...

What are the LLMs that can be used?

Any provisioned model can be connected to the system via config. So far, all OpenAI models have been tested:

  • GPT 3.5 - GPT 3.5-Turbo

  • GPT 4-Turbo - GPT 4-Turbo

  • GPT 4-Vision (in various minor versions)

Other LLMs:

  • Mistral AI - Zephyr AI

Can models be customised / bring our own models?

Yes, we even have customers that are doing this.

Is there a platform available for conducting automated tests and comparing results for custom models?

Yes, through benchmarking, it is possible to perform comparisons.

This process is documented here: Benchmarking https://unique-ch.atlassian.net/wiki/x/AQDJIw

How can one train, test, and deploy a model for use with Unique’s solution?

So far, we have not directly trained a model ourselves; instead, our customers have undertaken this task. However, our Data-Science team has provided support and guidance to them throughout the process.

Does one need to use Azure AI Studio?

There's no need to restrict yourself to Azure AI Studio exclusively. As long as the model can be provisioned, we are capable of integrating it.

Is it possible to implement version control for models, such as maintaining a development version, publishing a beta version, and continuing to use a previous version?

Yes, within the system, each prompt allows for the selection of the model and its version at will. We practice this on a regular basis, especially with the release of new minor or preview versions from Azure OpenAI.

Can models be shared by user-groups?

Yes, it can be scoped by user-groups.

Can models be restricted by user-groups?

Yes, it can be restricted by user-groups.

Can token consumption be followed by model or by user-groups?

This feature is currently under development and not available yet.

However, an Analytics Framework with downloadable CSV-Reports is already in place and covers these points:

  • User Engagement

  • Assistant Usage

  • Most referenced files

Read more about this here: Analytics

A report incl. consumption by assistant/model is planned for Q2 2024.

Are there several types of prices depending on the models used?

Our pricing model remains fixed; however, the costs of the underlying models set by Microsoft are subject to change and are transparently communicated back to you. Prices may fluctuate. We offer guidance on which prompts require specific models.

How is visibility kept on the costs related to the API usage?

We report the costs generated on the Subscription on a monthly basis. In the early days of the project, we can negotiate a faster rhythm.

Is it possible to set token limits for each model or user group, including actions like sending alerts or shutting down the API?

This feature is not available yet and currently under development, planned for Q3 2024.

Is it possible to grant standard access to ChatGPT-3.5, replacing the direct access currently provided to certain staff members?

Yes, this is even included in the base configuration of Unique. You can even give access to ChatGPT-4.

Is your solution offered on the MS Marketplace?

Unique is currently not offered in the MS Marketplace.

What tests have been done to select the appropriate LLM models?

We conducted benchmarks using our documents, and our clients performed similar tests. This process helps us select the most suitable models for each prompt or use case. While we have evaluated other models, we found that they do not yet match the performance of GPT-4, especially in situations requiring RAG.

...

How do you process the data? 

All data is encrypted in transit and at rest. We minimize the data we store to only include what is needed. For more details please refer to: https://help.unique.app/en/articles/72879-your-data-at-unique

Is personal information accessed, disclosed, processed, transmitted or retained by third parties across national borders? 

For financial institutions: processing only on OpenAI API in Switzerland. Possible also in Amsterdam, NL or Paris, FR.

For others: Speech-to-text (Optional, Frankfurt, DE), tracking (Optional, EU), OpenAI API (Amsterdam, NL). 

Are there documented policies and procedures for cross-border data flows or transfers of client data within the EU and Switzerland? 

Yes, Standard Contractual Clauses (SCC) and DPA (Finma-rs-2008-21-20200101.pdf) for tracking providers.

Is the voice sample of Unique biometric data?

No, because Unique voice samples cannot allow or confirm the unique identification of a natural person.

How is my data segregated from other customers' data?

If you choose the Platform as a Service deployment option, your data is logically separated from other customers. If you have stronger requirements regarding tenant separation, the single tenant deployment option completely physically separates your data from other customers in your own Azure landing zone.

Do you logically and physically segregate production and non-production environments?

Yes.

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

Yes.

For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?

Usually not, but can be added if needed.

Is physical and logical user access to audit logs restricted to authorized personnel?

Yes.

Will my data be used to train any models or fine-tune models?

No. No client data will be used without explicit written consent from the client.

