AI Course Creator Data Security and Privacy: FAQs

A selection of FAQs raised about data security and privacy concerns for our AI course creator tool.

AI-Specific Protections

Q: Is customer-uploaded data used to train or fine-tune any AI models (LLMs or otherwise)?
A: No, customer-uploaded data is not used to train or fine-tune AI models.

Architectural Security

Q: What layers of encryption are used to protect data at rest and in transit?
A: Sensitive customer data is encrypted at rest in our datastores. Secure data transmission protocols are used to encrypt confidential data when transmitted over public networks.

Q: What internal access controls are in place to restrict access to customer-uploaded data?
A: We adhere to an Access Control Policy.

Q: Are audit logs maintained for access to customer data? Are these logs available for review?
A: Yes, audit logs are maintained. Logs can be retrieved on a case-by-case basis.

Q: Are different environments (e.g., production, development, testing) segregated? How is data isolated between them?
A: Yes, we use separate environments and databases for testing and production.

Compliance Evidence

Q: Do you have current certifications such as SOC 2, ISO 27001?
A: Yes, our provider has a SOC 2 Type 1 certification and is currently undergoing the audit for SOC 2 Type 2. More details can be found here.

Q: Are you compliant with GDPR requirements? 
A: We comply with GDPR rules.

Q: Can you provide recent third-party audit reports or security assessments upon request?
A: Yes, these can be provided upon request.

Q: Do you have a Data Processing Agreement (DPA) or similar documentation available?
A: Yes, a DPA is available.

Data Retention / Temporal Controls

Q: How long is customer-uploaded data retained by your systems by default?
A: Data is retained indefinitely unless removal is requested.

Q: Is there an option for customers to request deletion of their data? If so, how is this handled?
A: Nvolve can assist a user with deleting any specific pieces of data.

Data Security

Q: How do you ensure secure data processing and storage?
A: We adhere to a Data Management Policy, which can be provided upon request.

Q: Where is the data stored once it is received by your system? Are there any geographic restrictions or preferences?
A: Data relating to the AI course creator is stored in Oregon, USA.

Q: What measures are in place to detect and respond to data breaches?
A: We have an Incident Response Plan and a Business Continuity and Disaster Recovery Plan in place.

Data Storage

Q: Where is data stored (e.g., cloud, on-premises)? Please provide details, regions, etc.
A: All data is stored in the cloud. We utilise AWS S3 buckets for file storage, and the database is hosted on Render. All are stored in the Oregon, USA region.

Q: What backup procedures are in place to ensure data integrity and availability?
A: We offer point-in-time recovery, allowing restoration to any point in the last 7 days.

Monitoring / Incident Response

Q: Do you implement continuous monitoring of data security and privacy metrics?
A: Yes, we use Vanta to monitor data security and privacy metrics.

Q: Do you have an incident response plan to address data breaches promptly?
A: Yes, our Incident Response Plan can be provided upon request.

Privacy

Q: What types of data are collected when a customer uploads documentation via our platform?
A: Uploaded documents are converted into a format parsable by the LLM. No PII is sent to the LLM, only content.

Q: Is any personally identifiable information (PII) stored or processed by your system?
A: No, our Headless integration via API does not require PII to identify users.

Q: Do you have a published privacy policy we can review and share with our customers?
A: Yes, our privacy policy is available on request.

Third-Party Risk

Q: Is customer data shared with any third-party services or subprocessors? If so, please list them.
A: We do not share PII with third parties. Uploaded documents are shared with an LLM (Google Gemini).

Q: Do you vet and monitor subprocessors for data security and privacy compliance?
A: Yes, we vet and monitor subprocessors.

Q: Are there contractual agreements in place with all subprocessors outlining their obligations regarding data handling and protection?
A: No, such agreements are not currently in place.