Will institutional data be processed through a third party or subprocessor that also uses AI?
Explanation
AI in the supply chain is the concern here: the question is whether institutional data will pass through any third party or subprocessor that itself relies on AI.
The question is important for security assessments because AI processing introduces unique privacy and security concerns. When institutional data (which may contain sensitive or personally identifiable information) is processed by AI systems, there are risks related to:
- Data retention - AI systems often need to retain data for training purposes
- Unexpected data use - AI models might use data in ways not originally intended
- Privacy implications - AI analysis might reveal patterns or information not explicitly shared
- Regulatory compliance - AI processing may trigger additional compliance requirements under laws like GDPR, CCPA, etc.
- Security vulnerabilities - AI systems may have unique security vulnerabilities
When answering this question, you should:
- Clearly identify if any third parties or subprocessors that handle your institutional data use AI
- If yes, specify which vendors/processors use AI and how they use it
- Describe what types of institutional data are processed by these AI systems
- Explain what controls are in place to protect the data
- Mention any contractual protections or limitations on AI usage in your agreements
Example Responses
Example Response 1
Yes, institutional data will be processed through two third-party services that utilize AI Our customer support platform, Zendesk, uses AI for ticket routing and sentiment analysis on support communications Additionally, our cloud storage provider, Box, uses AI for content classification and search functionality For both services, we have Data Processing Agreements (DPAs) in place that restrict AI usage to specific operational purposes and prohibit using institutional data for training their general AI models We conduct annual reviews of these vendors' AI practices and have implemented data minimization techniques to limit exposure of sensitive information to these systems.
Example Response 2
No, we do not currently utilize any third parties or subprocessors that employ AI technologies to process institutional data Our primary data processors are AWS for infrastructure hosting and Salesforce for CRM functionality, and we have confirmed with both vendors that the specific services we use do not employ AI processing on our institutional data Our contracts with these vendors explicitly prohibit the use of our data for AI training or other purposes beyond direct service provision We review this stance annually as part of our vendor management program to ensure continued compliance.
Example Response 3
We are currently unable to provide complete assurance that institutional data will not be processed by AI systems at third parties While our primary application is hosted on Microsoft Azure, which does offer AI capabilities, we have not implemented technical controls to prevent Azure's AI systems from potentially accessing our data Additionally, our analytics provider, Google Analytics, has recently introduced AI features that may analyze institutional data for insights We are in the process of conducting a review of all our vendors to identify AI usage and implement appropriate contractual safeguards, but this work is not yet complete We expect to have full visibility and appropriate controls in place within the next 6 months.
Context
- Tab
- Privacy
- Category
- Privacy and AI
Related questions
- Does your service use AI for the processing of institutional data?
- Is any institutional data retained in AI processing?
- Do you have agreements in place with third parties or subprocessors regarding the protection of customer data and use of AI?
- Is AI processing limited to fully licensed commercial enterprise AI services?
- Will institutional data be used or processed by any shared AI services?
- Do you have safeguards in place to protect institutional data and data privacy from unintended AI queries or processing?

