Technical safety report — Smart AI
Purpose
Section titled “Purpose”This document describes the functional architecture, security controls, protection mechanisms, traceability, and governance measures implemented on the Artificial Intelligence component Smart AI, integrated within PrevenControl’s SmartOSH platform.
The objective of this technical report is to provide detailed information about the AI system’s operation, its security controls, and its integration within the SmartOSH technological and organisational ecosystem, addressing requirements from enterprise clients, cybersecurity audits, and regulatory frameworks related to Artificial Intelligence, data protection, and information security.
Smart AI is part of the corporate scope of the SmartOSH Information Security Management System (ISMS), certified under ISO/IEC 27001 and the National Security Scheme (ENS) HIGH category, also incorporating principles and controls aligned with Artificial Intelligence governance frameworks and the progressive integration of controls based on ISO/IEC 42001.
The solution has been designed under principles of Security by Design, Privacy by Design, and effective human supervision, minimising the exposure surface of the AI component and avoiding autonomous operation models.
Purpose and functional scope
Section titled “Purpose and functional scope”Smart AI is an intelligent assistance system integrated within the SmartOSH platform whose purpose is to operationally assist authenticated users in tasks related to Occupational Health and Safety management, intelligent information exploitation, document support, assisted content generation, and contextual queries about existing information within the SmartOSH environment.
The system has been designed as an operational support and productivity component, always keeping the authenticated user as the ultimate responsible party for validation and use of the generated content.
The AI functionalities include:
- Contextual conversational assistance.
- Information retrieval.
- Assisted content generation.
- Assisted communication generation.
- Operational queries on authorised information.
- Intelligent exploitation of existing information within the SmartOSH environment.
Smart AI does not constitute an autonomous decision-making system and does not perform:
- Automated decisions with legal effects.
- Automated profiling of individuals.
- Disciplinary evaluations.
- Automated labour decisions.
- Medical diagnoses.
- Actions without human supervision.
The platform has been specifically designed to operate under a human-in-the-loop model, where all relevant actions remain under explicit user control and validation.
Technical architecture
Section titled “Technical architecture”The SmartOSH platform operates on European enterprise-grade high-availability infrastructure deployed across Equinix data centres located in Paris (France) and Dublin (Ireland), with continuous data replication, geographic redundancy, and advanced disaster recovery capabilities.
The infrastructure has been designed to guarantee:
- High availability.
- Operational resilience.
- Business continuity.
- Logical segmentation.
- Advanced information protection.
The architecture incorporates:
- Tier-1 network redundancy.
- Segmentation via VLANs and L2/L3 overlays.
- BGP redundancy.
- Multilayer perimeter protection.
- Encryption in transit.
- At-rest encryption.
- Advanced monitoring and auditing mechanisms.
The backend of the Smart AI component is logically separated from the main SmartOSH core, implementing functional isolation between the AI component and the main transactional systems.
The LLM models used operate on Microsoft Azure OpenAI infrastructure deployed exclusively in European regions, keeping the traffic associated with the AI component within the territorial scope of the European Union.
The platform uses SQL Server as the main data persistence technology.
Access to information from the AI component is never performed directly against databases. Smart AI uses an intermediated model through internal APIs controlled by the backend, where the tools (tools) can only access previously defined and authorised functions and data.
The AI model does not have:
- Shell access.
- Direct access to internal systems.
- Direct access to databases.
- Access to secrets or credentials.
- Capability to execute arbitrary code.

Technological inventory and dependencies
Section titled “Technological inventory and dependencies”The Smart AI solution relies on a controlled set of corporate technological components integrated within the SmartOSH architecture.
| Component | Technology |
|---|---|
| Main platform | SmartOSH |
| AI component | Smart AI |
| AI infrastructure | Microsoft Azure OpenAI |
| Database | SQL Server |
| Document RAG | OpenAI Files + Vector Spaces |
| Perimeter protection | Cloudflare WAF |
| SIEM | Wazuh |
| Monitoring | Grafana |
| Analytical logging | Azure Synapse |
| Analytical storage | Parquet |
| Main infrastructure | Equinix Paris |
| Backup infrastructure | Equinix Dublin |
The implemented RAG architecture uses document retrieval mechanisms based on OpenAI Files and Vector Spaces also deployed on European Azure infrastructure.
Currently, the RAG system contains exclusively internal documentation and manuals related to SmartOSH, with no indexing of documentation provided by end clients.
Access security and RBAC control
Section titled “Access security and RBAC control”SmartOSH implements a corporate authentication and authorisation model based on role-based access control (RBAC), federated authentication, and multi-tenant logical segregation.
The platform supports:
- Internal authentication.
- SSO integration via Azure Active Directory.
- Granular permission management.
- Lockout on failed attempts.
- Access auditing.
- Logical client segregation.
Each tenant has independent logical isolation, ensuring operational separation between clients.
The AI functionalities incorporate specific governance and authorisation controls, including:
- AI activation per user.
- AI activation per tenant.
- Role-based restrictions.
- Functionality limitation.
- Tool access limitation.
- Limitation of access to communication generation functionalities.
Client administrators can activate or deactivate AI functionalities according to operational needs and internal security policies.

