Skip to main content
Home Documentation Pages

Generative replies FAQs: Privacy and security

Eduardo Calvo

0 comments
Add-on AI agents - Advanced

What activity is happening?

Generative replies functionality processes customer support transcripts in order to automate conversations. These transcripts can contain personally identifiable information (PII) about end users. 

Who is involved?

In order to provide the large language model (LLM) functionality that powers generative replies, we use OpenAI as a sub-processor.

What is shared?

In order to provide the functionality of generative replies, all conversation content (including prompts) is provided to the OpenAI service following our sanitization process to minimize any end user PII being transferred. This is shared via OpenAI’s API.

Where is data sent to?

Both the AI agents - Advanced and OpenAI service infrastructure are located in the European Union (EU).

What safeguards are in place?

In addition to our own technical and organizational measures, there are a number of other safeguards in place in relation to the transfer:

  1. Data is not used to train other models. The OpenAI service does not use data submitted via the API to train or improve their models.
  2. DPA and SCCs are in place. We have a Data Processing Agreement (DPA) in place with OpenAI in relation to any transfer of PII, as well as the latest EU Standard Contractual Clauses (SCCs).
  3. SOC 2 Type 2 compliance. As well as our own SOC2 compliance, OpenAI has a range of leading security standards and controls in place. More information can be found on their Security & privacy pages.
  4. Encryption. Data is stored in Azure Storage, encrypted at rest by Microsoft Managed keys, within the same region as the resource and logically isolated.
  5. Sanitization. Before anything is sent to the OpenAI service, the conversation is run through our sanitization process (described below).

How does sanitization work?

Our machine learning and artificial intelligence systems do not require PII to be trained or to do the classification. This means PII can be anonymized in the messages without compromising the service we provide to you.

The anonymization methods for messages detect different categories of PII in the messages and replace these values with an anonymous label corresponding to the detected categories using entities. For example, email addresses in the messages are replaced with <EMAIL> labels, bank account numbers are replaced with <IBAN> labels and so forth. <EMAIL> and <IBAN> placeholders are examples of our default and pre-defined entities. Here is a list of commonly used entities.

Is there anything else to be aware of?

In addition to the safeguards above, you can include language in your AI agent's welcome reply to discourage end users from sending any PII during the conversation.

More information

Below are some useful links to relevant information:

 

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request

0 comments

Please sign in to leave a comment.

Powered by Zendesk