...

Can one configure custom prompts?

Yes, all Prompts can be completely customized.

Is there a platform available for conducting automatic tests on prompts, including comparing results, etc.?

Yes, we have a benchmarking tool that automatically tests hundreds of prompts against the data and models that are in the system.

Is it possible to implement version control for prompts, such as maintaining a development version, publishing a beta version, and continuing to use a previous version?

Yes, it is possible to apply version control to all prompts within the system, allowing for the independent experimentation of new prompts without affecting those that are already operational. This facilitates the development of new prompts and Assistants.

Can prompts be shared by user-groups?

Yes, prompts can be defined by user-groups.

Can one get feedback for the prompts?

Yes, there is a feedback mechanism for each answer so the users can give feedback on the quality of the prompts.

Can one call configured prompts from an API?

Yes, this is possible.

Is it possible to configure unique disclaimers for each prompt?

Yes, disclaimers for each prompt can be configured by the system's Admin, who has the ability to set disclaimers per user-group.

How are updates carried out?

Currently, updates are done via API, but a User Interface is expected to be launched in April.

Is chat history, encompassing questions and answers, stored somewhere, or are only the details of the current chat session retained? If stored, where is this information kept?

The chat history is stored in two places:

  • Audit Logs

  • In the history of the user, saved in a database accessible only by the client and not by Unique

Prompts will not be stored on Microsoft Azure as we opted out of abuse monitoring, preventing Microsoft from saving the prompts.

How does Unique FinanceGPT prevent CID information in user prompts?

In principle, Unique's users are strongly warned not to paste any CID or personal data when using FinanceGPT. In addition, technically:

  • FinanceGPT uses a pseudonymization layer which pseudonymizes any sensitive and client-identifying information before sending any prompt to the processing model

  • Data is replaced with placeholders before the prompt is sent to the model, and once the model generates a response, the anonymized placeholders are replaced with the original identifying data

Large Language Models (LLMs)

...

How do guardrails work?

The language model operates within a set structure, using only the data provided by the organization to ensure its responses comply with specific standards and do not include external information not given by the company.

Furthermore, by including citations in each reply, the origin of the information used in the responses can be traced.
Additionally, extra safeguards can be implemented into the chat flow as needed, particularly if the user input encompasses forbidden or harmful material.

What tooling is used for pseudonymisation?

A local model is employed, executed directly within the cluster and independent of OpenAI, to recognize names and entities. These identified elements are subsequently substituted with anonymized tokens, which are later restored to their original form.

How is Document ingestion maintained?

We maintain multiple default ingestion pipelines for the different types of files.

See the documentation here: Ingestion

Customers can build their own in the context of our Co-Development Agreement if needed. We are improving continuously to get the best possible results for the RAG.

How long is the retention period for uploaded files?

Clients can configure the retention period for uploaded files as they wish. Most of our clients have set it between 2 and 7 days.

Are the sources always shared with the users?

Yes, Unique adds references to each answer to indicate to the user where the information is coming from. This happens through the RAG process.

Can automated workflows be executed?

Yes, we already have customers that use our API to execute workflows autonomously without the intervention of a user.

How is a continuous feedback loop orchestrated?

As an admin, you can export the user feedback as CSV on demand. There will be monthly meetings with the project lead to analyze the feedback and derive improvement options.

Can your system integrate with various Identity Providers (IDPs), and does it support seamless user provisioning and login with credentials from external systems?

The IDP can be integrated into our system. Your logins can be used, and users are automatically provisioned.

We support the following list: https://zitadel.com/docs/guides/integrate/identity-providers

What gets anonymized and how does it work?

The anonymization service processes the prompt intended for the OpenAI Endpoint by performing Named-Entity Recognition. It replaces identified entities with placeholders before sending them to the model. Once the model responds, the anonymized placeholders are replaced with the original identifying data. The user will not receive the anonymized entities in the response. Additionally, the data is stored in subscription databases, which are exclusively accessible by the client.
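The pseudonymization flow described in the three passages above (entity recognition, placeholder substitution before the model call, restoration of the originals in the answer), as an added Python example that is not Unique's code: the regex detector stands in for the local NER model, the model call is a stub, and the sample prompt with its name, IBAN and e-mail address is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in for the local entity recognizer (assumption: the real
# deployment runs a local NER model; these regexes only illustrate the flow).
PATTERNS = {
    "PERSON": re.compile(r"\b(?:Mr|Ms|Dr)\.? [A-Z][a-z]+\b"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{1,4}){3,7}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
PLACEHOLDER = re.compile(r"<[A-Z]+_\d+>")


@dataclass
class Pseudonymizer:
    """Per-request placeholder table. It stays on the client side; only the
    pseudonymized prompt is sent to the hosted model."""
    mapping: dict = field(default_factory=dict)   # placeholder -> original
    counters: dict = field(default_factory=dict)  # label -> last index used

    def _placeholder(self, label: str, value: str) -> str:
        # A repeated value gets the same placeholder, so the model sees one
        # consistent reference to the same entity.
        for ph, original in self.mapping.items():
            if original == value:
                return ph
        n = self.counters.get(label, 0) + 1
        self.counters[label] = n
        ph = f"<{label}_{n}>"
        self.mapping[ph] = value
        return ph

    def pseudonymize(self, text: str) -> str:
        spans = [(m.start(), m.end(), label, m.group())
                 for label, pat in PATTERNS.items() for m in pat.finditer(text)]
        # Longest match first at each offset; skip spans overlapping a kept one.
        spans.sort(key=lambda s: (s[0], -(s[1] - s[0])))
        out, pos = [], 0
        for start, end, label, value in spans:
            if start < pos:
                continue
            out.append(text[pos:start])
            out.append(self._placeholder(label, value))
            pos = end
        out.append(text[pos:])
        return "".join(out)

    def restore(self, text: str) -> str:
        # Put the originals back into the answer. A placeholder the model
        # invented (not in the table) is left as-is rather than guessed, so
        # it stays visible for review instead of silently becoming data.
        return PLACEHOLDER.sub(lambda m: self.mapping.get(m.group(0), m.group(0)), text)


def leaked_values(sent_prompt: str, p: Pseudonymizer) -> list:
    """Pre-send check: originals still present in the outgoing prompt (should be empty)."""
    return [v for v in p.mapping.values() if v in sent_prompt]


def process(prompt: str, model: Callable[[str], str]) -> tuple:
    """Full round trip: pseudonymize -> model call -> restore."""
    p = Pseudonymizer()
    sent = p.pseudonymize(prompt)
    if leaked_values(sent, p):
        raise ValueError("identifying data would leave the client boundary")
    return sent, p.restore(model(sent))


def fake_model(prompt: str) -> str:
    # Constructed stand-in for the hosted LLM; like a real answer, it refers
    # back to the placeholders it was given.
    return "Draft reply: " + prompt


if __name__ == "__main__":
    # Constructed sample; the name, IBAN and address are made up.
    print(process("Summarize the file of Mr. Keller (IBAN CH93 0076 2011 6238 5295 7, "
                  "mr.keller@example.com). Mr. Keller asked for a callback.", fake_model))
```

The placeholder table is the sensitive artifact in this design: it must be kept with the client-side history, never logged alongside the outgoing prompt.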

What happens with client names in the recordings? Are they anonymized?

Clients show up as “Participant X” in the recording transcripts until you explicitly assign a name to them. After that, they are recognized by name on other recordings in the same deal.

How flexible can new services be developed and tested?

New services can be developed and tested independently. Each developer can run an independent version of FinanceGPT on their local machine to develop without interfering with others.

How would customized workflows be prepared and released?

If you develop your own assistants that are not part of the default set, these assistants need to be deployed.

The deployment can be orchestrated by you or us.

Below you find a drawing explaining the process.

Can we view defined users or applications in the tenant?

Yes, this is possible.

Is there monitoring and alerting for the network?

Yes.

Is encryption and integrity protection in place for all external (public) network traffic that potentially carries sensitive information?

Yes.

Do you use an automated source code analysis tool to detect security defects in code prior to production?

Yes, GitHub Advanced Security and Trivy.

What service hosting models and deployment models are provided as part of Unique services? 

  1. Multi-tenant

  2. Single tenant on UNIQUE Cloud

  3. Single tenant on Customer Cloud (=customer managed tenant)

  4. On-premise

Is a website supported, hosted, or maintained that has access to customer systems and data? 

Yes.

...

Has a Data Protection Impact Assessment (DPIA) been undertaken for the processing activities?

Yes.

Have you engaged a third party to assess your organization's privacy compliance?

Yes, ISO 27001 and also SOC 2 Type 1.

Are the services provided by you outsourced or delegated to any third party and if yes, which parts and to whom?

Yes, Microsoft cloud services.

Do you notify your tenants when you make material changes to your privacy policy?

Yes.

What data gets collected for a recording call?

In general, we fetch meeting events from your calendar. We only fetch deal-related data and only data of Unique users and never from the whole organization.

Is personal data collected from the data subject or from any other sources?

No.

How is Customer Identifiable Data (CID) handled at Unique?

  1. CID is pseudonymized, anonymized, or encrypted through technical measures,

  2. additional organizational measures are taken (e.g., careful password management, regulation of scope of access, etc.), and

  3. contractual measures to ensure confidentiality must be implemented (e.g., note in the contract that CID will be processed by data processors abroad, with reference to the measures you have taken to ensure confidentiality in accordance with FINMA requirements).

How do we make sure people do not upload documents they are not allowed to upload?

Uploading documents can be restricted by roles. Furthermore, we encourage you to build your own DLP to prevent ingestion of sensitive data. DLP integration can also be done with us. Refer to: https://unique-ch.atlassian.net/wiki/x/CIDmHQ

Which sub-processors do you work with? 

All mandatory and optional subprocessors are listed in our DPA which can be found here: Trust at Unique.

Does Unique monitor its (sub)processors to ensure that they are in compliance with applicable privacy legislation? How often do you monitor them?

Yes, we monitor them yearly.

Do subcontractors such as backup vendors, hosting providers, etc. have access to customer systems and data or processing facilities?

Subcontractors may have access to the cloud provider (Microsoft Azure).

Has Unique appointed a Data Protection Officer?

Yes (voluntary appointment).

Is there a privacy awareness training program? If yes, how often are the trainings conducted for the employees?

Yes, during onboarding and yearly.

Is there a process in place that enables individuals to exercise their data subject rights (e.g., access, update, or correct their personal data)?

Yes.

If you transfer personal data to a third country, are appropriate safeguards (e.g. Standard Contract Clauses, Binding Corporate Rules) in place?

No, data remains in Switzerland unless agreed otherwise. However, some OpenAI services can come from Europe if agreed.

Is there a breach notification process in place?

Yes.

Does Unique process client personal data as a: controller, joint-controller, or processor?

Processor

Are cookies used for performance, tracking, analytics, and personalization purposes, and can they contain non-identifiable/aggregated extracts of such information?

No. Unique does not use any tracking on enterprise tenants; tracking is only used on our public SaaS offering.

What security-relevant events are logged on your servers, workstations, firewalls, and switches?

Authentication events, access logs, error logs, risky sign-ins in Entra, and audit logs.

Is there a designated individual responsible for:
a. the development and implementation of the privacy program?
b. the development of privacy-related policies and procedures?
c. and has the authority to monitor compliance with the organization's privacy policy and procedure.

Yes, the CDO is responsible for all of those.

Is there a documented privacy policy or procedures for the protection of personal information collected, transmitted, processed, or maintained on behalf of the clients? 

Yes, more information can be found here: https://www.unique.ch/privacy

...

How do you adhere to the data security measures implemented on the data source when querying data in the vector database?

We have dedicated access controls applied to adhere to this.

Is the client notified when unauthorized access to scoped systems and data is confirmed? 

Yes, within 72h as required by GDPR (or other timelines if agreed with the client in the respective contract). 

Is there a process maintained to identify and record any detected or reported unauthorized disclosure of personal information? 

Yes, we have a dedicated data breach notification process.

Do you notify your tenants when you make material changes to your information security policies?

Yes.

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Yes, we conduct automated pentests and bug bounty programs.

Do you retain security event logs for at least 12 months, and do you monitor them regularly?

Yes, we regularly review these logs and retain them in case we need to investigate a security incident.

Is there a process in place to identify and report privacy incidents including notification to external authorities as required by applicable privacy or cyber security law?  

Yes, this is also part of our data breach notification process.

Session Management: what are the session timeouts for different operations?

Session management concerns authentication/authorization, not internal operations like transcription. All user session timeouts are configurable, and we can adjust them to your requirements.

Can we restrict access with MFA or IP filtering?

Yes, both options are possible.

Can we have access to audit logs on resource security configuration?

Yes, audit logs are available upon request.

How can the conversation history be extracted?

You can extract your chat history via API.

Is there a process maintained to remove personal data based on the right to be forgotten if applicable to the services provided?

Yes, there is a process in place.

Is full-disk encryption enabled for all systems that store or process customer data?  

Yes, it is.

Is a documented information security policy in place?

Yes, we have a documented information security policy in place, which is reviewed and approved by senior management at least annually.

Do you allow remote access to the applications storing or processing of client information?

Yes, applications are running on Azure, so all access is remote.

Will access rights be established and limited based on specific business requirements?

Yes.

Are user access rights reviewed periodically? 

Yes.

Where required by access control policy, will access to systems and applications be password protected?

Yes.

Are you able to restrict access to your service based on the client IP address or on an otherwise uniquely identifiable attribute of the accessing machines?

Yes.

Are customer systems and data used in the test, development, or QA environments?

No, they are strictly separated.

Do you have a system for Privileged Access Management (PAM)?

Yes, Azure Entra PIM.

Are user IDs shared? If yes, for what purposes?

Yes, shared user IDs are allowed. We have controls in place to establish accountability for user actions.

Is there a documented access control policy on least privilege and need-to-know principle?

Yes, the policy is reviewed, validated, and approved annually.

Is access to applications, operating systems, databases, and network devices provisioned according to the principle of least privilege?

Yes, it is.

How is the Database Encryption implemented?

Encryption at rest with customer-managed keys; encryption in transit with TLS >= 1.2.

Does Unique have controls in place to disable, within 24 hours, the accounts of users who no longer need access (e.g., left the company or transferred to a new role)?

Yes, we do.

Is there a vulnerability management policy or program that has been approved by management, communicated to the appropriate constituent, and an owner assigned to maintain and review the policy?

Yes.

Is there a responsible person for compliance and security policies?

Yes, we have an information security individual.

Is there a password policy for systems that transmit, process, or store customer systems and data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices?

Yes.

Are applications used to transmit, process, or store customer data?

Yes.

Does Unique address: employee hiring, employee termination, code of conduct, ethics, and non-disclosure agreements?

Yes, we have a defined policy/procedure to address these.

Is there a documented security awareness training program in place?

Yes, these trainings are provided to employees at the time of joining and regularly thereafter.

Is there a third-party risk management program in place?

Yes, we have a third-party risk management program in place, and risk assessments are conducted by Microsoft at the time of onboarding and periodically thereafter.

Are risk assessments performed?

Yes, risk assessments are performed. However, the risk assessments are not performed on an annual basis.

Is there a formalized risk governance plan and a continuous Risk Assessment program that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization?  

Yes, it is designed according to the ISO 9001, ISO 27001, and SOC 2 standards.

Is there a documented third-party risk management program in place for the selection, oversight, and risk assessment of subcontractors? 

Yes.

Is there a set of information security policies that have been approved by management, published and communicated to constituents? 

Yes, an ISMS with a Security Manual for Development and Operations.

Is there an asset management program approved by management, communicated to constituents and an owner to maintain and review? 

Yes, ISMS asset management.

Do secure code reviews include validation checks for the most critical web application security flaws including cross-site scripting, and SQL injection (e.g., OWASP Top 10 vulnerabilities)?

Yes.

Are identified security vulnerabilities remediated before being promoted to production?

No, CI/CD pipelines are not blocked, and vulnerabilities are remediated according to their severity in the timeline required by the Security Manual for Development and Operations.

What controls are in place to protect your systems?

Antivirus software, Anti-malware software, Firewall, Patch management, Endpoint protection, Least privilege principle, Security Information and Event Management (SIEM) 

Are anti-virus/malware signatures updated at least daily? Is there at least a weekly scheduled full scan of workstations and servers?

Yes, antivirus/malware signatures are updated daily. 

Are all servers configured according to security standards as part of the build process? 

Yes.

Does Unique use AI/GenAI components as part of its cyber defense?

No, we do not use AI/GenAI in our cyber defense.

Are internal systems required to pass through a content filtering proxy prior to accessing the internet?

No, and we do not maintain a blacklist of malicious websites.

Are firewalls in place to enable filtering traffic, logging traffic, inspecting protocols for non-compliance, restricting outbound connections on a need-to-know basis, and potentially incorporating threat intelligence information such as malicious IPs?

No, we do not have such firewalls in place.

Is a documented change management/change control process in place?

Yes, we have this formally documented and enforced.

Are periodic vulnerability, manual penetration, and system security testing performed to determine the adequacy of network and system protection?

Yes.

Do you have the capability to patch vulnerabilities across all of your computing devices, applications, and systems?

Yes.

Are all available high-risk security patches applied and verified on network devices? 

Yes.

Are End User Devices (Desktops, Laptops, Tablets, Smartphones) used for transmitting, processing, or storing customer data?

No.

Do you run vulnerability scans?

Yes.

How do you determine whether your network infrastructure is affected by vulnerabilities that require patching?

Security advisories and MS Defender for Cloud.

At what frequency do you perform external penetration tests against your systems and services?

Monthly.

Does customer data sent or received electronically include protection against malicious code by network virus inspection or virus scan at the endpoint?

No.

For scans performed on incoming and outgoing emails, are there phishing preventions included? 

Yes, an external email warning header and label.

Are unique individual IDs required for user authentication to applications, operating systems, databases, and network devices?

Yes.

Is Multi-Factor Authentication enforced and deployed? 

Yes, enforced for every employee at Unique.

...

As a SaaS provider, which clauses do you cover for the Unique GenAI services and products?

  • Data Processing Agreement (DPA) (if Unique/Client are subject to data protection law)

  • Use of data by Unique is restricted (Unique does not use client data for AI training etc.; details can be agreed in individual contracts)

  • Cross-border data transfer safeguarded (if personal data is at issue this is a standard compliance requirement)

  • No sale of data to third parties (Unique does not sell any client-related data; also not on an aggregated level)

  • Adequate information security (Unique ensures that client data remains secure and Unique lives up to highest confidentiality promise)

  • Confidentiality obligation

  • Right to use the output

  • Acceptable use policy/Terms of Use

Note: each client contract is discussed individually, and Unique may adjust to your specific settings.

Which clauses does a usual Unique contract cover?

We start with a Master Service Agreement (MSA) as the main body of the contract, with the following Annexes (some of them are optional; which ones are needed is decided individually, client by client):

Annex 1: Description of the Service

Annex 2: Service Level Agreement (SLA)

Annex 3: Statement of Work (SOW)

Annex 4: Remuneration and payment terms

Annex 5: Data Processing Agreement

Annex 6: Banking Secrecy Declaration

Annex 7: Co-Development Collaboration

Annex 8: Terms of Use

Annex 9: Local Agreements

Do you offer co-development agreements?

Yes.

Do you have a specific § on Intellectual Property rights?

Yes.

Do you have a specific § for the deletion of the data after the contract expires?

Yes, following the termination of the contract, Unique will have the customer's data permanently deleted without retaining a copy, except where required by law, or where deletion is not reasonably possible (e.g., backups).

Can the contract be focused on a certain region/country (data localization)?

Yes, Unique can store (and process) customer data exclusively in the geographical regions agreed with the customer, including for the purposes of customer support, security operations, and abuse control. Data localization may be available only for certain services (e.g. if the client chooses to work with Microsoft, then only certain regions are available for Azure OpenAI Services).

How does Unique ensure that you comply with AI Regulations?

Unique’s services, products, and activities are in compliance with AI regulations applicable to both Unique and the customer, including [in any event/if applicable] the EU AI Act (work in progress).

Does Unique adhere to the EU AI Act?

Yes, we have performed a conformity assessment for each use case. In addition, we are in the process of obtaining a legal opinion from an external lawyer to also have an independent assessment.

Does Unique use watermarking for AI-generated content?

Yes, this can be customized: Unique can agree with the client on the content of the watermarking (e.g. which message the user will see), its frequency (how often the user is reminded), and any further watermarking requirements of the client.

Is there a specific § in the contract on audit trails/logging?

Yes, Unique enables the customer to fully document, by way of logs, the input, the output, and other uses of its services, products, or activities. Such logs are immutable. Logs can be provided via an API on a user level. Via API, the customer gets access to the logs and can retain them for at least one year or any other period defined on the customer side.

How does Unique ensure the explainability of GenAI Services?

Unique provides the customer with the necessary documentation and other information to permit the customer to reasonably understand (i) how the AI components used in or by the services, products, and activities work and (ii) why, in principle, the AI has generated the output or made the decision it has made (which requires an understanding of the basic logic of the AI and the data it relies upon when applying it). Please also refer to AI Governance and https://unique-ch.atlassian.net/wiki/x/AQDJIw.

Does Unique cover a Human-in-the-loop / Human Oversight concept when providing GenAI services to clients?

Yes, Unique offers services and features for customers to be able to maintain human oversight. We are also actively collaborating with customers to further advance human oversight across various use cases for setting the appropriate risk levels and control measures.

In addition, users are actively encouraged to review GenAI-generated output (see Terms of Use).

How does Unique ensure Abuse Monitoring?

For most of Unique’s clients, we work with Microsoft and Azure OpenAI Services. In this case, prompts will not be stored on Microsoft Azure, as we opted out of abuse monitoring, preventing Microsoft from saving the prompts.

Unique and the customer can agree on how the services, the use of the products, or the activities are monitored for potential abusive use by their users, and on who performs that monitoring (Unique or the customer). See also Data Leakage Prevention (DLP).

Do you do content filtering?

Azure OpenAI Service includes a content filtering system that is aimed at detecting and preventing harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions.

Content filtering happens without storing the prompts. Microsoft's abuse monitoring, under which prompts would be stored for 30 days and reviewed manually, is deactivated.

More information from Microsoft: https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter?tabs=warning%2Cpython-new

...