
Introduction to Unique Compliance Layer (PPT)

In the given context, the compliance layer refers to a set of principles, processes, and control structures established by Unique to comply with legal, regulatory, and internal requirements for our banking customers. It is a mechanism that protects the organisation from compliance breaches and ensures that it adheres to generally accepted market standards and codes of conduct and data protection principles, in Switzerland and Europe.

Overview

[Figure: overview diagram of the Unique compliance layer]

Details on different layers

1A. Deployment Models

Different deployment models are available:

  1. Multi-tenant on Unique cloud

  2. Single/bank-specific tenant on Unique cloud

  3. Single/bank-specific tenant on bank cloud (customer-managed tenant)

  4. On-premise

Clients can choose the most appropriate deployment model and incorporate their security and data protection requirements.

1B. FSI Amendments

We also have in place the recommended FSI amendments for our contracts with Microsoft. In detail:

  • M453 – FINMA. This is the financial services amendment (FSA) and the jurisdiction-specific companion amendment (Switzerland), including FINMA requirements such as audit rights.

  • M744 – bank secrecy. This includes professional secrecy and industry-specific terms regarding banking secrecy.

  • M329 – CH data protection. This is the amendment for Switzerland regarding the Microsoft Products and Services Data Protection Addendum.

1C. No data storage by Azure OpenAI services and opt-out of the human review process

Unique chose to opt out of the logging and human review process of the Azure OpenAI service by Microsoft. This option is available for highly sensitive industries such as FSI. This means that no data is stored by Microsoft Azure OpenAI services. If this opt-out is not chosen, Microsoft's general data retention period is 30 days. Microsoft Azure OpenAI services are currently available in Europe and Switzerland.

2. Data hosting location is Switzerland only

All client data (including CID) is stored and hosted in Switzerland (Microsoft Cloud, Switzerland North region) if the client chooses so via a contractual agreement (other locations are also possible). For Azure OpenAI services, data is only processed and is never stored (see also the opt-out of the human review process in 1C).

We also performed a Transfer Impact Assessment for Microsoft Inc. according to the method of D. Rosenthal (leading Tech Lawyer in Switzerland). Results can be shared upon request.

3. Data Leakage Prevention (DLP), no data storage by Azure OpenAI services, opt-out of the human review process with Microsoft, no data used for training purposes

DLP: Unique offers an API to connect your Data Leakage Prevention (DLP) solution to check whether any CID or PII data has been entered by users. For details, please refer here.

When working with Microsoft Azure OpenAI Services no data (incl. client data) is stored by Microsoft or OpenAI.

As noted in 1C, Unique chose to opt out of the logging and human review process of the Azure OpenAI service by Microsoft. This option is available for highly sensitive industries such as FSI. This means that no data is stored by Microsoft Azure OpenAI services. If this opt-out is not chosen, Microsoft's general data retention period is 30 days. Microsoft Azure OpenAI services are currently available in Europe and Switzerland.

Unique and Microsoft do not use any client data for training purposes of AI or any other neural network models.

In addition, Unique also follows Responsible AI Principles:

  • Privacy & Security: AI systems should be secure and respect privacy

  • Inclusiveness: AI systems should empower everyone and engage people

  • Accountability: People should be accountable for AI systems

  • Transparency: AI systems should be understandable

  • Fairness: AI systems should treat people fairly

  • Reliability & Safety: AI systems should perform reliably and safely

4. Restricted Access to data

We have built an access concept, including processes and controls, that defines who can see what. In addition, clients can choose how these processes and controls are made auditable (e.g., via audit logs). Unique’s restricted access concept involves the following parts (which can be customized and adjusted to the customer-specific setup and needs):

  • Role-based access based on the bank's Active Directory

  • Privileged access management (PAM), privileged identity management (PIM)

  • Key management (done by Unique or bring your own key)

  • Encryption of data in transit and at rest

  • Audit logs

  • Two-factor authentication

  • Strong password and login policy

  • Terms and Conditions for end-users

  • Regular threat modelling workshops

  • Enrolled in a bug bounty program

  • Additional security measures possible: e.g., MS Lockbox, Confidential Computing

5. Privacy by Design and Default

Privacy by design and default are fundamental principles for Unique, guiding our commitment to protecting client data. From the inception of our software solutions, during software development and also for UI/UX design, we prioritize the integration of robust privacy measures, ensuring that data protection is built into our products and services. This approach not only complies with Swiss and European data protection regulations but also fosters trust among our clients. By default, our systems are configured to prioritize user privacy, granting individuals control over their data while minimizing the need for additional user intervention.

We further place high importance on responsible AI and our AI-generated content is protected in several ways:

  1. Content Protection through AI-Generated Watermarks: Employ AI-generated watermarks to safeguard content integrity.

  2. End-User Terms and Conditions (T&Cs): Provide comprehensive Terms and Conditions for end-users, ensuring legal clarity.

  3. Client and Employee Training: Deliver training programs for both clients and employees to enhance security awareness and competence.

  4. Awareness Campaigns and Security Knowledge Sharing: Execute awareness campaigns and promote the sharing of security insights and best practices.

  5. AI Policy Implementation: Enforce a robust AI policy to govern responsible AI use within the organization.

  6. Adherence to OWASP Responsible AI Framework: Comply with the OWASP Responsible AI framework, ensuring ethical and secure AI practices.

6. Feedback loop

We have built in a feedback loop in all our Gen-AI based features. This is twofold:

  1. Empowering User Control (“Human in the Loop”): Users have the option to modify AI-generated output, ensuring control and also adding a personalized touch.

  2. Soliciting User Feedback on AI Output:
     • We encourage users to provide feedback on the AI-generated content to gauge its alignment with their expectations.
     • To maintain security, we caution users not to share any confidential information when providing feedback.

7. Skillset and training

Unique possesses specialized expertise in Swiss local law, demonstrating a comprehensive understanding of the legal landscape – both from a legal and an IT security perspective. Our proficiency extends to the intricate realm of data protection specifications, ensuring compliance with stringent Swiss regulations at all times. Furthermore, our in-depth knowledge of FINMA guidelines underscores our commitment to offering solutions aligned with the intricacies of Switzerland’s financial regulatory framework. The accuracy of these claims will be validated through an external audit process, substantiated by both SOC 2 / ISAE 3000 Type 1 and Type 2 assessments and a FINMA report.

Whitepaper on Compliance Layer

Link:

