Frequently Asked Questions (FaQ)


Prompts

Can one configure custom prompts?

Yes, all Prompts can be completely customized.

Can one configure custom prompts?

Yes, all Prompts can be completely customized.

Is there a platform available for conducting automatic tests on prompts, including comparing results, etc.?

Yes, we have a benchmarking that automatically tests hundreds of prompts against the data and models that are in the system.

Is it possible to implement version control for prompts, such as maintaining a development version, publishing a beta version, and continuing to use a previous version?

Yes, it is possible to apply version control to all prompts within the system, allowing for the independent experimentation of new prompts without affecting those that are already operational. This facilitates the development of new prompts and Assistants.

Can prompts be shared by user-groups?

Yes, prompts can be defined by user-groups.

Can one get feedback for the prompts?

Yes, there is a feedback mechanism for each answer so the users can give feedback on the quality of the prompts.

Can one call configured prompts from an API?

Yes, this is possible.

Is it possible to configure unique disclaimers for each prompt?

Yes, disclaimers for each prompt can be configured by the system's Admin, who has the ability to set disclaimers per user-group.

How are updates carried out?

Currently, updates are done via API, but a User Interface is expected to be launched in April.

Is chat history, encompassing questions and answers, stored somewhere, or are only the details of the current chat session retained? If stored, where is this information kept?

The chat history is stored in two places:

  • Audit Logs

  • In the history of the user, saved in a database accessible only by the client and not Unique

Prompts will not be stored on Microsoft Azure as we opted out of abuse monitoring, preventing Microsoft from saving the prompts.

How Unique FinanceGPT prevents CID information in user prompts?

In principle, Unique's users are strongly warned not to paste any CID or personal data when using FinanceGPT; In addition, technically:

  • FinanceGPT uses a pseudonymization layer which pseudonymizes any sensitive and client-identifying information before sending any prompt to the processing model

  • Data is replaced with placeholders before the prompt is sent to the model, and once the model generates a response, the anonymized placeholders are replaced with the original identifying data

 

Large Language Models (LLMs)

What are the LLMs that can be used?

Any provisioned models can be connected to the system via config. So far all, OpenAI Models have been tested:

  • GPT-3.5 - GPT-3.5-Turbo

  • GPT-4 - GPT 4-Turbo

  • GPT-4 Vision (in various minor versions)

  • GPT-4o

Other LLM’s:

  • Mistral AI - Zephyr AI

Is the availability of Azure OpenAI models restricted to certain regions?

Yes, the availability of Azure OpenAI models is dependent on the deployment region. The specific models available in each region can be checked on the Azure website:

Azure OpenAI Service models - Azure OpenAI

This page is regularly updated, allowing users to see when new models become available in different regions.

Will Azure retire OpenAI models over time?

Yes, Microsoft does retire OpenAI models over time. Information about model retirements is provided on the Azure page under “Model Retirements.”

Azure OpenAI Service model retirements - Azure OpenAI

This section includes a table listing the current models, their versions, and the retirement dates. Clients will be informed in advance about any model retirements, as well as new models becoming available in their region.

What is the difference between model retirement and deprecation communicated by Azure for their provided OpenAI models?

The difference between retirement and deprecation of a model is important to understand:

  • Retirement: This refers to when a model is completely removed and is no longer available for use. After the retirement date, clients can no longer use the model as it will be removed from the Azure service.

  • Deprecation: Deprecation occurs before retirement. After a model is deprecated, it can no longer be deployed or provisioned for new clients. However, if a client is already using the model, they can continue to do so until the retirement date. No new deployments of the deprecated model are allowed, but existing deployments will still function until the model is fully retired.

Can models be customized/bring our own models?

Yes, we even have customers that are doing this.

Is there a platform available for conducting automated tests and comparing results for custom models?

Yes, through benchmarking, it is possible to perform comparisons.

There is a documentation for this process: https://unique-ch.atlassian.net/wiki/x/AQDJIw

How can one train, test, and deploy a model for use with Unique’s solution?

So far, we have not directly trained a model ourselves; instead, our customers have undertaken this task. However, our Data-Science team has provided support and guidance to them throughout the process.

Does one need to use Azure AI Studio?

There's no need to restrict yourself to Azure AI Studio exclusively. As long as the model can be provisioned, we are capable of integrating it.

Is it possible to implement version control for models, such as maintaining a development version, publishing a beta version, and continuing to use a previous version?

Yes, within the system, each prompt allows for the selection of the model and its version at will. We practice this on a regular basis, especially with the release of new minor or preview versions from Azure OpenAI.

Can models be shared by user-groups?

Yes, it can be scoped by user-groups.

Can models be restricted by
user-groups?

Yes, it can be restricted by user-groups.

Can token consumption be followed by model or by user-groups?

This feature is currently under development and not available yet.

However, an Analytics Framework with downloadable CSV-Reports is already in place and covers these points:

  • User Engagement

  • Assistant Usage

  • Most referenced files

Read more about this here: Analytics

A report incl. consumption by assistant/model is planned for Q2 2024.

Are there several types of prices depending on the models used?

Our pricing model remains fixed, however, the costs of the underlying models set by Microsoft are subject to change and are transparently communicated back to you. Prices may fluctuate. We offer guidance on which prompts require specific models.

How is visibility kept on the costs related to the API usage?

We report the costs generated on the Subscription on a monthly basis. In the early days of the project, we can negotiate a faster rhythm.

Is it possible to set token limits for each model or user group, including actions like sending alerts or shutting down the API?

This feature is not available yet and is currently under development, planned for Q3 2024.

Is it possible to grant standard access to ChatGPT-3.5, replacing the direct access currently provided to certain staff members?

Yes, this is even included in the base configuration of Unique. You can even give access to ChatGPT-4.

Is your solution offered on the MS Marketplace?

Unique is currently not offered in the MS Marketplace.

What tests have been done to select the appropriate LLM models?

We conducted benchmarks using our documents, and our clients performed similar tests. This process helps us select the most suitable models for each prompt or use case. While we have evaluated other models, we found that they do not yet match the performance of GPT-4, especially in situations requiring RAG.

 

Services

How do guardrails work?

The language model operates within a set structure, using only the data provided by the organization to ensure its responses comply with specific standards and do not include external information not given by the company.

Furthermore, by including citations in each reply, the origin of the information used in the responses can be traced.
Additionally, extra safeguards can be implemented into the chat flow as needed, particularly if the user input encompasses forbidden or harmful material.

What tooling is used for pseudonymisation?

A local model is employed, executed directly within the cluster and independent of OpenAI, to recognize names and entities. These identified elements are subsequently substituted with anonymized tokens, which are later restored to their original form.

How is Document ingestion maintained?

We maintain multiple default ingestion pipelines for the different types of files.

See the documentation here: Ingestion

Customers can build their own in the context of our Co-Development Agreement if needed. We are improving continuously to get the best possible results for the RAG.

How long is the retention period for uploaded files?

Clients can configure their retention period for uploaded files how they want. Most of our clients have set it between 2-7 days.

Are the sources always shared with the users?

Yes, Unique adds references to each answer to indicate to the user where the information is coming from. This happens through the RAG process.

Can automated workflows be executed?

Yes, we already have customers that use our API to execute workflows autonomously without the intervention of a user.

How is a continuous feedback loop orchestrated?

As an admin, you can export the user feedback as CSV on demand. There will be monthly meetings with the project lead to analyze the feedback and derive improvement options.

Can your system integrate with various Identity Providers (IDPs), and does it support seamless user provisioning and login with credentials from external systems?

The IDP can be integrated into our system. Your logins can be used, and users are automatically provisioned.

We support the following list: ZITADEL Docs

What gets anonymized and how does it work?

The anonymization service processes the prompt intended for the OpenAI Endpoint by performing Named-Entity Recognition. It replaces identified entities with placeholders before sending them to the model. Once the model responds, the anonymized placeholders are replaced with the original identifying data. The user will not receive the anonymized entities in the response. Additionally, the data is stored in subscription databases, which are exclusively accessible by the client.

What happens with client names in the recordings, are they anonymized? 

Clients show up as “Participant X” in the recording transcripts until you explicitly assign a name to them. After that, they are recognized by name on other recordings in the same deal.

How flexible can new services be developed and tested?

This can be done independently developed, and tested. Each developer can run an independent version of FinanceGPT on their local machine to develop without interfering with others.

How would customized workflows be prepared and released?

If you develop your own assistants that are not coming as part of the default, these assistants need to be deployed.

The deployment can be orchestrated by you or us.

Below you find a drawing explaining the process.

Can we view defined users or applications in the tenant?

Yes, this is possible.

Is there monitoring and alerting for the network?

Yes.

Is encryption and integrity protection in place for all external (public) network traffic that potentially carries sensitive information?

Yes.

Do you use an automated source code analysis tool to detect security defects in code prior to production?

Yes, GH Advanced security and trivy.

What service hosting models and deployment models are provided as part of Unique services? 

  1. Multi-tenant

  2. Single tenant on UNIQUE Cloud

  3. Single tenant on Customer Cloud (=customer managed tenant)

  4. On-premise

Is a website supported, hosted, or maintained that has access to customer systems and data? 

Yes.

 

Architecture, RAG, Vectors, and more

What technologies are used in the RAG pattern?

For Vectorisation, the embedding model ADA from Azure OpenAI’s is used.

To learn more about our Architecture, see here: Architecture

We use Qdrant to save the vector and the metadata (self-hosted).

For saving text, we use Postgres (Azure service).

Why is vector DB Qdrant being used?

Qdrant performs very well on metadata filtering and similarity search compared to others. This is also needed for ACL

Do you duplicate data and store a local copy of indexed documents?

Yes, we store the data locally.

What are the existing connectors?

  • Sharepoint (online/on-prem)

  • Confluence (online/on-prem)

  • Website-Crawlers

Can a local (on-premise) vector database be used?

If Unique is deployed on-prem, yes.  But in phase 1, it’s a workload we deploy on Azure fully encrypted.

Do connectors support images, video, and sound indexation?

Currently not, though we are exploring options with GPT-4 Vision.

Can hook be added in the dataflow to check data before indexing?

Planned for Q3 2024 in product roadmap

Can hook be added to enrich metadata during indexing?

Planned for Q3 2024 in product roadmap

How is the lifecycle of indexed documents managed?

The same documents are replaced with the new version. Content owners are responsible for deduplication.

What are the supported languages?

Unique supports the languages that are listed and offered on Azure:
Language support - Speech service - Azure AI services

Can multiple context sources, like vector databases + custom databases be used?

Yes, this is possible.

Is there an initial limit on the documents provided?

No, but it’s useful to only index what is truly needed, this makes the quality control easier. Documents are taken in and transformed by our ingestion workers into markdown. Markdown is then broken apart into chunks preserving titles with paragraph connections. And tables with headings so that the ideal context is given to the models at retrieval time.

Are the sources of information selected automatically?

Yes, this is fully automatic.

What limitations on documents are there?

Images on documents are not yet included in the ingestion process.