Does the Azure OpenAI Model learn from my data?

No, Azure OpenAI models never learn from data and Unique has an opt-out available from output checking with Microsoft.

Will my data be sent to “unsafe, third countries”?

No. All data remains in Switzerland for data hosting and processing. If you choose the single tenant or customer tenant deployment option, then no client data will leave your dedicated single tenant.

Do you have a data processing agreement in place?

Yes, we do have a DPA: https://www.unique.ch/data-processing-addendum .

Do you have Terms of Use?

Yes, we do have Terms of Use for end users.

Does Microsoft Switzerland share data with Microsoft US (based on the so called CLOUD Act)?

No, data is never shared between Microsoft CH and Microsoft US.

Does the US government have access to the data on Azure CH (based on the CLOUD Act)?

Not directly. Based on the CLOUD Act, the US government can request access to any data outside the US, regardless of where it is stored, if a judge approves the request.

Did you perform a Transfer Impact Assessment (TIA) for Microsoft Inc. as they are headquartered in the US and there is a risk of lawful access from the US?

Yes, we performed a TIA and the probability of lawful access is close to zero. Details can be shared upon request.

When using Microsoft Azure OpenAI services, is any data shared/stored with OpenAI?

Unique closely partners with Microsoft to offer GenAI solutions in a secured and controlled environment: when working with Unique and using Microsoft Azure OpenAI Services, users are using an enterprise and private instance of OpenAI’s ChatGPT packaged and hosted by Microsoft Switzerland (prompts and answers are not shared with OpenAI or Microsoft; to be precise: Microsoft processes the data but never stores the data).

Are prompts attributable to specific users or organizations (when no identifying information is included in the prompt)? If no, can you provide evidence of the controls?

Prompts are associated with a specific user (audit logs) via login credentials. If you choose the single tenant or customer tenant deployment option this data will only be stored in the client specific tenant. 

Do you have controls in place to ensure the foundational model was not trained with prohibited or biased content?

We rely on Microsoft public statements that they will cover costs for IP infringements in case needed (Customer Copyright Commitment Required Mitigations | Microsoft Learn). 

Is the model data de-identified, aggregated, and anonymized?

No. We will integrate your DLP to run on audit logs after user interaction. 

Have you performed any independent audits or validation of AI model outputs?

We perform regular internal tests and compare different models (see Benchmarking https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/600342544 ). This has not been part of an external validation report so far. 

Are you a data controller or data processor?

We are acting as a data processor of your data only.

Is data protection for Azure OpenAI preview services less than for GA (General Availability Services)?

  1. In the DPA of Microsoft (Nov 2023 version) it is stated that in preview mode you may employ lesser or different privacy and security measures than those typically present in the Products and Services.

  2. Per client and if agreed, we activated the opt-out for all versions and subscriptions for the client. However, Microsoft reserves the right for preview services to store and access output and prompts for harmful content despite the opt-out for preview services. Read more here.

  3. Some other limitations are that preview services are not covered by the SLA and do not offer European Data Boundary Service. We see these points as not critical. Read more about MS Privacy & Security terms.

Is there a documented process to reasonably authenticate or verify an individual's request prior to fulfilling their request for access to their personal information?  

Yes.

Are agreements with third parties who have access to or potential access in place?

Yes, we have a DPA that outlines confidentiality, audit, security, and privacy, including but not limited to incident response, ongoing monitoring, limitations on data use, limitations on data sharing, return of data, and secure disposal of privacy data.

Is there a policy or procedure for information handling (storing, processing, and communicating) consistent with its classification that has been approved by management, communicated to appropriate constituents and assigned an owner to maintain and periodically review? 

Yes.

Do you support the secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?

Yes.

Is Scoped Data sent or received via physical media? 

No.

Is Scoped Data sent or received electronically? 

Yes.

Is all Scoped Data sent or received electronically encrypted in transit within the network? 

All external channels are TLS 1.2+ encrypted.

Will data be accessed, modified, or stored on mobile devices?

No.

...

Where is client data hosted? 

We work together with Microsoft Switzerland and our data is stored in the Azure Cloud in Switzerland. 

Are there any other locations outside Switzerland where data is stored? 

Not for Swiss Financial Institutions. European Financial Institutions can choose the Netherlands, France or the UK as their data storage and processing location.

For recording, are there any other locations outside Switzerland where data is stored?

Only if recorded through the app or uploaded manually on the Unique Portal: in that case, the recording is temporarily (1 hour) stored in Frankfurt, Germany for transcription. Otherwise, no.

Is regulated or confidential customer data stored in a database? 

Yes, we store voice profiles to identify meeting participants. The company can opt out so that the voice print is only used for diarization and not saved.

Are voice profiles kept and used for subsequent calls? What are all other purposes where these voice profiles/prints are used?

Yes, if the company did not opt out. Voice prints are used:

  • to identify persons in uploaded calls. After opting out, this is no longer possible.

  • to manually redo the diarization for a call. After opting out, quality drops but not significantly.

Where is personal data stored for audio and video recordings?

They are stored as media files in the Microsoft Azure Blob Storage.

Where is personal data stored for transcripts and reports?

They are stored at Microsoft Azure AKS, Postgres.

What databases store personal data?

As we use both Postgres and MongoDB, both databases store personal data.

Where are the videos saved that you record?

On Microsoft Azure cloud hosted in Switzerland protected by enterprise security standards of Microsoft. 

Are there backups that are stored on removable media (e.g., disks, tapes, etc.)?

We do not store backups on removable media.

How can companies safely deploy the Unique Moments App on employees' mobile phones without compromising data protection and security?

The Unique Moments App is one of the few apps that support Mobile Device Management (MDM/MAM) via Microsoft Intune. It is listed on the website for Microsoft Intune protected apps. This means that clients can benefit from Advanced Device Management which simplifies the management of mobile devices securely and efficiently as well as improved App Management and stronger Data Protection with powerful encryption and enforced compliance checks.

Data Retention

How long is client data stored?

Data is stored for the duration of the contract or until you delete it. Data backups are stored for an additional 30 days after removal of the data. Logs are stored for a year for compliance and security purposes. 

How long will our inputs/prompts be retained if submitted via the user interface?

Prompts are not stored. All relevant data, including prompts and output, is processed in memory in the model and never stored. Neither Unique nor Microsoft use prompts or any customer data to train the AI model.

How long will our inputs/prompts be retained if submitted via the API?

Prompts are not stored. All relevant data, including prompts and output, is processed in memory in the model and never stored. Neither Unique nor Microsoft use prompts or any customer data to train the AI model.

Are there different data retention policies for the user interface versus the API?

No.

If the personal data of individuals is retained by your organization, are there processes (e.g., mail, phone, electronic) and procedures to enable individuals to view, access, correct, amend, or delete inaccurate information? 

Yes, through self-service. All data can be corrected through the app by all internal participants of a call. 

...

As a SaaS provider, which clauses do you cover for the Unique GenAI services and products?

  • Data Processing Agreement (DPA) (if Unique/Client are subject to data protection law)

  • Use of data by Unique is restricted (Unique does not use client data for AI training etc.; details can be agreed in individual contract)

  • Cross-border data transfer safeguarded (if personal data is at issue this is a standard compliance requirement)

  • No sale of data to third parties (Unique does not sell any client-related data; also not on an aggregated level)

  • Adequate information security (Unique ensures that client data remains secure and Unique lives up to the highest confidentiality promise)

  • Confidentiality obligation

  • Right to use the output

  • Acceptable use policy/Terms of Use

Note: each client contract is discussed individually, and Unique may adjust to your specific settings.

Which clauses does a usual Unique contract cover?

We start with a Master Service Agreement (MSA) as the main body of the contract, with the following Annexes (some of them are optional, and what is needed is decided individually, client by client):

Annex 1          Description of the Service

Annex 2          Service Level Agreement (SLA)

Annex 3          Statement of Work (SOW)

Annex 4          Remuneration and payment terms

Annex 5          Data Processing Agreement

Annex 6          Banking Secrecy Declaration

Annex 7          Co-Development collaboration

Annex 8          Terms of Use

Annex 9          Local Agreements

Do you offer co-development agreements?

Yes.

Do you have specific § on Intellectual Property rights?

Yes.

Do you have specific § for the deletion of the data after contract expires?

Yes, following the termination of the contract, Unique will have the customer's data permanently deleted without retaining a copy, except where required by law, or where deletion is not reasonably possible (e.g., backups).