Protection against AI-specific threats
Section titled “Protection against AI-specific threats”Smart AI has been designed following Defense in Depth principles and alignment with security best practices applicable to modern LLM systems.
The architecture incorporates specific controls aimed at mitigating threats inherent to generative Artificial Intelligence, including:
- Prompt injection.
- Indirect prompt injection.
- Jailbreak attempts.
- Unsafe content generation.
- Abuse of automated tools.
- Information exfiltration.
- Consumption of adversarial content.
The platform incorporates:
- Azure AI Content Safety.
- Prompt Shields.
- Anti-abuse protection.
- Event monitoring.
- Complete traceability.
- Perimeter protection via Cloudflare WAF.
Smart AI does not have free web browsing nor autonomous Internet access capabilities. This architectural decision has been deliberately adopted to reduce risks associated with:
- Information exfiltration.
- Malware.
- Indirect prompt injection.
- Malicious content.
- Consumption of adversarial pages.
- Expansion of the AI system’s attack surface.
The AI component cannot:
- Freely browse the Internet.
- Download external files.
- Execute Javascript.
- Consume arbitrary web content.
- Interact with uncontrolled external systems.
The SmartOSH infrastructure additionally incorporates:
- DDoS mitigation.
- OWASP protection.
- Malicious bot detection.
- IDS.
- Perimeter WAF.
- SIEM correlation of security events.

Logging, traceability and forensic auditing
Section titled “Logging, traceability and forensic auditing”All interactions related to Smart AI are subject to advanced traceability mechanisms and centralized logging.
The platform records:
- Complete prompts.
- Generated responses.
- Conversations.
- Function calls.
- Authorisation errors.
- Security events.
- Content Safety detections.
- Events related to abuse or jailbreak attempts.
Operation correlation is performed using conversation identifiers (ConversationID), allowing complete session reconstruction and subsequent forensic analysis.
Conversations and associated records remain stored for 30 days for purposes of:
- Support.
- Incident investigation.
- Auditing.
- Regulatory compliance.
- Forensic analysis.
The platform integrates ELK, certified by the CCN in the catalogue of ICT security products and services for security event correlation, anomaly detection, continuous supervision, and vulnerability monitoring.
Operational and analytical logs are centralised on Azure Synapse architecture and stored in Parquet format, enabling advanced capabilities for:
- Historical auditing.
- Prolonged retention.
- Incident analysis.
- Corporate monitoring.

Pseudonymisation
Section titled “Pseudonymisation”Smart AI incorporates mechanisms intended to minimise the exposure of personal data during information processing by LLM models.
Currently, the platform implements basic pseudonymisation mechanisms by dynamically substituting first and last names with initials before certain interactions with the AI model.
- Fields currently subject to pseudonymisation include first name and last names.
- The system does not currently use hashing, reversible tokens, or external mapping tables.
- The platform operates under principles of data minimisation, purpose limitation, traceability, logical segregation, and access control.
- The processing of personal data associated with the AI component is integrated within SmartOSH’s corporate GDPR and LOPDGDD compliance framework.
Outputs and communications
Section titled “Outputs and communications”Smart AI incorporates assisted generation functionalities for emails and communications within the SmartOSH environment.
Generated emails use SmartOSH’s own SMTP infrastructure and are subject to validation of allowed domains.
Communication generation functionalities maintain effective human supervision and require user confirmation before final sending.
All communication generated by AI is associated with user, conversation, prompt, timestamp, and associated operational context. This approach allows maintaining complete traceability and subsequent auditing capabilities.
Human supervision
Section titled “Human supervision”Smart AI operates under a continuous human supervision model.
The system has been designed as an operational support tool and not as an autonomous decision system.
Actions with operational or communicational impact remain under the control of the authenticated user, who retains final responsibility for:
- Validation.
- Review.
- Use.
- Sending of generated content.
The platform does not execute autonomous actions without human intervention and maintains confirmation mechanisms for sensitive operations.
Infrastructure security and resilience
Section titled “Infrastructure security and resilience”The SmartOSH infrastructure has been designed under criteria of high availability, operational resilience, and business continuity, operating on European data centres with redundancy and continuous information replication between production and backup environments. The architecture maintains data synchronization every 30 seconds between geographically separated data centres, significantly reducing the risk of information loss and guaranteeing advanced disaster recovery capabilities.
The information protection model combines continuous replication mechanisms, redundant storage, and multi-level backup policies, guaranteeing both operational availability and historical recovery capacity in the event of security incidents, logical corruption, or critical infrastructure events.
The corporate backup policy applied to SmartOSH is structured as follows:
| Backup type | Retention period |
|---|---|
| Daily backups | 30 days |
| Monthly backups | 6 months |
| Annual backups | 5 years |
All storage infrastructure operates on redundant and encrypted environments using AES at-rest algorithms, also incorporating geographic replication between independent European data centres. This approach allows maintaining high levels of availability and resilience even in the face of severe infrastructure incidents or partial service unavailability.

