Torus IT Security

Checklist for using a cyber assistant with client data

A checklist for framing the use of a cyber assistant with client documents, visible sources, ZDR and human validation.

A cyber assistant can save time on documentation, procedures, compliance requirements and draft deliverables. But as soon as client documents enter the scope, the usage framework becomes as important as the answer itself.

This checklist helps define the right limits before using an assistant on sensitive documents.

Key takeaway: trust does not rely only on answer quality. It relies on document scope, visible sources, separated spaces, non-reuse of data and human validation.

1. Separate client spaces clearly

Before any use, check that contexts cannot be mixed.

  • One space exists per client, entity or perimeter.
  • Documents added to one space are not visible from another.
  • Conversations and drafts remain attached to the right context.
  • Users understand which space they are working in.
  • Exports and deliverables use the correct scope.

This is essential for consultants who move from one engagement to the next and would otherwise carry context across clients.

2. Choose which documents are made available to the assistant

Not every stored document should be queryable.

  • Useful documents are added to the relevant client space.
  • The assistant only draws on documents that were explicitly made available to it.
  • Obsolete versions are removed or flagged as such.
  • Sensitive documents that serve no purpose for the task stay out of scope.
  • Each document's category is clear: policy, procedure, evidence, standard or other.

The rule should be readable: the assistant works on documents that the client or team makes available in the relevant space.

3. Check for visible sources

A useful answer must be reviewable.

  • Used passages or documents can be identified.
  • The reader can check whether the right source was used.
  • Outdated or contradictory sources are visible as such, not silently merged into one answer.
  • The draft does not hide uncertainty.
  • Important answers are not used without review.

Without visible sources, the assistant may produce plausible text that is difficult to defend.
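The three checks above (one space per client, explicit document scope, sources that a reviewer can trace) are controls that can be enforced in code rather than left to user discipline. The following is an added example, not Torus code: a minimal scoped document store in which every query is bound to one space, a document from another space is reported exactly like a document that does not exist, obsolete versions stay visible but flagged, and every draft carries the passages it drew on. The documents, space names and the keyword matching are constructed for the example; a real assistant would use embedding search, but the scope and citation logic is the same.

```python
"""Scoped retrieval with mandatory source citation (added example, not Torus code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: str
    space_id: str       # client, entity or perimeter the document belongs to
    category: str       # policy, procedure, evidence, standard or other
    text: str
    obsolete: bool = False


@dataclass
class Source:
    """One passage an answer relied on; shown to the reviewer, never hidden."""
    doc_id: str
    category: str
    obsolete: bool
    snippet: str


@dataclass
class Answer:
    space_id: str
    query: str
    sources: list = field(default_factory=list)


class ScopeViolation(Exception):
    """Raised when a request would cross the boundary between client spaces."""


class ScopedStore:
    def __init__(self):
        self._spaces = {}   # space_id -> {doc_id: Document}

    def add(self, doc):
        self._spaces.setdefault(doc.space_id, {})[doc.doc_id] = doc

    def get(self, space_id, doc_id):
        """Fetch by id, but only inside the caller's space. A document that lives
        in another space is refused in the same way as a document that does not
        exist, so the caller cannot even learn that it exists elsewhere."""
        doc = self._spaces.get(space_id, {}).get(doc_id)
        if doc is None:
            raise ScopeViolation(f"{doc_id} is not available in space {space_id}")
        return doc

    def search(self, space_id, query, include_obsolete=False):
        """Keyword search that never looks outside the given space."""
        terms = {t.lower() for t in query.split()}
        hits = []
        for doc in self._spaces.get(space_id, {}).values():
            if doc.obsolete and not include_obsolete:
                continue
            if terms & set(doc.text.lower().split()):
                hits.append(doc)
        return hits


def draft_answer(store, space_id, query):
    """Build a draft whose every claim can be traced to a passage in scope.
    Obsolete documents are included so the reviewer sees them, flagged."""
    answer = Answer(space_id=space_id, query=query)
    for doc in store.search(space_id, query, include_obsolete=True):
        answer.sources.append(Source(doc.doc_id, doc.category, doc.obsolete, doc.text[:60]))
    return answer


def warning_signs(answer):
    """Return the checklist warning signs that apply to a draft."""
    signs = []
    if not answer.sources:
        signs.append("sources not visible")
    elif all(s.obsolete for s in answer.sources):
        signs.append("only obsolete sources")
    return signs


# Constructed sample data: two client spaces, one of them with an obsolete version.
STORE = ScopedStore()
for d in (
    Document("A-PROC-01", "client-a", "procedure",
             "Patch management procedure v2: critical patches within 14 days"),
    Document("A-PROC-00", "client-a", "procedure",
             "Patch management procedure v1: critical patches within 30 days", obsolete=True),
    Document("B-POL-01", "client-b", "policy",
             "Patch management policy: critical patches within 7 days"),
):
    STORE.add(d)

if __name__ == "__main__":
    draft = draft_answer(STORE, "client-a", "patch deadline")
    for s in draft.sources:
        print(s.doc_id, s.category, "OBSOLETE" if s.obsolete else "current", "|", s.snippet)
    print("warning signs:", warning_signs(draft))
    try:
        STORE.get("client-a", "B-POL-01")
    except ScopeViolation as e:
        print("refused:", e)
```

The design choice worth copying is that the space identifier is a parameter of every store operation, not a filter applied afterwards: there is no code path that returns documents without first selecting a space, and an unscoped "search everything" call simply does not exist.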

4. Set the confidentiality framework

The framework must be understandable by a CISO, a consultant and a cautious client.

  • Client data remains separated by space.
  • ZDR, or Zero Data Retention, is enabled for the relevant AI exchanges, and the setting is verified to cover the actual endpoint and model in use rather than assumed from the contract.
  • Data transmitted to the model is not retained for training or reuse.
  • Any contribution to a Torus reference base would require a separate, explicit and minimised agreement.
  • Limits are explained without unnecessary jargon.

The promise should stay sober: control, separation, no default reuse and human validation.

5. Add useful company context

An assistant answers better when it understands context, without inventing what is missing.

  • Organisation and perimeters.
  • Applicable frameworks.
  • Business constraints.
  • Client or audit requirements.
  • Expected validation levels.
  • Existing reference documents.

This context helps orient answers and document drafting, but it does not replace client sources.

6. Keep deliverables under human control

An assistant can prepare a draft, not sign a deliverable.

  • Policies, procedures and summaries are reviewed.
  • Questionnaire answers are validated before being sent.
  • Documentation gaps are decided on by an accountable person.
  • Uploaded evidence is assessed as sufficient, incomplete or inconsistent before any decision is based on it.
  • Sensitive conclusions remain under human responsibility.

This protects both deliverable quality and the client relationship.

Warning signs

Pause or reframe the usage if any of these signals appear.

  • The user does not know which documents are being used.
  • Sources are not visible.
  • Several clients or perimeters may be mixed.
  • An AI answer is treated as standalone evidence.
  • ZDR or non-reuse of data is not understood.
  • The final deliverable leaves without human validation.

How Torus fits this logic

The Torus Cyber Assistant is presented as a cybersecurity and compliance document assistant: it queries documents made available in a client space, cites its sources, draws on cybersecurity and compliance references when needed, and prepares drafts for review. The Security & data page explains the expected trust framework.