Can defined users or applications be viewed in the tenant?

Yes, this is possible.

How can the chatbot in web applications be integrated?

This can be achieved by utilizing Unique's APIs or by employing Iframe-like functionalities for front-end display.

Can the solution be integrated with Microsoft Dynamic CRM on-premise?

Yes, this is possible.

Can Semantic Kernel with indexation, prompt, and models be used?

Yes, this is possible.

Can LangChain be used to interact with indexation, prompts, and models?

Yes, any Python can be used with our APIs/SDK.

See details about the APIs/SDK here: Software Development Kit (SDK)

How long does a typical RAG request take?

Time to streaming the answer is around 3-5 seconds depending on the use case.

 

Cloud Computing & Development

What features does the Cloud service offer?

Measured service: to control and optimize resource use by leveraging a metering capability.
Resource pooling: where the cloud computing resources are pooled to serve multiple consumers.

Upon the contract termination, what happens to the data?

Data is securely erased/destroyed and returned to the client in a defined time frame when requested.

Are technical measures applied for defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing)?

No, we do not have technical measures that provide defense-in-depth for detection and timely response to network-based attacks.

What is the strategy implemented to ensure the availability of the services providing enough processing power, storage space, and network bandwidth?

Systems are autoscaling on Azure cloud, monitoring and alerting in case of unavailabilities.

Is the data encrypted both while in transit from/to the tenant and at rest in the cloud infrastructure?

Yes, for the Unique hosted single tenant at rest Azure generated keys are stored in its own Key Vault. These are HSM-backed (FIPS 140-2 Level 2) 4096-bit RSA keys. The disks are encrypted with FIPS 140-2 compliant AES256 encryption standard.
In transit, it's at least TLS 1.2, TLS 1.3 protocol.

What are the policies and procedures for access?

We have established policies and procedures for permissible storage and access to authorized identities based on rules of least privilege and business necessity.

Are applications and APIs reviewed for security vulnerabilities?

Yes, this is done to address any issues prior to deployment to production.

Is virtualization used in services provided?

Yes, and KPI/SLAs are tracked for reporting. However, we do not have a hypervisor vulnerability management in place.

Is capacity planning conducted to prevent any redirection of contracted capacity to other tenants?

Yes, capacity planning is conducted on an ad-hoc basis when the utilization reaches a threshold limit to prevent any redirection of contracted capacity to other tenants without approval.

For forensic analysis over any security breach of data in the cloud infrastructure, can the following be made available (logs, traces, hard disk images, etc.)

Yes, logs, traces, hard disk images, etc. will be made available for forensic analysis over any security breach of data.

Does Unique have a formal change management process, covering all service changes?

Yes, our SDLC adheres to our formal change management process.

Is the client or its hired third party allowed to conduct penetration testing of the cloud infrastructure hosting the data?

Yes, penetration testing is allowed.

What tests are conducted before releasing applications to production?

We conduct tests such as penetration tests, manual code reviews, SAST scans, DAST scans, and IAST scans before releasing.

Does Unique have a continuous assurance process during the release?

Yes during the release, operations to verify application and infrastructure-level vulnerabilities are patched in a regular manner.

Is there a documented software development lifecycle (SDLC) process and what does it include?

Yes, our (SDLC) program includes performing threat modeling and designing, implementing, and testing application-level controls. It follows industry-recognized security standards and good practices.

Why are JWTs stored in the browser's local storage when it is recommended to store them in cookies?

Not storing the JWT in a cookie prevents a whole class of vulnerabilities with CSRF. On the other hand, it is easier for an attacker to misuse the token in case of a successful XSS attack. To compensate for this issue we created a restrictive CSP to make it impossible for a successful XSS attack to exfiltrate the token to an external domain not already registered in our CSP.

Do you regularly perform static and dynamic code analysis? If so, could you please provide some details on how and how often you do it?

Yes, we do for Github advanced security CodeQL, trivy, and Bug bounty programs for penetration tests.

Does the software contain third-party-developed components?

Yes, and we have implemented controls to test and verify these components.

Are development and production environments segregated, at least on a logical level?

Yes, we have segregated development and production environments.

Are audit logs maintained and reviewed for all program library updates?

Yes, we review and maintain audit logs for all program library updates. In addition, we have security controls in place to secure the audit logs.

Are developers trained in "Secure Code Developing Techniques"?

Yes, we train our developers during the onboarding.

Is a session management methodology used with the application?

Yes.

Is open-source or third-party software tracked specifically for security information?

Yes.

 

Data Protection

How do you process the data? 

All data is encrypted in transit and at rest. We minimize the data we store to only include what is needed. For more details please refer to: Your recording data at Unique | Unique FinanceGPT Help Center

Is personal information accessed, disclosed, processed, transmitted, or retained by third parties across national borders? 

For financial institutions: processing only on OpenAI API in Switzerland. Possible also in Amsterdam, NL, or Paris, FR.

For others: Speech-to-text (Optional, Frankfurt, DE), tracking (Optional, EU), OpenAI API (Amsterdam, NL). 

Are there documented policies and procedures for cross-border data flows or transfers of client data within the EU and Switzerland? 

Yes, Standard Contractual Clauses (SSC) and DPA (Finma-rs-2008-21-20200101.pdf) for tracking providers. 

Is the voice sample of Unique biometric data?

No, because Unique voice samples cannot allow or confirm the unique identification of a natural person.

How is my data segregated from other customers' data?

If you choose the Platform as a Service deployment option your data is logically separated from other customers. If you have stronger requirements regarding tenant separation the single tenant deployment option completely physically separates your data in your own Azure landing zone from other customers.

Do you logically and physically segregate production and non-production environments?

Yes.

Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?

Yes.

For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?

Usually not, but can be added if needed.

Is physical and logical user access to audit logs restricted to authorized personnel?

Yes.

Will my data be used to train any models or fine-tune models?

No. No client data will be used without explicit consent in written form from the client.

Does the Azure OpenAI Model learn from my data?

No, Azure OpenAI models never learn from data and Unique has an opt-out available from output checking with Microsoft.

Will my data be sent to “unsafe, third countries”?

No. All data remains in Switzerland for data hosting and processing. If you chose the single tenant or customer tenant deployment option then no client data will leave your dedicated single tenant.

Do you have a data processing agreement in place?

Yes, we do have a DPA: https://www.unique.ch/data-processing-addendum .

Do you have Terms of Use?

Yes, we do have Terms of Use for end users.

Does Microsoft Switzerland share data with Microsoft US (based on the so-called CLOUD Act)?

No, Data is never shared between Microsoft CH and Microsoft US. 

Does the US government have access to the data on Azure CH (based on the CLOUD Act)?

Not directly. The US government can request access to any data outside the US, regardless of where it is stored, based on the CLOUD Act if a judge approves the request.

Did you perform a Transfer Impact Assessment (TIA) for Microsoft Inc. as they are headquartered in the US and there is a risk of lawful access from the US?

Yes, we performed a TIA and the probability of lawful access is close to zero. Details can be shared upon request.

When using Microsoft Azure OpenAI services, is any data shared/stored with OpenAI?

Unique closely partners with Microsoft to offer GenAI solutions in a secured and controlled environment: when working with Unique and using Microsoft Azure OpenAI Services, users are using an enterprise and private instance of OpenAI’s ChatGPT packaged and hosted by Microsoft Switzerland (prompts and answered are not shared with OpenAI nor Microsoft; to be precise: Microsoft processes the data but never stores the data).

Are prompts attributable to specific users or organizations (when no identifying information is included in the prompt)? If not, can you provide evidence of the controls?

Prompts are associated with a specific user (audit logs) via login credentials. If you choose the single tenant or customer tenant deployment option this data will only be stored in the client-specific tenant. 

Do you have controls in place to ensure the foundational model was not trained with prohibited or biased content?

We rely on Microsoft public statements that they will cover costs for IP infringements in case needed (Customer Copyright Commitment Required Mitigations | Microsoft Learn). 

Is the model data de-identified, aggregated, and anonymized?

No. We will integrate your DLP to run on audit logs after user interaction. 

Have you performed any independent audits or validation of AI model outputs?

We perform regular internal tests and compare different models. This has not been part of an external validation report so far. 

Are you a data controller or data processor?

We are acting as a data processor of your data only.

Is data protection for Azure OpenAI preview services less than for GA (General Availability Services)?

  1. In the DPA of Microsoft (Nov 2023 version) it is stated that in preview mode you may employ lesser or different privacy and security measures than those typically present in the Products and Services.

  2. Per client and if agreed, we activated the opt-out for all versions and subscriptions for the client. However, Microsoft reserves the right for preview services to store and access output and prompts for harmful content despite the opt-out for preview services. Read here more.

  3. Some other limitations are that preview services are not covered by the SLA and do not offer European Data Boundary Service. We see these points as not critical. Read more about MS Privacy & Security terms.

Is there a documented process to reasonably authenticate or verify an individual's request prior to fulfilling their request for access to their personal information?  

Yes.

Are agreements with third parties who have access to or potential access in place?

Yes, we have a DPA that outlines confidentiality, audit, security, and privacy, including but not limited to incident response, ongoing monitoring limitations on data use, limitations on data sharing, return of data, and secure disposal of privacy data.

Is there a policy or procedure for information handling (storing, processing, and communicating) consistent with its classification that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review? 

Yes.

Do you support the secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?

Yes.

Is Scoped Data sent or received via physical media? 

No.

Is Scoped Data sent or received electronically? 

Yes.

Is all Scoped Data sent or received electronically encrypted in transit within the network? 

All external channels are TLS 1.2+ encrypted.

Will data be accessed, modified, or stored on mobile devices?

No.

 

Data Storage

Where is client data hosted? 

We work together with Microsoft Switzerland and our data is stored in the Azure Cloud in Switzerland. 

Are there any other locations outside Switzerland where data is stored? 

Not for Swiss Financial Institutions. European Financial Institutions can choose the Netherlands, France, or the UK as their data storage and processing location.

For recording, are there any other locations outside Switzerland where data is stored?

Only if recorded through the app or uploaded manually on the Unique Portal the recording is temporarily (1 hour) stored in Frankfurt, Germany for transcription. Otherwise, no.

Is regulated or confidential customer data stored in a database? 

Yes, we store voice profiles to identify meeting participants. The company can opt out such that the voice print is only used for diarization and not saved.

Are voice profiles kept and used for subsequent calls? What are all other purposes where these voice profiles/prints are used?

Yes, if the company did not opt-out. Voice prints are used:

  • to identify persons in uploaded calls. When opt out, not possible anymore.

  • to manually redo the diarization for a call. When opting out, quality drops but not significantly.

Where is personal data stored for audio and video recordings?

They are stored as media files in the Microsoft Azure Blob Storage.

Where is personal data stored for transcripts and reports?

They are stored at Microsoft Azure AKS, Postgres.

What databases store personal data?

As we use both Postgres and MongoDB, both databases store personal data.

Where are the videos saved that you record?

On Microsoft Azure cloud hosted in Switzerland protected by enterprise security standards of Microsoft. 

