggers review of whether framework, tools, or training need updating.
"I didn't know" is not a defense. This document exists. Every fund employee acknowledges it in writing. But MAKR's obligation under the Fund Duties tab is to ensure everyone has the training, tools, and support to know.
MAKR operates across four jurisdictions: United States (New Jersey/New York), United Kingdom (London), Switzerland (Geneva), and United Arab Emirates (Dubai). Fund data flows between these locations through AI systems, document sharing, and communications. Each jurisdiction has distinct data protection requirements.
Regulatory Landscape

| Jurisdiction | Primary Regulation | Key Requirements |
|---|---|---|
| United States | NJ Data Protection Act (NJDPA, effective Jan 15, 2025), NY SHIELD Act, SEC Regulation S-P | Reasonable security measures, breach notification, financial data protection. SEC 2026 priorities flag AI-related Reg S-P compliance. |
| United Kingdom | UK GDPR + Data Protection Act 2018 | Lawful basis for processing, data subject rights, transfer safeguards. ICO guidance on AI and data protection. |
| Switzerland | Federal Act on Data Protection (nFADP, revised Sep 2023) | Similar to GDPR. EU adequacy confirmed. FINMA Guidance Note 08/2024 on AI in financial services. |
| UAE | Federal PDPL (2021, enforcement tightening toward Jan 2027) + DIFC DPL + ADGM DPR | Three parallel regimes (Federal, DIFC, ADGM). Cross-border transfers require adequate safeguards. |
| From | To | Mechanism | Status |
|---|---|---|---|
| UK | Switzerland | Mutual EU GDPR adequacy | Free flow. No additional safeguards needed. |
| UK | US | UK-US Data Bridge (2023) | Operational. US entity must self-certify under Data Privacy Framework. |
| Switzerland | US | Swiss-US Data Privacy Framework | Operational. Same certification requirement. |
| UK | UAE | Standard Contractual Clauses (SCCs) | Required. No adequacy decision exists. |
| Switzerland | UAE | Standard Contractual Clauses (SCCs) | Required. |
| US | UAE | Standard Contractual Clauses (SCCs) | Required. UAE PDPL requires adequate safeguards determination. |
A single internal agreement governs all data flows between MAKR's four offices. Incorporates EU/UK SCCs as the baseline transfer mechanism, adds UAE PDPL-specific provisions, and defines handling standards meeting the highest applicable standard (UK GDPR). Signed by each GP. One agreement replaces six bilateral arrangements.
Cross-border processing consent is obtained from LPs and portfolio companies during onboarding -- not after the fact. Consent specifies which jurisdictions, for what purposes, under what safeguards. Consent is revocable within 30 days.
Template language for LP subscription documents: "By subscribing to the Fund, the Limited Partner consents to the processing of personal data across the Fund's operating jurisdictions (US, UK, Switzerland, UAE) for fund administration, regulatory compliance, and investor communications, governed by the Fund's AI Data Governance Constitution and applicable data protection laws."
Certain data categories do NOT leave specific jurisdictions:
All approved AI platforms must:
Consumer AI platforms are NOT approved for any fund data. Enterprise tiers with contractual terms may be approved following Governance Officer review.
Before any new data flow is established between offices, a Transfer Impact Assessment evaluates: what data categories are involved, the legal basis for transfer, whether the destination provides adequate protection, what supplementary measures are needed, and the risk if compromised. TIAs are maintained on file and reviewed annually.
| Jurisdiction | Authority | Notification Deadline |
|---|---|---|
| United Kingdom | ICO | 72 hours |
| UAE (DIFC) | Commissioner of Data Protection | 72 hours |
| UAE (ADGM) | ADGM Registration Authority | 72 hours |
| UAE (Federal) | UAE Data Office | Pending PDPL enforcement (Jan 2027) |
| Switzerland | FDPIC | As soon as possible |
| US (NJ) | NJ Division of Consumer Affairs | Without unreasonable delay |
| US (NY) | NY Attorney General | Expeditiously |
| Jersey (fund domicile) | JFSC | Without undue delay |
Practical rule: Report any breach to the AI Governance Officer immediately. The Governance Officer coordinates jurisdiction-specific notifications with legal counsel. Do not self-assess which regulators need notification.
Guiding Principles

UK GDPR is the most restrictive regime MAKR operates under. Meeting UK GDPR meets or exceeds requirements in all other jurisdictions.
Obtain cross-border processing consent during LP/portfolio company onboarding. Retroactive consent is legally fragile.
Only transfer what is necessary. Share the analysis (Support/Redacted tier), not the raw data behind it.
A breach in any jurisdiction triggers a centralized response coordinated by the Governance Officer.
Map where data goes, why, and under what legal basis. Required by UK GDPR Article 30 and best practice under all four regimes.
Jurisdiction-specific counsel reviews and validates implementation details including SCC versions, consent language, and notification procedures.
This framework imposes obligations on all fund personnel. In return, MAKR commits to providing the infrastructure, training, and support necessary for compliance. Compliance is a shared responsibility -- not a burden placed solely on individuals.
Training Program

All new fund personnel complete mandatory training before receiving access to any fund AI system. Training covers:
No fund personnel receives AI access without completing onboarding training. No exceptions, including GPs.
MAKR maintains and communicates:
If a tool is not on the approved list, it is not approved. Fund personnel do not need to guess.
When fund personnel are unsure about classification or handling:
When this framework is updated:
MAKR commits to investing in enterprise-grade AI infrastructure rather than relying on consumer platforms. This includes:
If the fund requires compliance but does not provide the tools to comply, the burden falls on the institution, not the individual.
Holding: Information input into consumer AI platforms does NOT receive attorney-client privilege protection.
Rule: "Sharing privileged information with consumer AI tools waives privilege over the underlying communications."
Implication: Once waived, subsequent disclosure to attorneys cannot cure the waiver.
Exception: Counsel-directed use on a secure enterprise platform with contractual confidentiality terms could yield a different result.
Fund Policy: All attorney-client communications are classified No Access. No exceptions. If you need AI assistance with legal analysis, request a sanitized summary from counsel -- do not input privileged communications directly.
Ready-to-use paragraph for offering documents:
"The Fund uses AI-assisted tools for operational efficiency, including research, communications, and portfolio monitoring. The General Partner maintains an AI Data Governance Constitution governing data classification and handling across five access tiers. LP personal data is classified as Restricted and is never shared with AI platforms. The Fund's AI governance framework is available for LP review upon request."