Last update: 01/12/2025

Undertaking regarding Data Security

1. Introduction

This Undertaking regarding Data Security (“UDS”) outlines the practices we, at HalfSerious, have implemented to safeguard the data entrusted to us by each of our clients, meaning each person who has subscribed to our terms and conditions of services (“TOS”) (“Client”). We align our practices with recognized frameworks, such as NIST, and best practices in the IT industry.

In this UDS, “personal information” (“PI”) means any information which relates to a natural person and directly or indirectly allows that person to be identified.

2. Data Collection and Use

Our solution collects only the PI necessary for user authentication and system functionality. Specifically, we may collect and store Client’s usernames and emails provided by our authentication provider to facilitate secure access through Single Sign-On (“SSO”).

Additionally, we may gather anonymized data for the purposes of quality control, improvements, system optimization and security monitoring.

Secondary uses of data can include:

  • User support and communication: Using contact information, such as emails, to provide support, send important notifications, and communicate updates or changes in relation to the services.

  • Compliance and legal obligations: Retaining data as necessary to comply with legal obligations, respond to lawful requests from competent authorities, or for the purposes of auditing and reporting.

  • Service improvement: Analyzing anonymized data trends to improve and develop new features, enhance user experience, and refine the overall functionality of our systems.

  • Security enhancements: Employing collected data to detect, prevent, and respond to security incidents, including unauthorized access attempts and potential threats.

  • Quality control: Using data to improve the quality of our products and services.

3. Data Storage and Retention

Where will Client’s data be stored?

Client’s data will be stored by default on secure servers located in jurisdictions that align with Client’s operational requirements. If a Client so requests, we will select the jurisdiction in which the servers are located; such a request may imply technological choices that Client will need to approve in advance.

What are our data retention and deletion commitments?

When Azure OpenAI services are selected by Client:

  • Data, including all prompts and generated content, is securely stored by Azure OpenAI services for up to thirty (30) days, primarily for abuse monitoring. Azure OpenAI does not use this data to train, retrain, or improve any models.

  • A Client wishing to opt out from Azure OpenAI’s data retention can submit a request through our support portal or contact our Person in charge of the protection of personal information directly at the contact details described below (“Person in Charge”). Upon receiving the request and subsequent approval, any previously stored prompts and completions will be deleted from Azure OpenAI’s systems according to their retention and deletion policies.

Data retained within our systems, including usernames, emails and other operational data, will not be retained after the end of the TOS between us and Client, except during the period prescribed in the TOS for the destruction of data.

A Client may request the deletion of internal data by submitting a request to our Person in Charge, and we will process this request subject to applicable data protection laws and the TOS, as well as to any retention needed to protect our legitimate legal interests.

4. Data Access and Control

Who will have access to Client’s data?

We maintain appropriate administrative, technical and physical measures designed to preserve the confidentiality, integrity and availability of PI and Client’s data.

Access to Client’s data is limited to designated end-users and authorized personnel within our organization. No third-party vendors have access to Client’s data unless specifically authorized under an agreement that includes data protection provisions. 

However, our cloud service providers, such as Azure and OpenAI, may have access to encrypted versions of data during transit or when stored at rest as part of their infrastructure management responsibilities.

Access is controlled through secure authentication methods, such as SSO and role-based access control (“RBAC”), ensuring that only individuals with a legitimate need can access the data. All access activities are logged and monitored to maintain accountability and ensure compliance with security policies.

What measures are in place to control and monitor access to Client’s data?

Our solution implements access controls and monitoring measures to protect Client’s data. We utilize SSO for secure authentication, ensuring that only authorized personnel can access our systems. Access to databases and management consoles within our cloud providers (e.g., AWS, Azure) is controlled through RBAC, multi-factor authentication (“MFA”), and regular access reviews to enforce the principle of least privilege.

In addition to these controls, all access to production environments is logged and monitored. Logs include details of access attempts, changes made, and the identity of the user performing the actions. These logs are securely stored, continuously monitored for suspicious activity, and audited regularly to ensure compliance with security policies. Moreover, query inputs and other potentially sensitive information are excluded from logs to prevent the inadvertent exposure of private data.

Together, these measures provide protection against unauthorized access and ensure that all activities involving Client’s data are properly controlled and monitored.

5. Data Security Measures

What security protocols are in place to protect Client’s data?

Our solution is designed with a robust set of security protocols to protect Client’s data. We implement industry-standard encryption for data in transit and at rest, ensuring confidentiality and integrity across our systems. For data transmission, we utilize advanced encryption methods such as TLS, while data stored in our databases is secured using encryption technologies that comply with leading industry standards. To mitigate potential threats, a Web Application Firewall (WAF) is employed to safeguard against various types of cyberattacks. Cryptographic key management is handled by a secure key management system.

How do we handle security breaches or data leaks?

We use Service Hub by HubSpot as our ITSM platform for managing incidents, problems, and changes. 

In the event of a data security incident, we follow a structured process to ensure an effective response. Our incident response plan includes the following steps:

  • Detection and identification: Monitoring with security tools to detect unauthorized access or data leaks.

  • Containment: Actions are taken to isolate affected systems, restrict access, or shut down operations to prevent further unauthorized access or data loss.

  • Investigation: An investigation is carried out to identify the root cause of the breach, including reviewing logs, conducting forensic analysis, and identifying vulnerabilities.

  • Client notification: We will notify Client’s own person in charge of the protection of PI without delay of any violation or attempted violation, by any person, of any obligation concerning the confidentiality of the information communicated by Client, and we will reasonably collaborate with that person in charge to conduct any verification relating to confidentiality requirements.

  • Remediation: Corrective actions are taken to remediate the vulnerabilities that led to the breach, including applying patches and enhancing security protocols.

  • Post-incident review: A review is conducted after the incident is resolved to evaluate the response, identify lessons learned, and improve security practices.

6. Data Sharing and Third Parties

Will Client’s data be shared with any third parties?

Client’s data may be shared with third-party service providers, including cloud computing providers, to support the functionality and security of our services. We employ tools like Microsoft Presidio to handle and protect PI, ensuring that sensitive data is appropriately anonymized or redacted before processing. While we strive to minimize the sharing of PI, certain details such as first name, last name, and emails may be transmitted to these third parties for specific operational purposes, including email delivery and log management. All third-party interactions are governed by data protection agreements to safeguard Client’s information.

What agreements or safeguards are in place with third parties handling Client’s data?

Prompts are shared with Microsoft to ensure comprehensive safety verifications. LangFuse contributes to enhancing overall system integrity. The data stored in the vector database will only include information that has been previously anonymized to remove any PI.

7. Client’s Obligations

What are Client’s obligations regarding data security?

Client must use our services securely and responsibly. This includes adhering to our security guidelines, such as using SSO for authentication and ensuring that access credentials are kept secure. Client must also follow best practices for data security, such as using MFA and implementing its own internal security measures to protect its data while using our services. These obligations are crucial for maintaining the overall security of the service and safeguarding sensitive information.

8. Person in Charge

Client may contact our Person in Charge, name, at email.
