Frequently Asked Questions (FAQ)
Prompts
Can one configure custom prompts? | Yes, all prompts can be completely customized. |
|---|---|
Is there a platform available for conducting automatic tests on prompts, including comparing results, etc.? | Yes, we have a benchmarking that automatically tests hundreds of prompts against the data and models that are in the system. |
Is it possible to implement version control for prompts, such as maintaining a development version, publishing a beta version, and continuing to use a previous version? | Yes, it is possible to apply version control to all prompts within the system, allowing for the independent experimentation of new prompts without affecting those that are already operational. This facilitates the development of new prompts and Assistants. |
Can prompts be shared by user-groups? | Yes, prompts can be defined by user-groups. |
Can one get feedback for the prompts? | Yes, there is a feedback mechanism for each answer so the users can give feedback on the quality of the prompts. |
Can one call configured prompts from an API? | Yes, this is possible. |
Is it possible to configure unique disclaimers for each prompt? | Yes, disclaimers for each prompt can be configured by the system's Admin, who has the ability to set disclaimers per user-group. |
How are updates carried out? | Currently, updates are done via API, but a User Interface is expected to be launched in April. |
Is chat history, encompassing questions and answers, stored somewhere, or are only the details of the current chat session retained? If stored, where is this information kept? | The chat history is stored in two places:
Prompts will not be stored on Microsoft Azure as we opted out of abuse monitoring, preventing Microsoft from saving the prompts. |
Large Language Models (LLMs)
What are the LLMs that can be used? | Any provisioned models can be connected to the system via config. For a full overview, please visit: |
Is the availability of Azure OpenAI models restricted to certain regions? | Yes, the availability of Azure OpenAI models is dependent on the deployment region. The specific models available in each region can be checked on the Azure website: https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models This page is regularly updated, allowing users to see when new models become available in different regions. |
Will Azure retire OpenAI models over time? | Yes, Microsoft does retire OpenAI models over time. Information about model retirements is provided on the Azure page under “Model Retirements.” https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/model-retirements This section includes a table listing the current models, their versions, and the retirement dates. Clients will be informed in advance about any model retirements, as well as new models becoming available in their region. |
What is the difference between model retirement and deprecation communicated by Azure for their provided OpenAI models? | The difference between retirement and deprecation of a model is important to understand:
|
Can models be customized/bring our own models? | Yes, there are already customers who are doing this. |
Is there a platform available for conducting automated tests and comparing results for custom models? | Yes, through benchmarking, it is possible to perform comparisons. There is a documentation for this process: Benchmarking |
How can one train, test, and deploy a model for use with Unique’s solution? | So far, we have not directly trained a model ourselves; instead, our customers have undertaken this task. However, our Data-Science team has provided support and guidance to them throughout the process. |
Does one need to use Azure AI Studio? | There's no need to restrict yourself to Azure AI Studio exclusively. As long as the model can be provisioned, we are capable of integrating it. |
Is it possible to implement version control for models, such as maintaining a development version, publishing a beta version, and continuing to use a previous version? | Yes, within the system, each prompt allows for the selection of the model and its version at will. We practice this on a regular basis, especially with the release of new minor or preview versions from Azure OpenAI. |
Can models be shared by user-groups? | Yes, it can be scoped by user-groups. |
Can models be restricted by | Yes, it can be restricted by user-groups. |
Can token consumption be followed by model or by user-groups? | This feature is currently under development and not available yet. However, an Analytics Framework with downloadable CSV-Reports is already in place and covers these points:
Read more about this here: Analytics A report incl. consumption by assistant/model is planned for Q2 2024. |
Are there several types of prices depending on the models used? | Our pricing model remains fixed, however, the costs of the underlying models set by the LLM provider are subject to change and are transparently communicated back to you. Prices may fluctuate. We offer guidance on which prompts require specific models. |
How is visibility kept on the costs related to the API usage? | We report the costs generated on the Subscription on a monthly basis. In the early days of the project, we can negotiate a faster rhythm. |
Is it possible to set token limits for each model or user group, including actions like sending alerts or shutting down the API? | Yes. |
Is your solution offered on the MS Marketplace? | Unique is currently not offered in the MS Marketplace. |
What tests have been done to select the appropriate LLM models? | We conducted benchmarks using our documents, and our clients performed similar tests. This process helps us select the most suitable models for each prompt or use case. |
