If your firm's IT or compliance function needs documentation before unlocking BASILISK on the work network, this DPIA covers it.
Island AI Ltd operates BASILISK. The research preview processes queries against a public legislation corpus. No client PII is collected or stored. Session metadata (query count, jurisdiction, response type) is retained for rate limiting and product improvement.
Query text is transmitted to Island AI's research pipeline for retrieval and synthesis. Query text is logged in an audit table for 90 days for debugging and abuse prevention. Citations and responses are stored per session. No client names, account numbers, or other PII should be entered.
Legitimate interest: enabling compliance professionals to research public legislation. Consent: explicit opt-in via access code acceptance. Contract: where a firm has a pilot agreement with Island AI.
Session content: retained until user deletion. Query logs: 90 days. Telemetry (anonymised): indefinite. Access code records: until code revocation.
TLS 1.3 in transit. AES-256 at rest. JWT sessions with httpOnly cookies. Row-level security in Supabase. Service-role access only for backend operations.
BASILISK Desktop (Q3 2026) runs entirely on the user's machine. Client names are replaced with anonymous tokens before any query reaches external APIs. The AI sees [ENTITY_001], never the real name. This online preview does not implement ZTHI; it is research-only, against a public corpus.
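An illustration of local name tokenisation of the kind described above, added here as an example; it is not Island AI's code. Only the [ENTITY_001] token format comes from this document; the class name, the known-client list and the sample query are assumptions constructed for the example.

```python
import re

# Token format taken from the document; everything else here is hypothetical.
TOKEN_RE = re.compile(r"\[ENTITY_\d{3,}\]")


class EntityTokenizer:
    """Swaps known client names for stable tokens; the mapping stays in local memory."""

    def __init__(self, client_names):
        unique = {n.casefold(): n.strip() for n in client_names if n.strip()}
        if not unique:
            raise ValueError("at least one client name is required")
        # Longest names first so "Acme Holdings Ltd" is matched before "Acme".
        self._names = sorted(unique.values(), key=len, reverse=True)
        self._tokens = [f"[ENTITY_{i:03d}]" for i in range(1, len(self._names) + 1)]
        # One capture group per name: the group that matched selects the token.
        groups = "|".join(f"({re.escape(n)})" for n in self._names)
        self._pattern = re.compile(rf"(?<!\w)(?:{groups})(?!\w)", re.IGNORECASE)

    def tokenize(self, text):
        """Return text that is safe to send out: listed names become tokens."""
        # Reject input that already carries a token, so a user cannot make
        # restore() splice a different client's name into the answer.
        if TOKEN_RE.search(text):
            raise ValueError("input already contains an entity token")
        return self._pattern.sub(lambda m: self._tokens[m.lastindex - 1], text)

    def restore(self, text):
        """Map tokens in a response back to names, locally; unknown tokens are left alone."""
        lookup = dict(zip(self._tokens, self._names))
        return TOKEN_RE.sub(lambda m: lookup.get(m.group(0), m.group(0)), text)


if __name__ == "__main__":
    tok = EntityTokenizer(["Acme", "Acme Holdings Ltd", "Northwind Trust"])  # constructed
    outbound = tok.tokenize("Does acme holdings ltd need a licence if Northwind Trust is settlor?")
    print(outbound)               # what an external API would receive
    print(tok.restore(outbound))  # what the user sees after local restoration
```

Matching against a list only protects names that are on the list and spelled as listed; a misspelt or unlisted client name passes through unchanged, which is why the instruction not to enter PII still matters.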
Users may delete their sessions at any time. Access code holders may request export or deletion of their data by emailing dpo@islandai.im.
Data Protection Officer: dpo@islandai.im