Required reading for every Tiger Tracks team member and contractor. Three rules cover almost everything.
Rule 1
Platform Tier is Everything
Privacy is a platform setting, not a prompt. Use only approved Enterprise/Team accounts. Free or personal tiers are strictly prohibited for company work.
Rule 2
Redline-Only Protocol
Keep real client data in your prompts; that's what makes AI useful. Only redact the specific high-risk items: credentials, account IDs, SSNs, bank info.
Rule 3
The Junior Engineer Principle
Treat AI agents like a junior contractor. Least privilege, human approval on all outbound actions, IT sign-off before connecting to any system.
Most Important Rule
Approved vs. Prohibited Platforms
What protects client data is the platform tier you use: the contractual (DPA) and technical (data isolation, no training) commitments attached to an Enterprise/Team account. Writing "keep this confidential" in a prompt does nothing; the model cannot enforce it.
✅ Use These
Claude Team or Enterprise
Anthropic: DPA-backed
ChatGPT Team
OpenAI: data siloed
Gemini for Google Workspace
Google: enterprise tier only
❌ Never for Work
Personal ChatGPT (Free / Plus)
May train public models on your data
Personal Claude (Free / Pro consumer)
No DPA, no data isolation
Any other free/personal AI tool
Perplexity, Copilot personal, etc.
What's On This Site
Site Overview
Everything you need, across three tabs. Here's what lives where.
Policy Tab
1. Approved Platforms
Enterprise tiers vs. prohibited accounts. Why platform tier is the security control that matters and what DPAs guarantee.
2. Daily Scenarios
Quick-reference table: 13 real AM scenarios rated Safe (✅), Caution (⚠️), or Hard Stop, with one-line action rules.
3. Agent Security
The Junior Engineer Principle. Least privilege, outbound approval, no direct client messaging, IT sign-off required.
4. Meeting Recordings
Rules for AI transcription on client calls: approved tools only, mandatory disclosure, sensitive topic exclusions.
5. Redline Protocol
The core of the policy. Six data categories: what you can include vs. must redact for client data, contracts, credentials, financials, PII, and strategy.
6. Output Review
AI output is always a draft. Verify accuracy, check for bias and IP issues, and be transparent about AI-generated deliverables.
7. Incident Response
If you accidentally share a credential or sensitive data: STOP → DELETE → ROTATE → REPORT (within 2 hours). Non-punitive policy.
8. Talking Points
Ready-to-use scripts for when clients, network contacts, or candidates ask how Tiger Tracks uses AI.
9. Clean Slate
Onboarding workflow: audit your personal accounts, delete flagged content, and confirm you're ready for enterprise access.
10. Roles & Responsibilities
Who owns what: all employees, Sr. Director of Client Success, IT/Security, Legal, and what each role is responsible for.
AM Prompting Guide
Account Manager-specific guidance: exact budget authorization, pre-flight checklist, and safe vs. unsafe prompt examples for sensitive accounts.
IT Portal Tab
Enterprise AI Account Request
Request your IT-provisioned Claude, ChatGPT, or Gemini Workspace credentials. Requires completed Sanitization Form first.
AI Agent Approval
4-step process to connect an AI agent to company systems: Request → Review → Provisioning → Connection using a Service Account.
Service Account Rules
Agents must use IT-provisioned Service Accounts, never personal admin logins. Least privilege, named accounts, quarterly review.
New to Tiger Tracks?
Where to Start
If you just joined or need to get enterprise AI access, follow this sequence.
1
Read the 3 Core Rules above
Platform tier, Redline-Only Protocol, Junior Engineer Principle. These cover 95% of daily decisions.
2
Read the Daily Scenarios Cheat Sheet
Bookmark it. It answers "can I put this in ChatGPT?" for the 13 most common situations.
3
Clean Slate: Audit & Sanitize Your Personal Accounts
Before getting enterprise access, audit every personal AI account you've used for work. Run this prompt in each one, then complete the 4 steps below.
"Please review our entire conversation history and flag any messages that contain: (1) passwords or API keys, (2) bank account or routing numbers, (3) full names combined with contact details, (4) client contract values or unreleased campaign data."
① History Audit: Run the prompt above in every personal AI account
② Data Deletion: Delete any threads with credentials, bank info, or unredacted client data
③ Secret Rotation: If you ever pasted a live password or API key, change it in the actual platform now
④ Memory Scrub: Use each platform's memory management to clear sensitive commercial or P&L details
4
Request Your Enterprise AI Accounts
Once your Sanitization Form is submitted, request Claude, ChatGPT, and/or Gemini Workspace access via the IT Portal.
✅ You're ready
Use AI freely and confidently. The help desk bot (bottom-right) is always available if you have a question mid-prompt.
Internal Policy Reference
AI Usage & Security Policy
We're AI-forward. Use it with real client data, safely. Three rules cover almost everything.
Rule 1
Platform Tier is Everything
Privacy is a platform setting, not a prompt. You MUST use our approved Enterprise/Team tiers. Free or consumer "Pro" accounts are strictly prohibited for company work.
Rule 2
Redline-Only Protocol
Keep real data intact: client names, ROAS, contract terms. Only redact the specific high-risk elements: credentials, account IDs, signatures, SSNs, and bank info.
Rule 3
The Junior Engineer Principle
Treat AI agents like a junior contractor. Grant least privilege, require human approval for outbound actions, and get IT approval before connecting agents to any system.
Section 1
Approved Platforms
The platform tier is the security control that protects client data: the DPA, data isolation and no-training commitments come with the account, not with the prompt. Writing "keep this confidential" in a prompt does nothing; the model cannot enforce it.
Hard Stop: Use of personal accounts, free tiers, or consumer "Pro" plans for ANY company work is strictly prohibited. This includes your personal ChatGPT, Claude, or Gemini accounts.
✅ Approved
Claude Team or Enterprise
Anthropic: DPA-backed, data siloed
ChatGPT Team
OpenAI: no training on your data
Gemini for Google Workspace
Google: enterprise data protection
❌ Prohibited
Personal ChatGPT (Free / Plus)
May train public models on your input
Personal Claude (Free / Pro consumer)
No DPA, no data isolation guarantee
Any other free AI tool
Perplexity, Copilot personal, etc.
Section 2
Daily Scenarios β Quick Reference
From completely safe to absolute hard stops. All assume you're using an approved enterprise platform.
Scenario · Status · Key Rule
✅ Safe · Drafting ad copy variations using real client name and brand guidelines · Key rule: Enterprise tier + no credentials
✅ Safe · Uploading a performance CSV to analyze ROAS trends · Key rule: Black out login emails / account IDs first
Summarizing a client NDA or contract for key terms
Section 3
Redline-Only Protocol
Client Data
❌ Must Redact
Login emails, Account IDs, browser cookies, session tokens visible in screenshots or CSVs
→ Action
Black out credentials before uploading any CSV or screenshot
"Analyze Nike's Q4 ROAS of 4.5x on $50K spend and recommend optimizations."
Contracts & Legal Documents
✅ Allowed
Contractual terms, scope of work, entity names, payment terms
❌ Must Redact
Signature pages, home addresses, bank/wire routing info, SSNs, tax IDs
→ Action
Strip first and last pages if they contain PII or sensitive metadata
"Summarize the NDA for Red Bull focusing on non-compete and termination clauses."
Credentials & API Keys
✅ Allowed
Placeholder text only, e.g., REDACTED_API_KEY
❌ ABSOLUTE HARD STOP
No live passwords, API keys, tokens, login URLs, or auth material, ever, on any platform
→ Action
Replace with placeholders so AI can help with logic without seeing the actual secret. If a real secret has already been pasted, treat it as leaked and follow the Incident Response protocol (Section 7): rotate it, then report it.
auth_token = "REDACTED", then ask AI to debug the auth flow
Client Financials & Budgets
✅ Allowed
Budget strategy discussions, media spend modeling, forecasting methodology, client-approved summaries
❌ Must Redact
Exact contract values tied to individuals, unreleased pricing models, any financial data not approved for external use
→ Action
Use rounded figures or ranges when exact amounts aren't necessary
"Our client has a $50K monthly budget. Help me model a channel mix for 20% ROAS growth."
PII (Personal Info)
✅ Allowed
Real names alone in a business context on enterprise tiers (e.g., referencing a contact by name)
❌ Must Redact / HARD STOP
Name + phone/email/address combinations. Absolute stop: SSNs, bank accounts, tax IDs
→ Action
Remove any name + contact detail combination before inputting
"Summarize notes from my meeting with Sarah Smith."
Client Strategic Info
✅ Allowed
Abstracted strategic scenarios, general competitive landscape discussions
❌ Must Redact
Unreleased campaign strategies, confidential product launch plans, NDA-covered info not approved for external processing
→ Action
Abstract the scenario without identifying the specific client if info is highly sensitive
"Help me build a Q3 growth strategy for a DTC brand in the wellness space."
Section 4
Agent & Framework Security
Treat an AI agent exactly like granting a junior contractor automated access to your systems.
⚠️ Written IT/Security approval required before any AI agent is connected to company systems, ad platforms, Slack, or email.
Least Privilege
Only grant the minimum permissions necessary for the agent to complete its specific task. No broad access.
Human Approval on Outbound
Require human review and approval for all outbound actions: sending emails, posting to Slack, deploying code, adjusting live ad campaigns.
No Direct Client Messaging
Agents must never communicate directly with clients without explicit human review. Zero exceptions.
IT Approval Required
Written approval from IT/Security is required before connecting any agent to company systems, APIs, or external platforms.
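The rules in this section can all be enforced at one place: the point where an agent's tool calls are dispatched. The following is an added example, not code from the Tiger Tracks site or from any particular agent framework. It applies a per-agent allowlist (least privilege), refuses any outbound tool that a human has not approved, and logs every attempt, allowed or denied. The tool names, the agent name "pacing-bot" and the scripted reviewer are constructed for illustration.

```python
"""Tool-call gate enforcing the Junior Engineer Principle on an AI agent.

Added example, not from the Tiger Tracks policy site. Tool names, the agent
name and the scripted reviewer below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Callable

# Tools whose effects leave the company boundary or change live state.
# Policy: every one of these needs a human's approval before it runs.
OUTBOUND_TOOLS = frozenset({"send_email", "post_slack", "deploy_code", "adjust_campaign"})


class PolicyDenied(Exception):
    """Raised when the gate blocks a call; the agent gets the reason, not the effect."""


@dataclass
class AgentToolGate:
    agent_name: str
    allowed_tools: frozenset[str]                    # least privilege: per-agent allowlist
    approve: Callable[[str, dict[str, Any]], bool]   # human approval hook (ticket, Slack button, ...)
    audit_log: list[dict[str, Any]] = field(default_factory=list)

    def call(self, tool: str, args: dict[str, Any], impl: Callable[..., Any]) -> Any:
        """Run impl(**args) only if policy allows; every attempt is logged, allowed or not."""
        entry: dict[str, Any] = {"agent": self.agent_name, "tool": tool, "args": args}
        self.audit_log.append(entry)
        if tool not in self.allowed_tools:
            entry["decision"] = "denied:out_of_scope"
            raise PolicyDenied(f"{tool} is not in {self.agent_name}'s allowlist")
        # Outbound actions never run on the model's say-so alone. The approver sees
        # the exact tool and arguments, so the thing reviewed is the thing executed.
        if tool in OUTBOUND_TOOLS and not self.approve(tool, args):
            entry["decision"] = "denied:no_human_approval"
            raise PolicyDenied(f"{tool} is outbound and was not approved by a human")
        entry["decision"] = "allowed"
        return impl(**args)


# Constructed stand-ins for the real integrations an agent would call.
def read_roas_report(client: str) -> str:
    return f"{client}: ROAS 4.5x on $50K spend"


def post_slack(channel: str, text: str) -> str:
    return f"posted to {channel}: {text}"


def adjust_campaign(campaign_id: str, budget: float) -> str:
    return f"{campaign_id} budget set to {budget}"


def run_demo() -> list[str]:
    """Exercise the gate with four constructed calls; returns the logged decisions in order."""

    def human_reviewer(tool: str, args: dict[str, Any]) -> bool:
        # Scripted reviewer: signs off on the Slack post, refuses the live budget change.
        return tool == "post_slack"

    gate = AgentToolGate(
        agent_name="pacing-bot",
        allowed_tools=frozenset({"read_roas_report", "post_slack", "adjust_campaign"}),
        approve=human_reviewer,
    )
    attempts = [
        ("read_roas_report", {"client": "Nike"}, read_roas_report),                      # read-only: runs
        ("send_email", {"to": "client@example.com", "body": "hi"}, lambda **kw: "sent"),  # not in allowlist
        ("adjust_campaign", {"campaign_id": "cmp-1", "budget": 50000.0}, adjust_campaign),  # outbound, refused
        ("post_slack", {"channel": "#pacing", "text": "Nike ROAS 4.5x"}, post_slack),      # outbound, approved
    ]
    for tool, args, impl in attempts:
        try:
            gate.call(tool, args, impl)
        except PolicyDenied:
            pass  # the agent is told no; nothing was executed
    return [entry["decision"] for entry in gate.audit_log]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The approval hook must be a real human in the loop (a ticket, a Slack approve button, a reviewer CLI), never another model call; and the allowlist is what the IT-provisioned Service Account should mirror, so the gate and the account permissions deny the same things.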
Section 5
Meeting Recordings & AI Transcription
AI transcription tools capture everything said β including sensitive client data. Follow these rules on all client-facing calls.
✅ Approved Tools Only: Only use IT-approved, enterprise-tier transcription tools. Free consumer accounts (e.g., personal Otter.ai) are strictly prohibited for company meetings.
✅ Mandatory Disclosure: Always inform all participants that the meeting is being recorded and transcribed by AI before starting. If a client asks you to turn it off, comply immediately.
✅ Sensitive Topics: Do not use AI transcription for meetings involving contract negotiations, unreleased campaign results, legal disputes, or any meeting where the client has requested confidentiality.
✅ Accidental Disclosure: If a participant accidentally shares credentials or sensitive PII verbally during a recorded meeting, delete that portion of the transcript (and of the recording, if the tool keeps one) afterward. A spoken credential is still a leaked credential: rotate it and report it under the Incident Response protocol in Section 7.
Section 6
Output Review Standards
AI output is always a draft. The human who submits, publishes, or acts on it is fully accountable for the final result.
Accuracy
Verify all facts, figures, and calculations. AI hallucinations happen, especially with numbers and statistics.
Bias
Review for unintended bias in tone or recommendations before sending to clients or leadership.
IP
Ensure output does not inadvertently plagiarize or infringe on third-party intellectual property.
Attribution
If a significant portion of a deliverable is AI-generated, be transparent about it internally.
Section 7
Incident Response
If sensitive data is accidentally entered into an AI tool or an agent executes an unauthorized action, follow this protocol immediately.
1
STOP
Close the browser tab or app immediately. Do not enter any further prompts or attempt to "ask the AI to forget it." That does nothing.
2
DELETE
If the platform allows, delete the specific chat history or prompt containing the sensitive data as quickly as possible. Deletion limits further exposure; it is not remediation. Treat any credential that was entered as compromised whether or not the deletion succeeded.
3
ROTATE
If a password, API key, or token was leaked, log into the affected platform immediately and change the password or revoke the key. Rotate it everywhere the same credential was reused.
4
REPORT
Notify IT/Security via Slack within 2 hours. Include: what was leaked, which tool was used, and what steps you've already taken.
Non-Punitive Reporting Policy: Honest mistakes reported promptly are treated as learning opportunities, not disciplinary issues. Hiding a mistake or failing to report it is a policy violation.
Section 8
Answering External Questions
Use these talking points when clients, contacts, or candidates ask about our AI usage. Be confident and transparent.
Client: "Are you putting our data into ChatGPT?"
"We are an AI-forward agency and we do use AI to process data and generate insights faster. However, we never use public or consumer tiers. We use enterprise-tier AI platforms (like ChatGPT Team/Enterprise) backed by strict Data Processing Agreements. Under those agreements your data is siloed and is not used to train public models. We also use a 'Redline-Only Protocol' internally: we strip out sensitive credentials and PII before any data touches an AI system."
Network contact: "How is Tiger Tracks using AI?"
"We use it across the board: from generating ad copy variations and expanding keyword lists, to summarizing contracts and analyzing performance trends. It doesn't replace our team; it gives them a massive head start so they can focus on strategy rather than manual execution."
Potential hire: "Will I be expected to use AI?"
"Absolutely. We expect everyone here to use AI to multiply their output. If you're hired, we'll provision you with enterprise AI accounts and train you on our Redline-Only Protocol, so you know exactly how to use real data safely without slowing down."
Section 9
Clean Slate Transition
Before being granted access to Tiger Tracks enterprise AI accounts, every team member must complete this one-time audit of their personal accounts.
Privacy Auditor Prompt
Run this in each of your personal AI accounts before closing them. A fresh chat may not be able to see your other threads, so run it inside each conversation that could contain work data, or scroll the conversation list yourself; treat the model's answer as a starting point, not as a complete audit.
Please review our entire conversation history and flag any messages that contain: (1) passwords or API keys, (2) bank account or routing numbers, (3) full names combined with contact details, (4) client contract values or unreleased campaign data. List each instance with a short description.
Clean Slate Checklist
✅ Run the Privacy Auditor Prompt in all personal AI accounts (ChatGPT, Claude, Gemini, etc.)
✅ Delete or sanitize any flagged conversations containing client data, credentials, or PII
✅ Confirm you will no longer use personal AI accounts for any company work going forward
✅ Received and set up IT-provisioned enterprise AI account(s)
✅ Read and understand the Redline-Only Protocol for the six data categories
✅ Completed AI usage training with Team Lead
Section 10
Roles & Responsibilities
Who owns what in our AI security framework.
Role · Responsibilities
All Tiger Tracks Employees: Follow the Redline-Only Protocol · Use only approved enterprise platforms · Review all AI outputs before sharing with clients · Report incidents promptly
Sr. Director of Client Success: Ensure team is trained on this policy · Model appropriate AI usage · Escalate any client contract concerns before using AI on restricted accounts
Review client MSAs and vendor DPAs to confirm AI processing is permitted
MSA Check: Ensure our Master Services Agreements permit the use of third-party AI processors. If a client's contract restricts this, escalate to your manager before using AI on that account.
Addendum · AM Guide
Account Manager Prompting Guide
High-precision guidance for using exact financial figures and sanitizing sensitive account strategy.
✅ Explicit Permission (Exact Budgets): Account Managers are authorized to use exact budget figures (e.g., "$42,381.17") for pacing, forecasting, and ROAS modeling, provided the prompt is executed within an approved Enterprise/Team tier.
The AM Pre-Flight Checklist
Before hitting "Send" on any prompt containing client data, run this 5-second mental check:
1
Tier Check: Is the "Team" or "Workspace" badge visible in the AI tool UI? If not, stop β you're on the wrong account.
2
ID Scrub: Are there any Account IDs, Pixel IDs, or Manager Emails in the text/CSV? If yes, black them out before sending.
3
Strategy Scrub: Are there any unreleased pitch details, new product names, or M&A info? If yes, abstract it (see examples below).
Tip: If you answer Yes / No / No, you're clear to proceed with exact budgets and real client names.
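The ID Scrub step above, and the Redline-Only Protocol's Client Data, Credentials & API Keys and PII categories, describe the same mechanical task: find the high-risk tokens in a text or CSV and replace them with placeholders while leaving client names, spend and ROAS alone. The script below is an added example, not code from the Tiger Tracks site. It masks whole columns whose header names them as IDs, emails or credentials, then scans every remaining cell for secrets, bearer tokens, session cookies, emails, SSNs, account/pixel IDs and routing numbers. The ID formats (Google Ads style 123-456-7890, 15-16 digit pixel IDs), the column names and the sample CSV are assumptions constructed for the example.

```python
"""Pre-flight scrubber for the Redline-Only Protocol.

Added example, not code from the Tiger Tracks policy site. It redacts only
the high-risk items (credentials, account/pixel IDs, login emails, SSNs,
routing numbers) and deliberately leaves client names, spend and ROAS
intact. The ID formats, column names and sample CSV are assumptions.
"""
import csv
import io
import re

# (label, pattern), applied in order. key=value secrets go first so the
# value is masked before a looser pattern sees it.
REDLINE_PATTERNS = [
    ("SECRET", re.compile(r"(?i)\b([\w-]*(?:api[_-]?key|secret|token|password|passwd))"
                          r"\s*[:=]\s*[\"']?([^\s\"',;]+)")),
    ("BEARER_TOKEN", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}")),
    ("API_KEY", re.compile(r"\b(?:sk|pk|AKIA)[A-Za-z0-9_-]{16,}\b")),
    ("COOKIE", re.compile(r"(?i)\b(session[_-]?id|sid|csrftoken|cookie)\s*[:=]\s*\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("ACCOUNT_ID", re.compile(r"\b\d{3}-\d{3}-\d{4}\b")),  # Google Ads style 123-456-7890 (assumed)
    ("PIXEL_ID", re.compile(r"\b\d{15,16}\b")),            # Meta pixel / ad account IDs (assumed)
    ("ROUTING_NUMBER", re.compile(r"\b\d{9}\b")),          # US ABA routing numbers are 9 digits
]
# Whole columns that are high-risk by name, whatever the cells hold.
SENSITIVE_HEADER = re.compile(
    r"(?i)(account[_ ]?id|customer[_ ]?id|pixel[_ ]?id|login|e-?mail|password|token|routing)")


def redact_text(text: str) -> tuple[str, list[str]]:
    """Return (redacted text, labels found). Names and dollar figures pass through untouched."""
    findings: list[str] = []

    def mask(label: str):
        def _sub(m: re.Match) -> str:
            findings.append(label)
            if label in ("SECRET", "COOKIE"):  # keep the key name, drop only the value
                return f"{m.group(1)}=REDACTED_{label}"
            return f"REDACTED_{label}"
        return _sub

    for label, pattern in REDLINE_PATTERNS:
        text = pattern.sub(mask(label), text)
    return text, findings


def scrub_csv(csv_text: str) -> tuple[str, list[str]]:
    """Scrub a performance export before upload: mask high-risk columns, then scan every cell."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, body = rows[0], rows[1:]
    sensitive_cols = {i for i, name in enumerate(header) if SENSITIVE_HEADER.search(name)}
    findings: list[str] = []
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    for row in body:
        clean = []
        for i, cell in enumerate(row):
            if i in sensitive_cols:
                findings.append(f"COLUMN:{header[i]}")
                clean.append("REDACTED")
            else:
                cell, found = redact_text(cell)
                findings.extend(found)
                clean.append(cell)
        writer.writerow(clean)
    return out.getvalue(), findings


# Constructed sample: a pacing export with the kind of debris that ends up in
# notes columns. Every identifier and secret here is made up.
SAMPLE_CSV = """client,account_id,manager_email,spend_usd,roas,notes
Nike,123-456-7890,j.doe@tigertracks.ai,50000.00,4.5,"Q4 pacing on track; api_key=sk_live_EXAMPLE0000000000000000"
Red Bull,987-654-3210,a.lee@tigertracks.ai,42381.17,3.9,"Wire routing 123456789 on file; SSN 123-45-6789"
"""

if __name__ == "__main__":
    clean, findings = scrub_csv(SAMPLE_CSV)
    print(clean)
    print("redacted:", sorted(set(findings)))
```

The patterns err toward masking: a nine-digit spend figure would be flagged as a routing number, so read the findings list before uploading rather than trusting it blindly. The scrubber is a safety net for the pre-flight check, not a substitute for it, and it does nothing about the Strategy Scrub step, which needs a human to abstract the scenario.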
Sanitized Strategy Examples
For sensitive accounts, abstract unreleased details to avoid exposing pitch concepts.
Client: Hims
❌ Unsafe Prompt: Draft a media plan for Hims' upcoming unannounced weight-loss chewable product launching in Q3.
✅ Safe Sanitized Prompt: Draft a media plan for a DTC men's health brand launching a new consumable product in Q3.
Client: Aura Health
❌ Unsafe Prompt: Aura Health is pivoting their messaging away from mindfulness to focus entirely on clinical sleep disorders next month. Give me 5 ad angles.
✅ Safe Sanitized Prompt: A mental wellness app is shifting its positioning from general mindfulness to clinical sleep solutions. Give me 5 ad angles.
Onboarding Requirement
AI Sanitization Completion Form
This form must be completed and submitted before you will be granted access to Tiger Tracks Enterprise AI tiers. Complete each step honestly β this protects you, your clients, and the company.
IT Administration
IT Portal
Request enterprise AI accounts, get agents approved, and track your access. All requests go to IT/Security for review.
Enterprise AI Account
Request your IT-provisioned Claude, ChatGPT, or Gemini Workspace access. Requires completed Sanitization Form.
AI Agent Approval
Connect an AI agent to company systems. Requires IT review of DPA and a dedicated Service Account.
IT / Security Contact
Report an incident, ask a policy question, or escalate a concern about AI use on a client account.
Agents must use a dedicated Service Account, never a personal admin login. Read-only, least privilege, IT-provisioned.
AI Agent Approval Workflow
All AI agents that access company systems must go through this 4-step process before connection.
1
Request
Submit the Agent Request Form below. Include the tool name, what system it needs access to, and why.
2
Review
IT reviews the tool's Data Processing Agreement and permissions scope. Typical review time: 2 business days.
3
Provisioning
IT provisions a dedicated Service Account with restricted permissions: read-only to a specific resource, never full admin.
4
Connection
You connect the agent using the Service Account credentials only. Personal admin accounts must never be used.
Service Account Requirements
Hard Stop: Agents must never be connected using a personal Admin account. Always use an IT-provisioned Service Account.
Least Privilege
Service accounts get the minimum access needed, e.g., read-only to one Google Drive folder, not full domain admin.
Named Accounts
Each agent gets its own Service Account. Shared credentials between agents or team members are prohibited.
IT Provisioned
Only IT can create Service Accounts. Do not create your own or use existing admin logins.
Quarterly Review
IT reviews all active agent connections quarterly. Unused or unauthorized connections are revoked.
Enterprise AI Account Request
AI Agent Request Form