DataVibe Policy Rule Corpus
Every governance rule DataVibe enforces is documented here with its exact legal basis, enforcement agency, penalty range, and plain-English rationale. These rules can be cited in regulatory proceedings.
Last full legal review: 2026-06-02
Privacy & PII (7 rules)
hipaa_phi_identifier · BLOCK · Reviewed 2026-06-02 · Transmission of Protected Health Information (PHI) without patient authorization violates HIPAA Privacy Rule. All 18 Safe Harbor identifiers are enumerated in 45 C.F.R. § 164.514(b)(2). AI systems produce PHI when processing healthcare records.
gdpr_no_lawful_basis · WARN · Reviewed 2026-06-02 · Processing personal data without a documented lawful basis under GDPR Art. 6 is the primary enforcement trigger. AI-generated communications that process personal data (e.g., referencing recipient's personal information) must have an identified lawful basis.
gdpr_cross_border_unsafe · WARN · Reviewed 2026-06-02 · Cross-border personal data transfers from EU/EEA require an adequacy decision, SCCs, BCRs, or explicit consent. AI systems often transfer data to US processors without adequate safeguards. The 2023 EU-US DPF provides some relief but requires certification.
gdpr_automated_decision · WARN · Reviewed 2026-06-02 · GDPR Art. 22 prohibits fully automated decisions that produce legal or similarly significant effects without human review. AI governance systems that auto-approve content with significant commercial or legal consequences may require human-in-the-loop controls.
pipl_sensitive_data · BLOCK · Reviewed 2026-06-02 · China's PIPL imposes heightened requirements for sensitive personal information (biometrics, religion, health, finance, location). Processing without explicit separate consent and security assessment is prohibited. Extraterritorial application means global companies serving Chinese users must comply.
lgpd_sensitive_data · WARN · Reviewed 2026-06-02 · Brazil's LGPD Art. 11 requires specific lawful basis and DPO involvement for sensitive personal data. AI-generated content that processes health, biometric, genetic, political, religious, or sexual orientation data needs explicit consent or specific legal authorization.
apac_cross_border_transfer · WARN · Reviewed 2026-06-02 · APAC data protection laws require specific safeguards for cross-border personal data transfers. Japan's 2022 APPI amendment introduced adequacy assessments; Singapore PDPA requires comparable protection in recipient country; Korea PIPA requires individual consent unless exceptions apply.
Healthcare (5 rules)
unauthorized_medical_advice · BLOCK · Reviewed 2026-06-02 · AI systems providing specific medical diagnoses or treatment recommendations constitute the unauthorized practice of medicine in most US states and create FDCA drug/device liability. Single incidents have triggered FDA enforcement letters.
dshea_disclaimer_missing · WARN · Reviewed 2026-06-02 · Structure/function claims about dietary supplements require the DSHEA disclaimer. AI-generated supplement marketing omits this disclaimer at very high rates, creating FDA enforcement risk.
healthcare_anti_kickback · BLOCK · Reviewed 2026-06-02 · AKS prohibits offering anything of value to induce referrals of federal healthcare program business. No specific intent required for criminal liability. AI-generated communications that reference referral fees or payment for patient volume create immediate criminal exposure.
healthcare_false_claims · BLOCK · Reviewed 2026-06-02 · FCA imposes per-claim penalties for false billing representations. AI systems that generate billing language, coverage representations, or coding recommendations that are inaccurate create FCA liability. The 2023 Practice Fusion case established AI-assisted false claims liability.
samhsa_safe_messaging · BLOCK · Reviewed 2026-06-02 · SAMHSA Safe Messaging guidelines prohibit specific descriptions of suicide methods in crisis communications. AI models trained on general text can reproduce unsafe messaging patterns. A single unsafe response in a crisis context can constitute negligence.
Finance & Securities (5 rules)
pricing_hallucination · BLOCK · Reviewed 2026-06-02 · AI-fabricated pricing or discount claims that reach customers constitute deceptive trade practices. The FTC's 2023 AI enforcement guidance specifically names AI-generated false pricing as an enforcement priority.
finra_investment_advice · BLOCK · Reviewed 2026-06-02 · AI-generated investment recommendations to specific clients without FINRA registration and suitability analysis violate FINRA Rule 2111 and the Investment Advisers Act. FINRA Regulatory Notice 21-16 specifically addresses AI-generated communications.
bsa_aml_tipping_off · BLOCK · Reviewed 2026-06-02 · BSA § 5318(g)(2) creates a criminal prohibition on disclosing the existence of a Suspicious Activity Report (SAR) or investigation to the subject. AI systems with access to compliance data that generate customer-facing communications can inadvertently tip off AML investigation subjects.
executive_forward_looking_statement · BLOCK · Reviewed 2026-06-02 · AI-generated forward-looking financial statements without required cautionary language violate Securities Exchange Act § 10(b). The PSLRA safe harbor only protects statements accompanied by meaningful cautionary language identifying risk factors. AI systems produce confident projections without this language.
executive_unauthorized_material_event · BLOCK · Reviewed 2026-06-02 · Regulation FD requires simultaneous public disclosure when material non-public information is selectively disclosed. AI systems with access to internal communications can inadvertently disclose material events (earnings, M&A, product launches) to unauthorized recipients.