Services
How do guardrails work? | The language model operates within a set structure, using only the data provided by the organization to ensure its responses comply with specific standards and do not include external information not given by the company. Furthermore, by including citations in each reply, the origin of the information used in the responses can be traced. |
How is Document ingestion maintained? | We maintain multiple default ingestion pipelines for the different types of files. See the documentation here: File Ingestion |
How long is the retention period for uploaded files? | Clients can configure their retention period for uploaded files how they want. Most of our clients have set it between 2-7 days. |
Are the sources always shared with the users? | Yes, Unique adds references to each answer to indicate to the user where the information is coming from. This happens through the RAG process. |
Can automated workflows be executed? | Yes, we already have customers that use our API to execute workflows autonomously without the intervention of a user. |
How is a continuous feedback loop orchestrated? | As an admin, you can export the user feedback as CSV on demand. There will be monthly meetings with the project lead to analyze the feedback and derive improvement options. |
Can your system integrate with various Identity Providers (IDPs), and does it support seamless user provisioning and login with credentials from external systems? | The IDP can be integrated into our system. Your logins can be used, and users are automatically provisioned. We support the following list: https://zitadel.com/docs/guides/integrate/identity-providers |
How would customized workflows be prepared and released? | If you develop your own assistants that are not coming as part of the default, these assistants need to be deployed. The deployment can be orchestrated by you or us. |
Can one view defined users or applications in the tenant? | Yes, this is possible. |
Is there monitoring and alerting for the network? | Yes. |
Is encryption and integrity protection in place for all external (public) network traffic that potentially carries sensitive information? | Yes. |
Do you use an automated source code analysis tool to detect security defects in code prior to production? | Yes, GH Advanced security and trivy. |
What service hosting models and deployment models are provided as part of Unique services? |
More information here: Install Unique |
Is a website supported, hosted, or maintained that has access to customer systems and data? | Yes. |
Architecture, RAG, Vectors, and more
What technologies are used in the RAG pattern? | For Vectorisation, the embedding model ADA from Azure OpenAI’s is used. To learn more about our Architecture, see here: Architecture OverviewWe use Qdrant to save the vector and the metadata (self-hosted). For saving text, we use Postgres (Azure service). |
Why is vector DB Qdrant being used? | Qdrant performs very well on metadata filtering and similarity search compared to others. This is also needed for ACL |
Do you duplicate data and store a local copy of indexed documents? | Yes, we store the data locally. |
What are the existing connectors? |
|
Can a local (on-premise) vector database be used? | If Unique is deployed on-prem, yes. But in phase 1, it’s a workload we deploy on Azure fully encrypted. |
Do connectors support images, video, and sound indexation? | Currently not, though we are exploring options with GPT-4o Vision. |
How is the lifecycle of indexed documents managed? | The same documents are replaced with the new version. Content owners are responsible for deduplication. |
What are the supported languages? | Unique supports the languages that are listed and offered on Azure: |
Can multiple context sources, like vector databases + custom databases be used? | Yes, this is possible. |
Is there an initial limit on the documents provided? | No, but it’s useful to only index what is truly needed, this makes the quality control easier. Documents are taken in and transformed by our ingestion workers into markdown. Markdown is then broken apart into chunks preserving titles with paragraph connections. And tables with headings so that the ideal context is given to the models at retrieval time. |
Are the sources of information selected automatically? | Yes, this is fully automatic. |
What limitations on documents are there? | Images on documents are not yet included in the ingestion process. |
Can defined users or applications be viewed in the tenant? | Yes, this is possible. |
How can the chatbot in web applications be integrated? | This can be achieved by utilizing Unique's APIs or by employing Iframe-like functionalities for front-end display. |
Can the solution be integrated with Microsoft Dynamic CRM on-premise? | Yes, this is possible. |
Can Semantic Kernel with indexation, prompt, and models be used? | Yes, this is possible. |
Can LangChain be used to interact with indexation, prompts, and models? | Yes, any Python can be used with our APIs/SDK. See details about the APIs/SDK here: Software Development Kit (SDK) |
How long does a typical RAG request take? | Time to streaming the answer is around 3-5 seconds depending on the use case. |
Cloud Computing & Development
What features does the Cloud service offer? | Measured service: to control and optimize resource use by leveraging a metering capability. |
Upon the contract termination, what happens to the data? | Data is securely erased/destroyed according to GDPR, in a defined time frame based on the contract. |
Are technical measures applied for defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing)? | No, we do not have technical measures that provide defense-in-depth for detection and timely response to network-based attacks. |