Are there backups that are stored on removable media (e.g., disks, tapes, etc.)?

We do not store backups on removable media.

How can companies safely deploy the Unique Moments App on employees' mobile phones without compromising data protection and security?

The Unique Moments App is one of the few apps that support Mobile Device Management (MDM/MAM) via Microsoft Intune. It is listed on the website for Microsoft Intune-protected apps. This means that clients can benefit from Advanced Device Management which simplifies the management of mobile devices securely and efficiently as well as improved App Management and stronger Data Protection with powerful encryption and enforced compliance checks.

 

Data Retention

How long is client data stored?

Data is stored for the duration of the contract or until you delete it. Data backups are stored for an additional 30 days after removal of the data. Logs are stored for a year for compliance and security purposes. 

How long will our inputs/prompts be retained if submitted via the user interface?

Prompts are not stored. All relevant data, including prompts and output, is processed in memory in the model and never stored. Neither Unique nor Microsoft use prompts or any customer data to train the AI model.

How long will our inputs/prompts be retained if submitted via the API?

Prompts are not stored. All relevant data, including prompts and output, is processed in memory in the model and never stored. Neither Unique nor Microsoft use prompts or any customer data to train the AI model.

Are there different data retention policies for the user interface versus the API?

No.

If the personal data of individuals is retained by your organization, are there processes (e.g., mail, phone, electronic) and procedures to enable individuals to view, access, correct, amend, or delete inaccurate information? 

Yes, through self-service. All data can be corrected through the app by all internal participants of a call. 

 

Data Privacy

Has a Data Protection Impact Assessment (DPIA) been undertaken for the processing activities.

Yes.

Have you engaged a third party to assess your organization's privacy compliance?

Yes, ISO 27001 and also SOC 2 Type 1.

Are the services provided by you outsourced or delegated to any third party and if yes, which parts and to whom?

Yes, Microsoft cloud services.

Do you notify your tenants when you make material changes to your privacy policy?

Yes.

What data gets collected for a recording call?

In general, we fetch meeting events from your calendar. We only fetch deal-related data and only data of Unique users and never from the whole organization.

Is personal data collected from the data subject or from any other sources?

No.

How is Customer Identifiable Data (CID) handled at Unique?

  1. CID is pseudonymized, anonymized, or encrypted through technical measures,

  2. additional organizational measures are taken (e.g., careful password management, regulation of scope of access, etc.) and

  3. contractual measures to ensure confidentiality must be implemented (e.g., note in the contract that CID will be processed by data processors abroad, with reference to the measures you have taken to ensure confidentiality in accordance with FINMA requirements).

How do we make sure people do not upload documents they are not allowed to upload?

Uploading documents can be restricted by roles. Furthermore, we encourage you to build your own DLP to prevent ingestion of sensitive data. DLP integration can also be done with us. Refer to: https://unique-ch.atlassian.net/wiki/x/CIDmHQ

Which sub-processors do you work with? 

All mandatory and optional subprocessors are listed in our DPA which can be found here: Trust at Unique.

Does Unique monitor its (sub)processors to ensure that they are in compliance with applicable privacy legislation? How often do you monitor them?

Yes, we monitor them yearly.

Do subcontractors such as backup vendors, hosting providers, etc. have access to customer systems and data or processing facilities?

Subcontractors may have access to the cloud provider (Microsoft Azure).

Has Unique appointed a Data Protection Officer?

Yes (voluntary appointment).

Is there a privacy awareness training program? If yes, how often are the trainings conducted for the employees?

Yes, during onboarding and yearly.

Is there a process in place that enables individuals to exercise their data subject rights (e.g., access, update, or correct their personal data)?

Yes.

If you transfer personal data to a third country, are appropriate safeguards (e.g. Standard Contract Clauses, Binding Corporate Rules) in place?

No, data remains in Switzerland unless agreed otherwise. However, some OpenAI services can come from Europe if agreed.

Is there a breach notification process in place?

Yes.

Does Unique process client personal data as a: controller, joint-controller, or processor?

Processor

Are Cookies used for performance, tracking, analytics, and personalization purposes and can contain non-identifiable/aggregated extracts of such information?

No. Unique does not use any tracking on enterprise tenants, this is only the case on our public SaaS offering.

What security-relevant events are logged on your servers, workstations, firewalls, and switches?

Authentication events, access logs, error logs, risky sign-ins in Entra, audit logs

Is there a designated individual responsible for:
a. the development and implementation of the privacy program?
b. the development of privacy-related policies and procedures?
c. and has the authority to monitor compliance with the organization's privacy policy and procedure.

Yes, the CDO is responsible for all of those.

Is there a documented privacy policy or procedures for the protection of personal information collected, transmitted, processed, or maintained on behalf of the clients? 

Yes, more information can be found here: https://www.unique.ch/privacy

 

Security & Risk

How do you adhere to the data security measures implemented on the data source when querying data in the vector database?

We have dedicated access controls applied to adhere to this.

Is the client notified when unauthorized access to scoped systems and data is confirmed? 

Yes, within 72h as required by GDPR (or other timelines if agreed with the client in the respective contract). 

Is there a process maintained to identify and record any detected or reported unauthorized disclosure of personal information? 

Yes, we have a dedicated data breach notification process.

Do you notify your tenants when you make material changes to your information security policies?

Yes.

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Yes, we conduct automated pentests and Bug bounty programs.

Do you retain security event logs for at least 12 months, and do you monitor them regularly?

Yes, we regularly review these logs and retain them in case we need to investigate a security incident.

Is there a process in place to identify and report privacy incidents including notification to external authorities as required by applicable privacy or cyber security law?  

Yes, this is also part of our data breach notification process.

Session Management: what are the session timeouts for different operations?

Session management is about authentication/authorization, not about internal operations like transcription. All of the timeouts are configurable and we can adjust them to your liking regarding user sessions.

Can we restrict access with MFA or IP filtering?

Yes, both options are possible.

Can we have access to audit logs on resource security configuration?

Yes, audit logs be available upon request.

How can the conversation history be extracted?

You can extract your chat history via API.

Is there a process maintained to remove personal data based on the right to be forgotten if applicable to the services provided?

Yes, there is a process in place.

Is full-disk encryption enabled for all systems that store or process customer data?  

Yes, it is.

Is a documented information security policy in place?

Yes, we have a documented information security policy in place, which is reviewed and approved by senior management at least annually.

Do you allow remote access to the applications storing or processing of client information?

Yes, applications are running on Azure, so all access is remote.

Will access rights be established and limited based on specific business requirements?

Yes.

Are user access rights reviewed periodically? 

Yes.

Where required by access control policy, will access to systems and applications be password protected?

Yes.

Are you able to restrict access to your service based on the client IP address or on an otherwise uniquely identifiable attribute of the accessing machines?

Yes.

Are customer systems and data used in the test, development, or QA environments?

No, they are strictly separated.

Do you have a system for Privileged Access Management (PAM)?

Yes, Azure Entra PIM.

Are user IDs shared? If yes, for what purposes?

Yes, shared user IDs are allowed. We have controls in place to establish accountability against user actions.

Is there a documented access control policy on least privilege and need-to-know principle?

Yes, the policy is reviewed, validated, and approved annually.

Is access to applications, operating systems, databases, and network devices provisioned according to the principle of least privilege?

Yes, it is.

How is the Database Encryption implemented?

Encryption at rest with customer-managed keys, Encryption in transit with TLS >=1.2

Does Unique have controls in place to disable user accounts, within 24 hours, of users who no longer need access e.g. left the company, or transferred to a new role?

Yes, we do.

Is there a vulnerability management policy or program that has been approved by management, communicated to the appropriate constituent, and an owner assigned to maintain and review the policy?

Yes.

Is there a responsible person for compliance and security policies?

Yes, we have an information security individual.

Is there a password policy for systems that transmit, process, or store customer systems and data that has been approved by management, communicated to constituents, and enforced on all platforms and network devices?

Yes.

Are applications used to transmit, process, or store customer data?

Yes.

Does Unique address: employee hiring, employee termination, code of conduct, ethics, and non-disclosure agreements?

Yes, we have a defined policy/procedure to address these.

Is there a documented security awareness training program in place?

Yes, these trainings are provided to employees at the time of joining and regularly thereafter.

Is there a third-party risk management program in place?

Yes, we have a third-party risk management program in place, and risk assessments are conducted by Microsoft at the time of onboarding and periodically thereafter.

Are risk assessments performed?

Yes, risk assessments are performed. However, the risk assessments are not performed on an annual basis.

Is there a formalized risk governance plan and a continuous Risk Assessment program that identifies, quantifies, and prioritizes risks based on the risk acceptance levels relevant to the organization?  

Yes, it is designed according to the ISO 9001, ISO 27001, and SOC 2 standards.

Is there a documented third-party risk management program in place for the selection, oversight, and risk assessment of subcontractors? 

Yes.

Is there a set of information security policies that have been approved by management, published and communicated to constituents? 

Yes, ISMS with Security Manual for Development and operations.

Is there an asset management program approved by management, communicated to constituents and an owner to maintain and review? 

Yes, ISMS asset management.

Do secure code reviews include validation checks for the most critical web application security flaws including cross-site scripting, and SQL injection (e.g., OWASP Top 10 vulnerabilities)?

Yes.

Are identified security vulnerabilities remediated before being promoted to production?

No, CI/CD pipelines are not blocked, and vulnerabilities are remediated according to their severity in the timeline required by the Security Manual for Development and Operations.

What controls are in place to protect your systems?

Antivirus software, Anti-malware software, Firewall, Patch management, Endpoint protection, Least privilege principle, Security Information and Event Management (SIEM) 

Are anti-virus/malware signatures updated at least daily? Is there at least a weekly scheduled full scan of workstations and servers?

Yes, antivirus/malware signatures are updated daily. 

Are all servers configured according to security standards as part of the build process? 

Yes.

Does Unique use AI/GenAI components as part of its cyber defense?

No, we do not use AI/GenAI in our cyber defense.

Are internal systems required to pass through a content filtering proxy prior to accessing the internet?

No, and we do not maintain a blacklist of malicious websites.

Are firewalls in place to enable filtering traffic, logging traffic, inspecting protocols for non-compliance, restricting outbound connections on a need-to-know basis, and potentially incorporating threat intelligence information such as malicious IPs?

No, we do not have such firewalls in place.

Is a documented change management/change control process in place?

Yes, we have this formally documented and enforced.

Are periodic vulnerability, manual penetration, and system security testing performed to determine the adequacy of network and system protection?

Yes.

Do you have the capability to patch vulnerabilities across all of your computing devices, applications, and systems?

Yes.

Are all available high-risk security patches applied and verified on network devices? 

Yes.

Are End User Devices (Desktops, Laptops, Tablets, Smartphones) used for transmitting, processing, or storing customer data?

No.

Do you run vulnerability scans?

Yes.

How do you determine whether your network infrastructure is affected by vulnerabilities that require patching?

Security advisories and MS Defender for Cloud.