Can the contract be focused on a certain region / country (data localization)?

Yes, Unique can store (and process) customer data exclusively in the geographical regions agreed with the customer, including for the purposes of customer support, security operations and abuse control. Data localization may be available only for certain services (e.g. if client chooses to work with Microsoft, then only certain regions are available for Azure OpenAI Services).

How does Unique ensure that you comply with AI Regulations?

Yes, Unique’s services, products and activities are in compliance with AI regulations applicable to both Unique and the customer, including [in any event/if applicable] the EU AI Act (work in progress).

Does Unique adhere to the EU AI Act?

Yes, we have performed a conformity assessment for each use case. In addition, we are in the process of obtaining a legal opinion by an external lawyer to also have an independent assessment.

Does Unique use watermarking for AI-generated content?

Yes, this can be customized and Unique can agree with the client on the content of watermarking (e.g. which user message will appear), frequency (how often is the user reminded) and also customize watermarking requirements of the client.

Is there a specific § in the contract on audit trails / logging?

Yes, Unique enables the customer to fully document, by way of logs, the input, the output and other use of its services, products or activities. Such logs are immutable. Logs can be provided via an API on a user level. Via API, the customer gets access to the logs and can retain them for at least one year or any other period defined on customer side.

How does Unique ensure explainability of GenAI Services?

Unique provides the customer with the necessary documentation and other information to permit the customer to reasonably understand (i) how the AI components used in or by the services, products and activities work and (ii) why, in principle, the AI has generated the output or made the decision it has made (which requires an understanding of the basic logic of the AI and the data it relies upon when applying it). Please also refer to AI Governance and Benchmarking https://unique-ch.atlassian.net/wiki/x/AQDJIw.

Does Unique cover Human-in-the-loop / Human Oversight concept when providing GenAI services to clients?

Yes, Unique offers services and features for customers to be able to maintain human oversight. We are also actively collaborating with customers to further advance human oversight across various use cases for setting the appropriate risk levels and control measures.

In addition, users are actively encouraged to review GenAI generated output (see Terms of Use).

How does Unique ensure Abuse Monitoring?

For most of Unique’s clients, we will work with Microsoft and Azure OpenAI Services. In this case, prompts will not be stored on Microsoft Azure as we opted out for abuse monitoring, preventing Microsoft from saving the prompts.

Unique and the customer can agree on how and by whom (either Unique or the customer) the services, the use of the products or the activities are monitored for potential abusive use by their users. See also Data Leakage Prevention (DLP).

Do you do content filtering?

Azure OpenAI Service includes a content filtering system aimed at detecting and preventing harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions.

Content filtering happens without storing the prompts. Also, abuse monitoring by Microsoft, in which prompts are stored for 30 days and manually reviewed, is deactivated.

More information from Microsoft: https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter?tabs=warning%2Cpython-new

Recording

How is the bot communicating with Teams/Zoom/Google Meet?

It is joining the call as a meeting participant and recording the audio and video.

What is the output of the bot recording the meeting?

Recording of the meeting as video/audio, transcript, and statistics.

What happens if there is an interruption in the internet connection during a recording?

If there is no internet connection during a recording, the app does not upload anything. Once the device goes back online and the user opens the app, the upload process starts. If a recording fails, it is still stored on the phone, but the user has the option to delete it.

What happens if the app is closed unexpectedly during a recording?

The recording is immediately stopped and processed for uploading once the app is back in a consistent state.

Will there be a push notification or any other notification if there is an interruption in the recording?

We currently do not have push notifications implemented, but we have a short onboarding message that instructs users to go back to the app if something happens. We are also working on implementing a pause functionality for recordings.

What happens as soon as the recording is stopped?

The audio-file is transferred to the Unique Azure platform and the file is deleted on the phone.

Is the audio-file protected on the phone and only usable with the Unique App?

Yes.

What happens if a transfer to the Unique Azure platform gets interrupted (no connection, failure, no battery and other cases)?

The audio files are stored on the smartphone.

Can a failed transfer be deleted in the Azure Unique Application?

A failed transfer can be deleted from the phone (failed means it did not reach the Azure Unique Application, so there is no need for deletion there).

Could you provide a diagram of the data flow between the audio recording and Azure’s AI speech service?

Here is a nostalgic diagram that shows the data flows of the state machine with speech:

...