What is the strategy implemented to ensure the availability of the services providing enough processing power, storage space, and network bandwidth? | Systems are autoscaling on Azure cloud, monitoring and alerting in case of unavailabilities. |
Is the data encrypted both while in transit from/to the tenant and at rest in the cloud infrastructure? | Yes, for the Unique hosted single tenant at rest Azure generated keys are stored in its own Key Vault. These are HSM-backed (FIPS 140-2 Level 2) 4096-bit RSA keys. The disks are encrypted with FIPS 140-2 compliant AES256 encryption standard. |
What are the policies and procedures for access? | We have established policies and procedures for permissible storage and access to authorized identities based on rules of least privilege and business necessity. |
Are applications and APIs reviewed for security vulnerabilities? | Yes, this is done to address any issues prior to deployment to production. |
Is virtualization used in services provided? | Yes, and KPI/SLAs are tracked for reporting. However, we do not have a hypervisor vulnerability management in place. |
Is capacity planning conducted to prevent any redirection of contracted capacity to other tenants? | Yes, capacity planning is conducted on an ad-hoc basis when the utilization reaches a threshold limit to prevent any redirection of contracted capacity to other tenants without approval. |
For forensic analysis over any security breach of data in the cloud infrastructure, can the following be made available (logs, traces, hard disk images, etc.) | Yes, logs, traces, hard disk images, etc. will be made available for forensic analysis over any security breach of data. |
Does Unique have a formal change management process, covering all service changes? | Yes, our SDLC adheres to our formal change management process. |
Is the client or its hired third party allowed to conduct penetration testing of the cloud infrastructure hosting the data? | Yes, penetration testing is allowed. |
What tests are conducted before releasing applications to production? | We conduct tests, such as manual code reviews, SAST scans, DAST scans, and IAST scans before releasing. |
Does Unique have a continuous assurance process during the release? | Yes during the release, operations to verify application and infrastructure-level vulnerabilities are patched in a regular manner. |
Is there a documented software development lifecycle (SDLC) process and what does it include? | Yes, our (SDLC) program includes performing threat modeling and designing, implementing, and testing application-level controls. It follows industry-recognized security standards and good practices. |
Why are JWTs stored in the browser's local storage when it is recommended to store them in cookies? | Not storing the JWT in a cookie prevents a whole class of vulnerabilities with CSRF. On the other hand, it is easier for an attacker to misuse the token in case of a successful XSS attack. To compensate for this issue we created a restrictive CSP to make it impossible for a successful XSS attack to exfiltrate the token to an external domain not already registered in our CSP. |
Do you regularly perform static and dynamic code analysis? If so, could you please provide some details on how and how often you do it? | Yes, we do for Github advanced security CodeQL, trivy, and Bug bounty programs for penetration tests. |
Does the software contain third-party-developed components? | Yes, and we have implemented controls to test and verify these components. |
Are development and production environments segregated, at least on a logical level? | Yes, we have segregated development and production environments. |
Are audit logs maintained and reviewed for all program library updates? | Yes, we review and maintain audit logs for all program library updates. In addition, we have security controls in place to secure the audit logs. |
Are developers trained in "Secure Code Developing Techniques"? | Yes, we train our developers during the onboarding and offer mandatory Secure coding trainings for developers, conducted by experts in this field at least annually. |
Is a session management methodology used with the application? | Yes. |
Is open-source or third-party software tracked specifically for security information? | Yes. |
Data Protection
How do you process the data? | All data is encrypted in transit and at rest. We minimize the data we store to only include what is needed. For more details please refer to: https://help.unique.app/en/articles/72879-your-data-at-unique |
Is personal information accessed, disclosed, processed, transmitted, or retained by third parties across national borders? | Sub-Processors will be defined in our DPA, depending on the clients needs. Usually, for Swiss Financial institutions, data processing only happens in Switzerland and never leaves the country unless explicitly allowed by the client. For clients in the UK, US, or Singapore, it is possible to restrict data processing to your country. |
Is the voice sample of Unique biometric data? | No, because Unique voice samples cannot allow or confirm the unique identification of a natural person. |
How is my data segregated from other customers' data? | If you choose the platform as a service deployment option your data is logically separated from other customers. If you have stronger requirements regarding tenant separation the single tenant deployment option completely physically separates your data in your own Azure landing zone from other customers. |
Do you logically and physically segregate production and non-production environments? | Yes. |
Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments? | Yes. |