At the network and communications level, the platform implements a segmented and redundant architecture based on high-availability switches, logical segmentation via VLANs and L2/L3 overlays, as well as Tier-1 BGP redundancy to guarantee resilient connectivity and efficient traffic balancing. Perimeter security relies on multiple layers of protection including firewalls, WAF systems, DDoS mitigation, intrusion detection, and continuous monitoring of traffic and security events.
The Equinix data centres used by SmartOSH operate under international enterprise standards and have 24x7 operation, physical access controls via biometric authentication, complete electrical and climate redundancy, as well as advanced certifications related to information security, business continuity, critical infrastructure protection, and international regulatory compliance.

Monitoring and operational metrics
Section titled “Monitoring and operational metrics”The Smart AI platform incorporates operational monitoring, security supervision, and technical traceability capabilities over the various components forming part of the Artificial Intelligence ecosystem integrated in SmartOSH. These capabilities allow continuous control over the system’s operational behaviour, anomaly detection, security event analysis, and tracking of AI resource consumption and utilisation.
Monitoring is performed by combining operational observability tools and security event correlation, integrated within the SmartOSH corporate environment. Platforms such as Grafana are used for technical monitoring and operational visualisation, and Wazuh as a SIEM platform for security event analysis, correlation, and continuous supervision of the infrastructure and services associated with the AI component.
Currently, Smart AI maintains active supervision over different relevant operational metrics and events:
| Monitored area | Description |
|---|---|
| Token consumption | Tracking the volume of LLM model usage and associated operational consumption. |
| AI operational cost | Control of economic consumption derived from the use of Azure OpenAI services. |
| Operational errors | Detection of execution errors, processing failures, and technical exceptions. |
| Filtering events | Monitoring of activations related to Content Safety and protection mechanisms. |
| Abuse events | Identification of anomalous behaviours or attempts of improper system use. |
| Tools usage | Traceability and tracking of invocation of internal tools and authorised APIs. |
| AI conversations | Recording and correlation of sessions via ConversationID. |
| Security events | SIEM correlation of activity related to access, anomalies, and relevant events. |
The implemented observability architecture provides technical auditing capabilities, forensic investigation, and historical analysis of operations associated with the AI component, also facilitating the integration of controls aligned with compliance requirements, ENS, ISO 27001, and corporate Artificial Intelligence governance.
The organisation additionally maintains a continuous process of evolution and improvement of observability capabilities, operational security, and advanced monitoring of the Smart AI component, progressively incorporating new metrics, supervision automatisms, and early detection capabilities for anomalies and operational risks.
Compliance and governance
Section titled “Compliance and governance”The Smart AI component is integrated within SmartOSH’s corporate governance, security, and regulatory compliance framework, forming part of the scope of the Information Security Management System (ISMS) certified under ISO/IEC 27001 and the National Security Scheme (ENS) HIGH category.
The platform has been designed and deployed following principles of security, traceability, human supervision, and risk minimisation aligned with current applicable requirements for Artificial Intelligence systems in enterprise environments and European regulatory frameworks.
The implemented governance model combines technical, organisational, and operational controls intended to guarantee controlled, supervised, and proportional use of the AI functionalities integrated in SmartOSH. This approach allows keeping the Smart AI component aligned with principles of:
- Information security.
- Privacy and data protection.
- Effective human supervision.
- Transparency.
- Traceability.
- Continuous management of technological risks.
Currently, the compliance framework considered includes, among others:
| Regulatory framework or standard | Applicability |
|---|---|
| General Data Protection Regulation (GDPR) | Processing of personal data. |
| LOPDGDD | Data protection and digital rights. |
| Regulation (EU) 2024/1689 — AI Act | Governance and use of AI systems. |
| National Security Scheme (ENS) | Information security. |
| ISO/IEC 27001 | Information Security Management System. |
| NIS2 Directive | Resilience and cybersecurity. |
| ISO/IEC 42001 | Governance of Artificial Intelligence systems. |
Smart AI is classified under a limited risk (limited risk) model according to the current AI Act approach, given that:
- It does not perform automated decisions with legal effects.
- It does not execute autonomous actions.
- It does not perform automated profiling.
- It maintains continuous human supervision over generated actions and content.
The organisation additionally maintains a continuous process of evolution and maturation of the AI governance model, progressively integrating additional controls related to:
- AI risk management.
- Advanced traceability.
- Usage monitoring.
- Periodic control review.
- Organisational supervision.
- Continuous improvement of the Smart AI component.
The AI component is subject to corporate processes of:
- Change management.
- Auditing.
- ISMS review.
- Risk analysis.
- Document control.
- Continuous improvement.
Thus, its integration within SmartOSH’s global corporate security and compliance model is guaranteed.