Sales & Marketing (15 rules)
competitor_mention · WARN · Reviewed 2026-06-02 · Naming competitor products in AI-generated outbound creates legal exposure (trade libel) and competitive intelligence leakage. Workspace-configurable denylist extends coverage to custom competitors.
competitor_disparagement · BLOCK · Reviewed 2026-06-02 · AI-generated negative claims about a named competitor that are false or misleading constitute commercial disparagement under the Lanham Act. A single published claim can trigger TRO injunctions.
fake_guarantee · BLOCK · Reviewed 2026-06-02 · AI-generated guarantee or warranty language creates binding contractual obligations if received by a customer. Magnuson-Moss regulates written warranties; common law promissory estoppel binds on reasonable reliance.
spam_trigger_phrase · WARN · Reviewed 2026-06-02 · Classic spam trigger phrases cause email deliverability failure and potential CAN-SPAM liability for commercial email. AI generation dramatically increases false positive rates on these patterns.
urgency_scarcity_manipulation · BLOCK · Reviewed 2026-06-02 · Artificial urgency ('only 2 left!', 'offer expires in 1 hour') without factual basis constitutes a deceptive dark pattern under the FTC Act and the EU's evolving dark patterns framework. FTC 2022 report specifically targets AI-generated urgency manipulation.
all_caps_phrase · WARN · Reviewed 2026-06-02 · ALL CAPS blocks are spam signals that trigger filtering. AI models produce these patterns when prompted for emphasis.
excessive_exclamation · WARN · Reviewed 2026-06-02 · Multiple exclamation marks are a primary spam classifier signal (SpamAssassin, Google Postmaster). AI models over-use exclamation marks for enthusiasm.
unsubscribe_missing · WARN · Reviewed 2026-06-02 · Every commercial email must include a functioning opt-out mechanism. AI generation frequently omits this. Applies to email channel only — SMS and WhatsApp have different opt-out requirements handled by channel-specific rules.
suspicious_url_pattern · WARN · Reviewed 2026-06-02 · URL shorteners obscure destination links (CAN-SPAM violation) and trigger phishing filters. AI models use them to 'save space' without understanding the compliance implications.
unverified_metric_claim · WARN · Reviewed 2026-06-02 · AI-generated ROI claims ('increase revenue by 40%') without substantiation violate FTC guidance on performance claims. The FTC requires advertisers to possess substantiation before making claims — AI systems invent plausible-sounding metrics without any factual basis.
unverified_compliance_claim · WARN · Reviewed 2026-06-02 · AI-generated claims of SOC 2, HIPAA, or FedRAMP certification without verification constitute material misrepresentation. In B2B procurement, these claims form part of the contract and can trigger fraud liability.
fabricated_executive_endorsement · BLOCK · Reviewed 2026-06-02 · Fabricated quotes attributed to executives of real companies constitute false advertising under the Lanham Act and violate FTC Endorsement Guides. AI models generate convincing executive quotes that never occurred.
fabricated_testimonial · WARN · Reviewed 2026-06-02 · FTC Endorsement Guides (updated 2023) require testimonials to reflect the honest opinion of real customers. AI-generated customer quotes violate this rule. The 2023 update specifically extends coverage to AI-generated synthetic testimonials.
ftc_green_claim · WARN · Reviewed 2026-06-02 · AI-generated unsubstantiated environmental claims ('carbon neutral', 'sustainable', 'eco-friendly') violate the FTC Green Guides. The FTC updated Green Guides in 2024 specifically to address AI-generated marketing content.
ftc_ai_review_disclosure · WARN · Reviewed 2026-06-02 · The 2023 FTC Endorsement Guides update requires disclosure when reviews or endorsements are AI-generated or incentivised. AI systems that generate synthetic positive reviews without disclosure violate this rule.
Messaging Channels (10 rules)
forbidden_attachment_ref · BLOCK · Reviewed 2026-06-02 · AI models hallucinate attachment references when the gate system delivers plain text emails that cannot carry attachments. Customer receives false information about attached documents.
tcpa_autodialer_hint · BLOCK · Reviewed 2026-06-02 · TCPA imposes strict per-message liability for autodialed or prerecorded messages to cell phones without prior express written consent. Severity escalated to BLOCK on voice/text channels where per-message liability attaches.
tcpa_cold_sms · BLOCK · Reviewed 2026-06-02 · FCC's December 2023 ruling requires 1:1 prior express written consent for each sender before sending marketing SMS. Cold AI-generated SMS sequences without consent documentation create per-message liability. The 2023 rule eliminated lead generator exemptions.
sms_opt_out_keywords_missing · BLOCK · Reviewed 2026-06-02 · CTIA Messaging Principles § 5.2 require STOP, HELP, and UNSUBSCRIBE keywords in every commercial SMS campaign. Missing opt-out keywords trigger carrier filtering and 10DLC campaign suspension. TCPA also requires providing an opt-out path.
