...
How do guardrails work? | The language model operates within a set structure, using only the data provided by the organization to ensure its responses comply with specific standards and do not include external information not given by the company. Furthermore, by including citations in each reply, the origin of the information used in the responses can be traced. |
What tooling is used for pseudonymisation? | A local model is employed, executed directly within the cluster and independent of OpenAI, to recognize names and entities. These identified elements are subsequently substituted with anonymized tokens, which are later restored to their original form. |
How is Document ingestion maintained? | We maintain multiple default ingestion pipelines for the different types of files. See the documentation here: Ingestion Customers can build their own in the context of our Co-Development Agreement if needed. We are improving continuously to get the best possible results for the RAG. |
How long is the retention period for uploaded files? | Clients can configure their retention period for uploaded files how they want. Most of our clients have set it between 2-7 days. |
Are the sources always shared with the users? | Yes, Unique adds references to each answer to indicate to the user where the information is coming from. This happens through the RAG process. |
Can automated workflows be executed? | Yes, we already have customers that use our API to execute workflows autonomously without the intervention of a user. |
How is a continuous feedback loop orchestrated? | As an admin, you can export the user feedback as CSV on demand. There will be monthly meetings with the project lead to analyze the feedback and derive improvement options. |
Can your system integrate with various Identity Providers (IDPs), and does it support seamless user provisioning and login with credentials from external systems? | The IDP can be integrated into our system. Your logins can be used, and users are automatically provisioned. We support the following list: https://zitadel.com/docs/guides/integrate/identity-providers |
What gets anonymized and how does it work? | The anonymization service processes the prompt intended for the OpenAI Endpoint by performing Named-Entity Recognition. It replaces identified entities with placeholders before sending them to the model. Once the model responds, the anonymized placeholders are replaced with the original identifying data. The user will not receive the anonymized entities in the response. Additionally, the data is stored in subscription databases, which are exclusively accessible by the client. |
What happens with client names in the recordings, are they anonymized? | Clients show up as “Participant X” in the recording transcripts until you explicitly assign a name to them. After that, they are recognized by name on other recordings in the same deal. |
How flexible can new services be developed and tested? | This can be done independently developed, and tested. Each developer can run an independent version of FinanceGPT on their local machine to develop without interfering with others. |
How would customized workflows be prepared and released? | If you develop your own assistants that are not coming as part of the default, these assistants need to be deployed. The deployment can be orchestrated by you or us. Below you find a drawing explaining the process. |
Can we view defined users or applications in the tenant? | Yes, this is possible. |
Is there monitoring and alerting for the network? | Yes. |
Is encryption and integrity protection in place for all external (public) network traffic that potentially carries sensitive information? | Yes. |
Do you use an automated source code analysis tool to detect security defects in code prior to production? | Yes, GH Advanced security and trivy. |
What service hosting models and deployment models are provided as part of Unique services? |
|
Is a website supported, hosted, or maintained that has access to customer systems and data? | Yes. |
...
Has a Data Protection Impact Assessment (DPIA) been undertaken for the processing activities. | Yes. |
Have you engaged a third party to assess your organization's privacy compliance? | Yes, ISO 27001 and also SOC 2 Type 1. |
Are the services provided by you outsourced or delegated to any third party and if yes, which parts and to whom? | Yes, Microsoft cloud services. |
Do you notify your tenants when you make material changes to your privacy policy? | Yes. |
What data gets collected for a recording call? | In general, we fetch meeting events from your calendar. We only fetch deal-related data and only data of Unique users and never from the whole organization. |
Is personal data collected from the data subject or from any other sources? | No. |
How is Customer Identifiable Data (CID) handled at Unique? |
|
How do we make sure people do not upload documents they are not allowed to upload? | Uploading documents can be restricted by roles. Furthermore, we encourage you to build your own DLP to prevent ingestion of sensitive data. DLP integration can also be done with us. Refer to: https://unique-ch.atlassian.net/wiki/x/CIDmHQ |
Which sub-processors do you work with? | All mandatory and optional subprocessors are listed in our DPA which can be found here: Trust at Unique. |
Does Unique monitor its (sub)processors to ensure that they are in compliance with applicable privacy legislation? How often do you monitor them? | Yes, we monitor them yearly. |
Do subcontractors such as backup vendors, hosting providers, etc. have access to customer systems and data or processing facilities? | Subcontractors may have access to the cloud provider (Microsoft Azure). |
Has Unique appointed a Data Protection Officer? | Yes (voluntary appointment). |
Is there a privacy awareness training program? If yes, how often are the trainings conducted for the employees? | Yes, during onboarding and yearly. |
Is there a process in place that enables individuals to exercise their data subject rights (e.g., access, update, or correct their personal data)? | Yes. |
If you transfer personal data to a third country, are appropriate safeguards (e.g. Standard Contract Clauses, Binding Corporate Rules) in place? | No, data remains in Switzerland. However, some OpenAI services can come from Europe if agreed. |
Is there a breach notification process in place? | Yes. |
Does Unique process client personal data as a: controller, joint-controller, or processor? | Processor |
Are Cookies used for performance, tracking, analytics, and personalization purposes and can contain non-identifiable/aggregated extracts of such information? | No. Unique does not use any tracking on enterprise tenants, this is only the case on our public SaaS offering. |
What security-relevant events are logged on your servers, workstations, firewalls, and switches? | Authentication events, access logs, error logs, risky sign-ins in Entra, audit logs |
Is there a designated individual responsible for: | Yes, the CDO is responsible for all of those. |
Is there a documented privacy policy or procedures for the protection of personal information collected, transmitted, processed, or maintained on behalf of the clients? | Yes, more information can be found here: https://www.unique.ch/privacy |
...