At what frequency do you perform external penetration tests against your systems and services?

Monthly.

Does customer data sent or received electronically include protection against malicious code by network virus inspection or virus scan at the endpoint?

No.

For scans performed on incoming and outgoing emails, are there phishing preventions included? 

Yes, an external email warning header and label.

Are unique individual IDs required for user authentication to applications, operating systems, databases, and network devices?

Yes

Is Multi-Factor Authentication enforced and deployed? 

Yes, enforced for every employee at Unique.

 

Compliance

Do you have an AI Governance in place?

Yes, we do have an AI Governance framework. More details can be found here: AI Governance

Is Unique GDPR compliant?

Yes, we are both GDPR and nDSG compliant. We have implemented technical measures such as data minimization as well as organizational measures like compliance and awareness training.

Is the recording of client conversations legally allowed?

Yes, in the European area as long as the caller asks for consent before recording (it is a GDPR requirement) 

How is consent usually given?

There are two ways:

  1. Individuals can be asked at the start of the call if they consent to the recording.

  2. While providing the link to the meeting as a Unique meeting link it will ask the client for consent before participants join the meeting.

Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual, or business requirements?

Yes.

Is there a process in place to check ongoing compliance with privacy laws/regulation requirements on a regular basis?

Yes.

What logs can we provide around data compliance?

We can provide you with the prompts and responses from the chat upon request.

 

Contract and legal topics

As a SaaS provider, which clauses do you cover for the Unique GenAI services and products?

  • Data Processing Agreement (DPA) (if Unique/Client are subject to data protection law)

  • Use of data by Unique is restricted (Unique does not use client data for AI training etc.; details can be agreed in individual contracts)

  • Cross-border data transfer safeguarded (if personal data is at issue this is a standard compliance requirement)

  • No sale of data to third parties (Unique does not sell any client-related data; also not on an aggregated level)

  • Adequate information security (Unique ensures that client data remains secure and Unique lives up to highest confidentiality promise)

  • Confidentiality obligation

  • Right to use the output

  • Acceptable use policy/Terms of Use

Note: each client contract is discussed individually, and Unique may adjust to your specific settings.

Which clauses does a usual Unique contract cover?

We start with a Master Service Agreement (MAS) as the main body for the contract with the following Annexes (some of them are optional and it will be decided individually client-by-client what is needed):

Annex 1          Description of the Service

Annex 2          Service Level Agreement (SLA)

Annex 3          Statement of Work (SOW)

Annex 4          Remuneration and payment terms

Annex 5          Data Processing Agreement

Annex 6          Banking Secrecy Declaration

Annex 7          Co-Development Collaboration

Annex 8          Terms of Use

Annex 9          Local Agreements

Do you offer co-development agreements?

Yes.

Do you have a specific § on Intellectual Property rights?

Yes.

Do you have a specific § for the deletion of the data after the contract expires?

Yes, following the termination of the contract, Unique will have the customer's data permanently deleted without retaining a copy, except where required by law, or where deletion is not reasonably possible (e.g., backups).

Can the contract be focused on a certain region/country (data localization)?

Yes, Unique can store (and process) customer data exclusively in the geographical regions agreed with the customer, including for the purposes of customer support, security operations, and abuse control. Data localization may be available only for certain services (e.g. if the client chooses to work with Microsoft, then only certain regions are available for Azure OpenAI Services).

How does Unique ensure that you comply with AI Regulations?

Unique’s services, products, and activities are in compliance with AI regulations applicable to both Unique and the customer, including [in any event/if applicable] the EU AI Act.

Does Unique adhere to the EU AI Act?

Yes, we have performed a conformity assessment for each use case. In addition, we are in the process of obtaining a legal opinion from an external lawyer to also have an independent assessment.

Does Unique use watermarking for AI-generated content?

Yes, this can be customized and Unique can agree with the client on the content of watermarking (e.g. which user message will appear), frequency (how often is the user reminded), and also customize watermarking requirements of the client.

Is there a specific § in the contract on audit trails/logging?

Yes, Unique enables the customer to fully document, by way of logs, the input, the output, and other uses of its services, products, or activities. Such logs are immutable. Logs can be provided via an API on a user level. Via API, the customer gets access to the logs and can retain them for at least one year or any other period defined on the customer side.

How does Unique ensure the explainability of GenAI Services?

Unique provides the customer with the necessary documentation and other information to permit the customer to reasonably understand (i) how the AI components used in or by the services, products, and activities work and (ii) why, in principle, the AI has generated the output or made the decision it has made (which requires an understanding of the basic logic of the AI and the data it relies upon when applying it). Please also refer to AI Governance and https://unique-ch.atlassian.net/wiki/x/AQDJIw.

Does Unique cover a Human-in-the-loop / Human Oversight concept when providing GenAI services to clients?

Yes, Unique offers services and features for customers to be able to maintain human oversight. We are also actively collaborating with customers to further advance human oversight across various use cases for setting the appropriate risk levels and control measures.

In addition, users are actively encouraged to review GenAI-generated output (see Terms of Use).

How does Unique ensure Abuse Monitoring?

For most of Unique’s clients, we will work with Microsoft and Azure OpenAI Services. In this case, prompts will not be stored on Microsoft Azure as we opted out for abuse monitoring, preventing Microsoft from saving the prompts.

Unique and the customer can agree on how and who (either done by Unique or the customer) they monitor the services, the use of the products, or the activities for potential abusive use by their users. See also https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/501645320.

Do you do content filtering?

Azure OpenAI Service includes a content filtering system that is aimed at detecting and preventing harmful content. The content filtering system detects and takes action on specific categories of potentially harmful content in both input prompts and output completions.

