Which third-party AI providers do you use? (e.g., OpenAI, Anthropic, AWS Bedrock, Azure OpenAI) Describe where customer data is sent and how it is processed.
Explanation & Context
Understanding the Question
This question asks you to identify every third-party AI provider your organization uses, for example OpenAI, Anthropic, AWS Bedrock, or Azure OpenAI. It also asks you to explain how customer data flows to those providers and how the data is processed once it arrives. This matters because it lets an assessor gauge the security and privacy risks of relying on external AI services: knowing where data goes and how it is handled is what allows your organization to keep control of sensitive information and meet its data protection obligations.
Why It Matters
Understanding which third-party AI providers you use and how customer data is managed is crucial for several reasons. First, it helps you ensure that sensitive data is protected according to your organization's security policies and any applicable regulations, such as GDPR or HIPAA. Second, it allows you to evaluate the security practices of these providers and confirm that they meet your standards. For example, if you use OpenAI, you should know how data is encrypted, who can access it, and how long it is retained. This information is vital for maintaining customer trust and reducing the risk of a data breach.
Example of Evidence
To demonstrate fulfillment of this question, you might provide a document that lists all third-party AI providers your organization uses. For each provider, include details on:
- The specific services used (e.g., GPT-3 for text generation)
- How customer data is transmitted to the provider (e.g., via API calls)
- Data processing details, including encryption methods, data storage locations, and data retention policies
- Any contractual agreements or security assurances provided by the third-party provider
This documentation should be regularly reviewed and updated to reflect any changes in your use of third-party AI services.
Example Responses
Example Response 1
Our organization uses Vercel for hosting and Anthropic for AI-driven text analysis. Customer data is sent to Anthropic via secure API calls, where it is processed in their cloud environment. Data is encrypted both in transit and at rest, and it is retained for a maximum of 30 days as per our data retention policy.
Example Response 2
We utilize AWS Bedrock for our AI needs, specifically for natural language processing and machine learning model deployment. Customer data is transmitted to AWS through encrypted API calls and processed within their secure cloud infrastructure. Data is stored in AWS S3 buckets with server-side encryption, and access is restricted to authorized personnel only. We have a comprehensive data processing agreement with AWS to ensure compliance with GDPR and other relevant regulations.
Example Response 3
Our software is entirely on-premises, and we do not use any third-party AI providers. Therefore, the question about sending customer data to external AI services is not applicable to our organization. All data processing occurs within our secure, internal network, and we maintain full control over data handling and security practices.