Trust and Transparency in AI Tools: What to Look For
AI tools that touch your CRM data require a different trust framework. Here's what transparency actually means in practice and how to evaluate AI vendors honestly.
The AI tool market has a transparency problem. Every vendor claims their AI is trustworthy. Every privacy page says your data is secure. Every sales rep says the AI doesn't train on your data — unless, if you read the fine print, it does.
I've read a lot of AI vendor privacy policies and data processing agreements in the course of building DenchClaw. The gaps between what companies say in marketing and what they actually commit to in legal documents are significant. More than that, the framing around AI trust has become so muddled that it's hard to know what questions to even ask.
Let me try to give you a cleaner framework.
What AI Training on Your Data Actually Means
The most common concern is: does my AI vendor train on my data?
The answer almost always has multiple layers:
Layer 1: Is your data used for training at all? OpenAI's terms distinguish between API users and consumer users. API users have historically had a different (more protective) default than consumer ChatGPT users. Anthropic, Google, and others have similar distinctions. Enterprise agreements often include explicit commitments not to train on customer data.
Layer 2: What counts as "training"? There's a difference between fine-tuning (using your conversations to update model weights) and reinforcement learning from human feedback (using ratings of responses), and these are distinct from logging/storing your inputs for safety review or improvement analysis. Vendors may commit to "not training" while still retaining and reviewing your data.
Layer 3: What about your AI being powered by a sub-processor? If your CRM's AI features are powered by an external AI API, there are two privacy policies in play: your CRM vendor's and the AI provider's. HubSpot's AI features may be powered by OpenAI. Salesforce Einstein may use multiple providers. You need to check the full chain.
Layer 4: Inference logging. Even if a vendor doesn't use your data for training, they typically log API calls for security, debugging, and abuse detection. How long are those logs retained? Who can access them? Can they be subpoenaed?
The honest answer to "does this vendor train on my data?" requires answers to all four layers. Most vendors aren't forthcoming about all of them.
The Model Transparency Checklist
When evaluating an AI tool for use with sensitive business data, I'd ask these questions:
1. What model powers this feature? "Our AI" is not an answer. Is it GPT-4? Claude 3? Gemini? A fine-tuned version of an open-source model? Knowing the underlying model matters for understanding data handling.
2. What's the data processing agreement? Not the privacy policy — the actual Data Processing Agreement or Business Associate Agreement. This is the legal document with binding commitments, not marketing language. Read it.
3. Is there an enterprise data processing agreement available? Many vendors have more restrictive data handling in enterprise agreements than in consumer terms. If you're using a business tier, make sure you have the enterprise DPA, not the consumer one.
4. What data is sent to the AI API? When the AI analyzes your CRM, what context is actually transmitted? Your contact's name? Their email? Your notes about them? A summary? The full record? The more data transmitted, the more privacy exposure.
5. For how long is inference data retained? Even if not used for training, inference logs are kept somewhere. What's the retention period? Who can access them?
6. Can you configure what data reaches the AI? Some tools let you configure which fields are included in AI context. This reduces privacy exposure by limiting what the AI can see.
7. What happens to your data if you stop using the product? Deletion timelines after account termination are often longer than users realize. What's in the contract?
Local AI Models: The Transparency Floor
The cleanest answer to AI data transparency is running AI inference locally. If the AI model runs on your machine:
- No data leaves your infrastructure for AI processing
- There's no vendor training policy to evaluate
- There's no inference logging to worry about
- There's no sub-processor chain to trace
This isn't academic. Tools like Ollama, LM Studio, and Jan make it practical to run capable AI models locally on a modern laptop. Llama 3 8B, Mistral 7B, Phi-3 — these models are genuinely useful for the kinds of tasks CRM AI needs: summarizing contact histories, drafting follow-up emails, prioritizing lead lists, generating reports.
The quality gap between local models and the best cloud models (GPT-4, Claude 3.5 Sonnet) is real but narrowing. For many CRM tasks — summarization, classification, basic writing assistance — local models are entirely adequate. For tasks requiring deep reasoning or very long context, cloud models retain a meaningful advantage.
DenchClaw supports both configurations. You choose the model. Cloud APIs for power; local models for privacy. The architecture doesn't force you into a privacy tradeoff you didn't consent to.
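Checklist items 4 and 6, combined with the local/cloud split described above, as an added example (not DenchClaw's or any vendor's code): a field allowlist decides what a remote AI API may receive, free-text notes are scrubbed for embedded emails and phone numbers, and the full record is used only when the endpoint is loopback. The field names, the sample record and the remote URL are constructed; the local URL assumes Ollama's default port.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical policy: the only CRM fields a remote AI API may receive.
ALLOWED_FIELDS = {"company", "stage", "last_contacted", "notes"}
FREE_TEXT_FIELDS = {"notes"}  # scrubbed for embedded identifiers before sending

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Constructed sample record; every value is made up.
RECORD = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "company": "Example Corp",
    "stage": "negotiation",
    "last_contacted": "2024-05-02",
    "notes": "Prefers calls at +1 (555) 010-0199; cc jane.assistant@example.com on quotes.",
}

def is_local_endpoint(url):
    """True only for loopback targets, i.e. inference on this machine."""
    host = urlparse(url).hostname or ""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # any other hostname is treated as remote
        return False

def build_ai_context(record, endpoint):
    """Return (context, audit): the fields to transmit and what was held back."""
    local = is_local_endpoint(endpoint)
    context, withheld, redactions = {}, [], 0
    for field, value in record.items():
        if not local and field not in ALLOWED_FIELDS:
            withheld.append(field)
            continue
        if not local and field in FREE_TEXT_FIELDS:
            value, n_mail = EMAIL_RE.subn("[email]", value)
            value, n_phone = PHONE_RE.subn("[phone]", value)
            redactions += n_mail + n_phone
        context[field] = value
    audit = {"local": local, "sent": sorted(context),
             "withheld": sorted(withheld), "redactions": redactions}
    return context, audit

if __name__ == "__main__":
    for url in ("https://api.example.com/v1/chat", "http://localhost:11434/api/generate"):
        print(url, build_ai_context(RECORD, url)[1])
```

Regex scrubbing of notes is best effort: names and other identifiers written in free text pass through, so leave the field off the allowlist when that matters.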
Explainability: What It Means and When It Matters
"Explainable AI" is a phrase that gets used in AI sales pitches more than it gets implemented in products. In the CRM context, explainability matters for specific decisions:
Lead scoring: If your CRM tells you a lead is "score 78, high priority" — do you know why? What signals drove that score? Is it based on factors you'd actually endorse?
Churn prediction: If the AI flags an account as at-risk, what's the reasoning? Is it based on actual engagement signals or on spurious correlations in the training data?
Email effectiveness: If the AI suggests email subject lines, can it tell you why those subjects perform better than alternatives? Or is it a black box that produces outputs without reasoning?
For consequential decisions — who to contact, how to prioritize limited time — unexplainable AI recommendations are a liability. You can't tell when the model is wrong. You can't explain to a colleague why you're making a particular call. You can't audit the system when it produces an outcome you don't understand.
True explainability in AI is hard. Most current systems produce post-hoc rationalizations rather than genuine explanations. But you can still distinguish between tools that make reasoning visible and tools that produce authoritative-sounding outputs with no transparency.
The Trust Framework
My actual trust framework for AI tools that touch sensitive CRM data:
Tier 1 (Maximum trust, minimal friction): Local AI models running on your own hardware. No data leaves your infrastructure. Fully auditable.
Tier 2 (High trust, manage carefully): Cloud AI providers with explicit, contractual no-training commitments in enterprise agreements, clear data retention limits, and a reputation as privacy-respecting companies. Anthropic, OpenAI (enterprise), Google Cloud Vertex AI with appropriate DPA.
Tier 3 (Conditional trust, high scrutiny): CRM-bundled AI where the underlying model is unclear, the sub-processor chain is undisclosed, or where enterprise data processing agreements are not available.
Tier 4 (Do not use with sensitive data): Consumer-tier AI features with consumer privacy policies. Free tiers of AI tools where your data subsidizes the product. AI from vendors with documented training-on-customer-data practices that aren't clearly opt-out-able.
Most AI-powered CRM features from major vendors fall into Tier 2 or 3 depending on your contract tier and the specific feature. Almost no feature defaults to Tier 1. Local-first software with local AI models is the only architecture where Tier 1 is the default.
Frequently Asked Questions
Does DenchClaw train on my CRM data?
DenchClaw is local-first: your CRM data stays on your machine. Dench doesn't have access to it. When DenchClaw's AI features make calls to external AI APIs (Claude, GPT), those calls are governed by the respective vendor's terms — typically with enterprise/API-tier protections against training. For maximum privacy, configure a local Ollama model.
How do I know if my current CRM's AI is training on my data?
Look for your vendor's Data Processing Agreement, not just the privacy policy. Specifically look for: "training" or "model training" clauses, retention periods for query logs, and whether the AI features are powered by a sub-processor.
Can I use DenchClaw without any external AI API?
Yes. Configure DenchClaw to use a local model via Ollama or LM Studio. All AI inference happens on your machine with no external calls.
What's the best local model for CRM tasks?
For most CRM tasks (summarization, email drafting, lead prioritization), Llama 3 8B or Mistral 7B run adequately on a modern MacBook Pro. For more complex analysis, Llama 3 70B via Ollama on a machine with sufficient RAM is a strong option. See the Ollama documentation for current model recommendations.
Ready to try DenchClaw? Install in one command: npx denchclaw.