Content filtering happens without storing the prompts. Also, abuse monitoring by Microsoft where they store prompts for 30 days and manually review is deactivated.

More information from Microsoft: https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter?tabs=warning%2Cpython-new

 

Recording

How is the bot communicating with Teams/Zoom/Google Meet?

It is joining the call as a meeting participant and recording the audio and video.

What is the output of the bot recording the meeting?

Recording of the meeting as video/audio, transcript, and statistics.

What happens if there is an interruption in the internet connection during a recording?

If there is no internet connection during a recording, the app does not upload anything. Once the device goes back online and the user opens the app, the upload process starts. If a recording fails, it is still stored on the phone, but the user has the option to delete it.

What happens if the app is closed unexpectedly during a recording?

The recording is immediately stopped and processed for uploading once the app is back in a consistent state.

Will there be a push notification or any other notification if there is an interruption in the recording?

We currently do not have push notifications implemented, but we have a short onboarding message that instructs users to go back to the app if something happens. We are also working on implementing a pause functionality for recordings.

What happens as soon as the recording is stopped?

The audio file is transferred to the Unique Azure platform and the file is deleted on the phone.

Is the audio file protected on the phone and only usable with the Unique App?

Yes.

What happens if a transfer to the Unique Azure platform gets interrupted (no connection, failure, no battery, and other cases)

The audio files are stored on the Smartphone.

Can a failed transfer be deleted in the Azure Unique Application?

A failed transfer can be deleted from the phone (failed means it did not reach out to Azure Unique Application, so there is no need for deletion there).

Could you provide a diagram of the data flow between the audio recording and Azure’s AI speech service?

Here is a nostalgic diagram that shows the data flows of the state machine with speech:

 

Company & ESG

Description of type of service

Generative AI software (FinanceGPT)

Are software applications provided and what type? 

Yes, cloud-hosted SaaS (Software as a Service) as well as Enterprise version cloud hosted in customer tenant.

How many employees are currently employed?

Around 50 mostly based in Zurich, Switzerland

Is Unique part of a business group?

No

Is Unique privately held?

Yes, it is.

What is the Company Register Number?

CHE-168.949.432

Do you offer 24/7 support?

No

What certifications (e.g., audit, quality, data protection) does Unique comply with?

ISO 9001, ISO 27001, SOC 2 Type 1, ISAE 3402, FINMA outsourcing circular 2018/3 report.

Read here more:https://unique-ch.atlassian.net/wiki/x/BABSHQ
Certificates and reports can be provided upon request.

Does your Company have any technical certifications?

Microsoft Cybersecurity Certification.

Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?

Yes, debt and criminal records are checked.

Are background screenings of applicants performed in line with local laws and regulations for data protection? (e.g. criminal checks, credit checks, academic qualification, reference checks)

Yes, we only conduct a subset of background checks listed on employees, contractors, and third parties.

Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?

Yes, we have a general guideline but not per listed components.

Are there procedures to ensure compliance of intellectual property with all legislative, regulatory, and contractual requirements?

Yes, Privileged access management, Master Service Agreement, and SLA.

Are there any other services already provided by the Service Provider?

Yes, meeting recording and transcription service.

Are personnel trained and provided with awareness programs at least once a year?

Yes.

Is there an anti-corruption/anti-bribery policy in place?

Yes.

What regulatory frameworks does Unique have in place?

nDSG, GDPR

Is there a documented incident management policy in place?

Yes, we have covered information security-related incidents, which are reviewed and approved annually.

Is an escalation matrix defined in the incident management policy? 

Yes, we have. In addition, timely reports are produced and distributed to relevant stakeholders are notified.

Is business impact analysis (BIA) conducted to identify critical functions/processes, SPOFs (Single Points of Failures), and the associated recovery requirements?

No, it is not conducted.

Is there a risk-based Business Continuity and Disaster Recovery (BC/DR) program in place?

Yes, we have this documented program in place.

Is there a formal BC/DR training and awareness program in place for employees responsible for BC/DR activities?

No, we do not have this in place for employees.

Environmental

 

Has Unique had any environmental regulatory issues, breaches, non-compliances, or fines?

No.

Are there any material claims or judgments against Unique? 

No.

Have any of your 3rd party vendors suffered a data loss or security breach within the last 3 years? 

No.

Does Unique monitor and meet reporting requirements on greenhouse gases (GHG)?

No.

Does Unique have and adhere to an environmental policy that sets out clear commitments (and/or targets) to improve its footprint?

Yes.

Social

 

Did Unique have any significant workplace incidents, accidents, or near misses?

No.

Does Unique have a diversity & inclusion policy?

Yes, it is outlined in our Code of Conduct.

Has Unique been subject to enforcement actions by regulators for breaches of relevant health and safety regulations?

No.

Does Unique have a functional health and safety management system?

No.

Does Unique publish a Corporate Social Responsibility (CSR)/Sustainability report?

No.

Governance

 

Does Unique have and abide by a code of conduct or values statement to guide company conduct with honesty and integrity?

Yes, it is outlined in our Code of Conduct.

Did Unique appoint ESG responsibles at the board, executive, or leadership level?

No.

Has Unique been involved in any illegal practices (e.g. corruption, fraud, bribery…)?

No.

Does Unique have defined ESG KPIs based on materiality? 

No, we have ESG guidelines but no KPIs have been defined so far.


Author

@Daylan Araz @Michael Dreher @Sina Wulfmeyer @Tom Hobbs

  

© 2024 Unique AG. All rights reserved. Privacy PolicyTerms of Service