whatsapp_cold_outreach · BLOCK · Reviewed 2026-06-02 · WhatsApp Business Policy prohibits messaging individuals who have not opted in to receive messages from the business. Meta enforces this via account-level bans. Under GDPR, sending unsolicited commercial messages requires explicit consent as a lawful basis.
whatsapp_template_bypass · BLOCK · Reviewed 2026-06-02 · WhatsApp Cloud API only permits freeform (non-template) messages within 24 hours of the last customer-initiated message. Sending freeform follow-ups outside this window results in API rejection and account review.
linkedin_automated_solicitation · BLOCK · Reviewed 2026-06-02 · LinkedIn ToS § 8.2 explicitly prohibits automated sending of messages, connection requests, or InMail to multiple members. Automated solicitation using AI bots constitutes ToS violation and may trigger CFAA liability.
linkedin_scraped_profile_hint · WARN · Reviewed 2026-06-02 · References to data points (recent job changes, post likes, company headcount) typically sourced from scraping tools (Clay, Apollo, Clearbit) implicate LinkedIn ToS and GDPR Art. 14 transparency obligations for third-party-sourced personal data.
telegram_mass_dm · WARN · Reviewed 2026-06-02 · Telegram ToS prohibits mass-messaging non-contacts and running spam bots. Telegram actively detects and bans accounts sending identical or bulk DMs. GDPR requires lawful basis for sending commercial messages to identifiable individuals.
slack_connect_solicitation · BLOCK · Reviewed 2026-06-02 · Slack ToS § 12 prohibits using Slack Connect to send unsolicited commercial messages. Slack actively enforces this with channel-level bans and workspace suspensions. Using an external Slack Connect channel for cold sales outreach is treated the same as email spam under the ToS.
Employment & Housing (4 rules)
eeoc_age_language · BLOCK · Reviewed 2026-06-02 · ADEA prohibits age-based preferences in job advertising and employment decisions. AI recruitment tools frequently generate age-coded language ('digital native', 'recent graduate', 'energetic team') that constitutes discriminatory preference. EEOC has issued guidance specifically targeting AI screening tools.
fair_housing_steering · BLOCK · Reviewed 2026-06-02 · AI real estate systems that steer buyers/renters toward or away from neighborhoods based on protected class characteristics violate the Fair Housing Act. HUD's 2023 guidance explicitly holds AI systems to the same standards as human agents.
hr_employment_guarantee · BLOCK · Reviewed 2026-06-02 · AI HR systems that guarantee employment outcomes ('you will definitely get the job') create promissory estoppel claims if the offer is not extended. State employment laws may create implied contract obligations from such statements.
hr_compensation_promise · BLOCK · Reviewed 2026-06-02 · Unauthorized salary commitments made by AI in recruitment create enforceable compensation promises. Equal Pay Act complications arise if different salary promises are made to different demographic groups. Requires HR leadership sign-off.
Customer Support (4 rules)
support_unauthorized_refund · BLOCK · Reviewed 2026-06-02 · AI support bots that commit to specific refund amounts create enforceable obligations under promissory estoppel doctrine. Support agents lack authority to approve refunds above certain thresholds — AI bots have no authority at all without explicit workspace configuration.
support_liability_admission · BLOCK · Reviewed 2026-06-02 · Under evidence rules, admissions by agents (including AI systems) acting within apparent authority bind the principal. A support bot admitting fault ('this was entirely our error') creates a binding evidentiary admission that can be used in subsequent litigation. Air Canada was held liable for its chatbot's unauthorized refund commitment.
support_compensation_promise · BLOCK · Reviewed 2026-06-02 · Promissory estoppel creates enforceable obligations when: (1) a promise is made, (2) the promisee reasonably relies, (3) to their detriment. AI bots promising compensation ('we will compensate all affected customers') meet all three elements. The 2024 Air Canada decision confirmed AI commitments bind the company.
support_sla_guarantee · WARN · Reviewed 2026-06-02 · AI bots that promise specific SLA windows ('we will respond within 4 hours') create contractual service level obligations. Flagged for human review to confirm the commitment is within policy and can actually be fulfilled.
Security & Adversarial (2 rules)
prompt_injection · BLOCK · Reviewed 2026-06-02 · Prompt injection attempts to override the AI system's instructions, potentially causing it to exfiltrate data, execute unauthorized commands, or bypass governance controls. CFAA liability attaches when injection achieves unauthorized access to computer systems.
content_obfuscation · BLOCK · Reviewed 2026-06-02 · Hidden content in HTML comments or invisible markup is a technique used to evade spam filters while delivering prohibited content. Constitutes deceptive routing under CAN-SPAM and deceptive omission under FTC Act § 5.
Profanity (1 rule)
profanity · BLOCK · Reviewed 2026-06-02 · AI-generated profanity reaching customers creates brand risk and potential hostile environment claims. Block is conservative given low false-positive risk.
"The AI governance controls described herein are enforced by DataVibe Inc. using deterministic pattern-matching rules. Each rule's legal basis, enforcement agency, and penalty range is publicly documented at datavibe.cc/rules (last reviewed 2026-06-02). Evidence packages signed by DataVibe can be verified at datavibe.cc/verify."
For expert witness engagement or regulatory submissions, contact [email protected].