For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes? | Usually not, but can be added if needed. |
Is physical and logical user access to audit logs restricted to authorized personnel? | Yes. |
Will my data be used to train any models or fine-tune models? | No. Client data will never be used, as we do not train or fine-tune any LLMs. |
Does the Azure OpenAI Model learn from my data? | No, Azure OpenAI models never learn from data and Unique has an opt-out available from output checking with Microsoft. |
Will my data be sent to “unsafe, third countries”? | No. All data remains in Switzerland or your desired country for data hosting and processing. If you chose the single tenant or customer tenant deployment option then no client data will leave your dedicated tenant. |
Do you have a data processing agreement in place? | Yes, we do have a DPA: https://www.unique.ch/data-processing-addendum. |
Do you have Terms of Use? | Yes, we do have Terms of Use for end users. |
Does Microsoft Switzerland share data with Microsoft US (based on the so-called CLOUD Act)? | No, data is never shared between Microsoft CH and Microsoft US. |
Does the US government have access to the data on Azure CH (based on the CLOUD Act)? | Not directly. The US government can request access to any data outside the US, regardless of where it is stored, based on the CLOUD Act if a judge approves the request. |
Did you perform a Transfer Impact Assessment (TIA) for Microsoft Inc. as they are headquartered in the US and there is a risk of lawful access from the US? | Yes, we performed a TIA and the probability of lawful access is close to zero. Details can be shared upon request. |
When using Microsoft Azure OpenAI services, is any data shared/stored with OpenAI? | Unique closely partners with Microsoft to offer GenAI solutions in a secured and controlled environment: when working with Unique and using Microsoft Azure OpenAI Services, users are using an enterprise and private instance of OpenAI’s ChatGPT packaged and hosted by Microsoft Switzerland (prompts and answered are not shared with OpenAI nor Microsoft; to be precise: Microsoft processes the data but never stores the data). |
Are prompts attributable to specific users or organizations (when no identifying information is included in the prompt)? If not, can you provide evidence of the controls? | Prompts are associated with a specific user (audit logs) via login credentials. If you choose the single tenant or customer tenant deployment option this data will only be stored in the client-specific tenant. |
Do you have controls in place to ensure the foundational model was not trained with prohibited or biased content? | We rely on Microsoft public statements that they will cover costs for IP infringements in case needed (Customer Copyright Commitment Required Mitigations | Microsoft Learn). |
Is the model data de-identified, aggregated, and anonymized? | No. We will integrate your DLP to run on audit logs after user interaction. |
Have you performed any independent audits or validation of AI model outputs? | We perform regular internal tests and compare different models. This has not been part of an external validation report so far. |
Are you a data controller or data processor? | We are acting as a data processor of your data only. |
Is data protection for Azure OpenAI preview services less than for GA (General Availability Services)? |
|
Is there a documented process to reasonably authenticate or verify an individual's request prior to fulfilling their request for access to their personal information? | Yes. |
Are agreements with third parties who have access to or potential access in place? | Yes, we have a DPA that outlines confidentiality, audit, security, and privacy, including but not limited to incident response, ongoing monitoring limitations on data use, limitations on data sharing, return of data, and secure disposal of privacy data. |
Is there a policy or procedure for information handling (storing, processing, and communicating) consistent with its classification that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review? | Yes. |
Do you support the secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data? | Yes. |
Is Scoped Data sent or received via physical media? | No. |
Is Scoped Data sent or received electronically? | Yes. |
Is all Scoped Data sent or received electronically encrypted in transit within the network? | All external channels are TLS 1.2+ encrypted. |
Will data be accessed, modified, or stored on mobile devices? | No. |
Data Storage
Where is client data hosted? | The location of hosting client data can be chosen by the client. |
Are there any other locations outside Switzerland where data is stored? | Not for Swiss Financial Institutions. European Financial Institutions can choose the Netherlands, France, or the UK as their data storage and processing location. The same applies for US or Singapore. |
Is regulated or confidential customer data stored in a database? | Yes, we store voice profiles to identify meeting participants. The company can opt out such that the voice print is only used for diarization and not saved. |
Are voice profiles kept and used for subsequent calls? What are all other purposes where these voice profiles/prints are used? | Yes, if the company did not opt-out. Voice prints are used:
|
Where is personal data stored for audio and video recordings? | They are stored as media files in the Microsoft Azure Blob Storage for Single and Multi Tenant deployment. |
Where is personal data stored for transcripts and reports? | They are stored at Microsoft Azure AKS, Postgres. |
© 2025 Unique AG. All rights reserved. Privacy Policy – Terms of Service