AISC-02

Is user input data used to influence your solution's AI model?

Explanation

This question is asking whether your AI solution incorporates user input data to train, fine-tune, or otherwise influence its AI models. In the context of security, this is important because if user data (which may contain sensitive or proprietary information) is used to improve or modify AI models, there are significant security and privacy implications. The assessment is trying to determine: 1. If user data flows into model training/improvement processes 2. What protections exist to prevent sensitive data from being exposed 3. Whether users' intellectual property or confidential information might be inadvertently incorporated into models that serve other customers This question matters because AI systems that learn from user inputs could potentially: - Memorize and later reproduce sensitive information - Create models that contain traces of proprietary data - Mix one customer's data with another's if proper isolation isn't maintained - Create compliance issues related to data usage rights When answering, you should be transparent about whether and how user data influences your models. If it does, explain the safeguards in place. If it doesn't, clearly state that user inputs are processed but not retained for model improvement.

Guidance

Looking for protection of organizational data entered as inputs in a solution's AI feature(s).

Example Responses

Example Response 1

No, our AI solution does not use customer input data to influence or train our AI models All user queries are processed in real-time using our pre-trained models, but this data is not retained or used for model training purposes Our models are exclusively trained on carefully vetted datasets that we have proper licensing and usage rights for We maintain a strict separation between our production inference environment and our model development environment to ensure customer data cannot flow into the training pipeline.

Example Response 2

Yes, our solution does use certain user inputs to improve our AI models, but with strict controls We implement the following safeguards: 1) All data used for model improvement is explicitly opt-in, with clear user consent obtained through our Terms of Service and a separate AI improvement program; 2) All data is anonymized and stripped of personally identifiable information before entering our training pipeline; 3) We employ differential privacy techniques to ensure individual data points cannot be extracted from the model; 4) Customers can request deletion of their data from our training corpus at any time; 5) Enterprise customers can opt out entirely from having their data used for model improvement.

Example Response 3

Our solution currently does use user input data to improve our AI models without explicit opt-in mechanisms While we anonymize the data before using it for training, we recognize this is a gap in our security controls We're developing a more robust consent framework and data isolation system that will be implemented in the next quarter In the meantime, we're transparent in our privacy policy that user interactions may be used to improve our services For customers with specific compliance requirements, we can manually exclude their data from our training pipelines upon request, though this process is currently manual rather than automated.

Context

Tab
AI
Category
AI Data Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron