What activity is happening?
UltimateGPT offers functionality that mirrors what Ultimate already offers: customer support transcripts are processed in order to automate conversations. These transcripts can contain Personally Identifiable Information (PII) of end users.
Who is involved?
To provide the LLM behind UltimateGPT, we use Microsoft as a sub-processor specifically for the UltimateGPT functionality, which relies on Microsoft’s Azure OpenAI Service.
What is shared?
To provide the functionality of UltimateGPT, all conversation content (including prompts) is sent to the Azure OpenAI Service via Microsoft’s Azure OpenAI API, after passing through our sanitization process, which minimizes the end-user PII that is transferred.
Where is data sent to?
Both Ultimate’s infrastructure and the Microsoft Azure OpenAI Service instance we use are located in the EU.
What safeguards are in place?
In addition to our own technical and organizational measures, there are a number of other safeguards in place in relation to the transfer:
- Data is not used to train other models. Microsoft’s Azure OpenAI service will not use data submitted via the API to train or improve their models.
- DPA & SCCs are in place. We have a Data Processing Agreement in place with Microsoft in relation to any transfer of PII, as well as the latest EU Standard Contractual Clauses.
- SOC 2 Type 2 compliance. In addition to Ultimate’s own SOC 2 compliance, Microsoft has a range of leading security standards and controls in place. More information can be found on their Trust Center pages.
- Encryption. Data is stored in Azure Storage, encrypted at rest with Microsoft-managed keys, within the same region as the resource, and logically isolated.
- Sanitization. Before anything is sent to Microsoft’s Azure OpenAI service, the conversation is run through Ultimate’s sanitization process (as normal).
How does sanitization work?
Our machine learning and artificial intelligence systems do not need PII either to be trained or to perform classification, so PII in messages can be anonymized without compromising the service we provide to our clients.
The anonymization methods detect different categories of PII in messages and replace each detected value with an anonymous label for its category, using content entities. For example, email addresses are replaced with <EMAIL> labels, bank account numbers are replaced with <IBAN> labels, and so forth. This way, we avoid processing or storing PII in our systems. The <EMAIL> and <IBAN> placeholders are examples of our default, pre-defined content entities. Here is a list of commonly used content entities.
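As an added illustration of the category-based replacement described above, here is a small anonymizer written for this page. It is example code, not Ultimate’s sanitizer: the regular expressions, the mod-97 IBAN checksum step and the per-label counters are assumptions about how such a step could be built, and only the <EMAIL> and <IBAN> entities mentioned above are included.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Example code written for this page, not Ultimate's sanitizer.
# Entity patterns, the checksum validator and the audit counters are assumptions.


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 check (assumed validator, not from the original page).

    Move the first four characters to the end, map letters to 10..35, and the
    resulting integer must be congruent to 1 modulo 97. Rejecting candidates
    that merely look like an IBAN keeps the sanitizer from masking ticket or
    order references that happen to share the shape.
    """
    s = candidate.replace(" ", "").upper()
    if not (15 <= len(s) <= 34):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


# (label, pattern, optional validator). Order matters when patterns overlap:
# the most specific category should run first.
Entity = Tuple[str, "re.Pattern[str]", Optional[Callable[[str], bool]]]

DEFAULT_ENTITIES: List[Entity] = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), None),
    (
        "IBAN",
        re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,3})?\b"),
        iban_checksum_ok,
    ),
]


def anonymize(message: str, entities: List[Entity] = DEFAULT_ENTITIES) -> Tuple[str, Dict[str, int]]:
    """Replace every detected PII value with its category label, e.g. <EMAIL>.

    Returns the anonymized text plus a count per label, so that audit logs can
    record *that* PII was removed without recording the raw values.
    """
    counts: Dict[str, int] = {}
    for label, pattern, validator in entities:
        def repl(match: "re.Match[str]", label: str = label,
                 validator: Optional[Callable[[str], bool]] = validator) -> str:
            value = match.group(0)
            # Shape matched but checksum failed: leave the text untouched.
            if validator is not None and not validator(value):
                return value
            counts[label] = counts.get(label, 0) + 1
            return f"<{label}>"
        message = pattern.sub(repl, message)
    return message, counts


# Constructed sample transcript line (not real customer data).
SAMPLE = (
    "Hi, my email is jane.doe@example.com and my account is "
    "GB82 WEST 1234 5698 7654 32. Ticket GB82 WEST 1234 5698 7654 33 is not an IBAN. "
    "My order number is 12345678."
)

if __name__ == "__main__":
    text, counts = anonymize(SAMPLE)
    print(text)
    print(counts)
```

Two points worth noticing when running this: the second IBAN-shaped string is left alone because its checksum fails, and the order number passes through unchanged because no configured entity covers it. Detection-based anonymization only removes the categories it has been taught, which is why the page speaks of minimizing, rather than eliminating, the PII that is transferred.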
Is there anything else to be aware of?
In addition to the safeguards above, UltimateGPT also provides you with optional functionality to discourage your end-users from sending any PII in the welcome message.
What is the difference between the Azure OpenAI service and OpenAI?
Azure OpenAI Service gives customers access to OpenAI’s GPT-3, Codex, and DALL-E models together with the security and enterprise commitments of Azure. With Azure OpenAI, customers get the security capabilities of Microsoft Azure while running the same models as OpenAI.
More information
Below are some useful links to relevant information:
- Ultimate’s technical and organizational security measures
- Microsoft’s data, privacy, and security resources for the Azure OpenAI Service
- Microsoft’s Azure OpenAI Service FAQs
- Microsoft’s Trust Center and compliance overview