Policies
fewer policies, all of them enforced
Our policy posture is deliberately thin: we would rather have five policies that are mechanically enforced than fifty that are aspirationally written. Every policy at Mynd Labs has an owner, an enforcement mechanism, and a review date — a policy without all three is a blog post wearing a tie. The acceptable-use policy is enforced by rate limits and capability ceilings, the data policy by the trust kernel, the disclosure policy by a tracked inbox with response-time commitments. We also say plainly what we do not yet have: no AI ethics board, no external advisory council, no certification theater. Those may come when the company is large enough for them to be real. Until then, the policies are short, the enforcement is code, and both are public.
[ what we actually run ]
Owner, mechanism, review date — or it isn't a policy
Every policy document names the person accountable, the technical mechanism that enforces it, and the date it will next be reviewed. Documents that cannot satisfy all three are published as intentions, labelled as such, and kept out of the policy register.
Acceptable use enforced at the capability layer
Prohibited uses — harassment automation, surveillance of third parties, bulk unsolicited outreach — are blocked where possible by capability ceilings and rate limits, not just prohibited in prose. Where enforcement is not yet technical, the policy says so explicitly.
Policy changes are versioned and announced
Policies live in version control. Material changes ship with a diff, a dated changelog entry, and notice to affected users before they take effect — the same discipline we apply to API changes.
Annual adversarial review
Once a year each policy is reviewed by someone whose job is to argue it is being violated or has gone stale. Findings are handled like bug reports: tracked, fixed, or explicitly accepted as risk with a written rationale.
[ open questions — honestly ]
- Technical enforcement only reaches the uses we can detect. A customer using legitimately granted capabilities for an illegitimate purpose — surveillance disguised as productivity — is largely invisible to us at the capability layer, and we have no honest detection story for it yet.
- When we are large enough to need formal governance — an ethics board, external review — how do we adopt it without it becoming the theater we currently criticize? We have not seen a company do this well at the transition point, and we may not either.