Changes for eveai_chat_client:

- Modal display of privacy statement & Terms & Conditions
- Consent-flag ==> check of privacy and Terms & Conditions
- customisation option added to show or hide DynamicForm titles
Josako
2025-07-28 21:47:56 +02:00
parent ef138462d9
commit 5e81595622
28 changed files with 1609 additions and 2271 deletions

@@ -1,37 +1,726 @@
# Privacy Policy
# Data Protection Agreement Ask Eve AI
## Version 1.0.0
Ask Eve AI respects the privacy of their Customers, Partners, Users and End
Users, and is strongly committed to keeping secure any information
obtained from, for or about each of them. This Data Protection Agreement
describes the practices with respect to Personal Data that Ask Eve AI
collects from or about Customers, Partners, Users and End Users when
they use the applications and services of Ask Eve AI (collectively,
"Services").
*Effective Date: 2025-06-03*
## Definitions
### 1. Introduction
**Data Controller and Data Processor**: have each the meanings set out in
the Data Protection Legislation;
This Privacy Policy describes how EveAI collects, uses, and discloses your information when you use our services.
*Data Protection Legislation:* means the European Union's General Data
Protection Regulation 2016/679 on the protection of natural persons with
regard to the processing of personal data and on the free movement of
such data ("GDPR") and all applicable laws and regulations relating to
the processing of personal data and privacy and any amendment or
re-enactment of any of them;
### 2. Information We Collect
*Data Subject:* has the meaning set out in the Data Protection
Legislation and shall refer, in this Data Processing Agreement to the
identified or identifiable individual(s) whose Personal Data is/are
under control of the Data Controller and is/are the subject of the
Processing by the Data Processor in the context of the Services;
We collect information you provide directly to us, such as account information, content you process through our services, and communication data.
*Personal Data*: has the meaning set out in the Data Protection
Legislation and shall refer, in this Data Processing Agreement to any
information relating to the Data Subject that is subject to the
Processing in the context of the Services;
### 3. How We Use Your Information
*Processing*: has the meaning given to that term in the Data Protection
Legislation and "process" and "processed" shall have a corresponding
meaning;
We use your information to provide, maintain, and improve our services, process transactions, send communications, and comply with legal obligations.
*Purposes*: shall mean the limited, specific and legitimate purposes of
the Processing as described in the Agreement;
### 4. Data Security
*Regulators:* means those government departments and regulatory,
statutory and other bodies, entities and committees which, whether under
statute, rule, regulation, code of practice or otherwise, are entitled
to regulate, investigate or influence the privacy matters dealt with in
agreements and/or by the parties to the agreements (as the case may be);
We implement appropriate security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
*Sub-Processor:* shall mean the subcontractor(s) listed in Annex 1,
engaged by the Data Processor to Process Personal Data on behalf of the
Data Controller and in accordance with its instructions, the terms of
this Data Processing Agreement and the terms of the written subcontract
to be entered into with the Sub-Processor;
### 5. International Data Transfers
*Third Country:* means a country outside the European Economic Area that
is not considered by the European Commission as offering an adequate
level of protection in accordance with Article 44 of the European
Union's General Data Protection Regulation 679/2016.
Your information may be transferred to and processed in countries other than the country you reside in, where data protection laws may differ.
*Tenant / Customer*: A tenant is the organisation, enterprise or company
subscribing to the services of Ask Eve AI. Same as Customer, but more in
context of a SAAS product like Ask Eve AI.
### 6. Your Rights
*Partner*: Any organisation, enterprise or company that offers services
or knowledge on top of the Ask Eve AI platform.
Depending on your location, you may have certain rights regarding your personal information, such as access, correction, deletion, or restriction of processing.
*Account / User*: A user is a natural person performing activities like
configuration or testing in Ask Eve AI, working within the context of a
Tenant. A user is explicitly registered within the system as a member of
the tenant.
### 7. Changes to This Policy
*End User*: An end user is every person making use of Ask Eve AI's services,
in the context of Ask Eve AI services exposed by the tenant
(e.g. a chatbot). This user is not explicitly registered within the
system.
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
*Ask Eve AI Platform*: The Ask Eve AI Platform (also referred to as
"Evie" or "platform") is the combination of software components and
products, code, configuration and prompts that allow Ask Eve AI to
perform its activities.
### 8. Contact Us
*Ask Eve AI Services*: Is the collection of all services on top of the
Ask Eve AI Platform offered to all users of the platform (Tenants,
Partners, Users and End Users), including all services exposed by
Partners on the Ask Eve AI platform.
If you have any questions about this Privacy Policy, please contact us at privacy@askeveai.be.
*Partner Services:* Is the collection of all services and applications built on top of
the Ask Eve AI Platform offered by Partners. This excludes services
connected through API's to the Ask Eve AI platform or services connected
to the platform by any other means.
## Qualification of Parties
2.1 As part of the provision of the Services, Partner and Customer may
engage Ask Eve AI to collect, process and/or use Personal Data on its
behalf and/or Ask Eve AI may be able to access Personal Data and
accordingly, in relation to the Agreement, the Parties agree that Partner
or Customer is the Data Controller and Ask Eve AI is the Data Processor.
2.2 From time to time, Partner or Customer may request Ask Eve AI to
collect, process and/or use Personal Data on behalf of a third party for
which Ask Eve AI may be able to access Personal Data and accordingly, in
relation to the Agreement, the Parties agree that Customer is the Data
Processor and Ask Eve AI is the Data Sub-Processor.
# Data Classification
Ask Eve AI classifies data as follows:
# Data Protection {#data-protection-1}
The Data Processor warrants, represents and undertakes to the Data
Controller that it shall only process the Personal Data as limited in de
following paragraphs.
**System Data:**
Ask Eve AI System Data is the data required to enable Ask Eve AI to:
- authenticate and authorise accounts / users
- authenticate and authorise automated interfaces (APIs, sockets,
integrations)
- to invoice according to subscription and effective usage of Ask Eve
AI's services
The following personal information is gathered:
1. *Account / User Information*: This information enables a user to log
into the Ask Eve AI systems, or to subscribe to the system's
services. It includes name, e-mail address, a secured password and
roles in the system.
2. *Tenant / Customer Information*: Although not personal data in the
strict sense, in order to subscribe to the services provided by Ask
Eve AI, payment information such as financial details, VAT numbers,
valid addresses and email information is required.
**Tenant Data:**
Tenant data is all information that is added to Ask Eve AI by
- one of the tenant's registered accounts
- one of the automated interfaces (APIs, sockets, integrations)
authorised by the tenant
- interaction by one of the end users that has access to Ask Eve AI's
services exposed by the tenant
This data is required to enable Ask Eve AI to perform the
tenant-specific functions requested or defined by the Tenant, such as
enabling AI chatbots or AI specialists to work on tenant specific
information.
There's no personal data collected explicitly, however, the following
personal information is gathered:
1. *End User Content*: Ask Eve AI collects Personal Data that the End
User provides in the input to our Services ("Content") as is.
2. *Communication Information*: If the Customer communicates with Ask
Eve AI, such as via email, our pages on social media sites or the
chatbots or other interfaces we provide to our services, Ask Eve AI
may collect Personal Data like name, contact information, and the
contents of the messages the Customer sends ("Communication
Information"). End User personal information may be provided by End
User in interactions with Ask Eve AI's services, and as such will be
stored in Ask Eve AI's services as is.
>
> **User Data:**
> Ask Eve AI collects information the User may provide to Ask Eve AI,
> such as when you participate in our events, surveys, ask us to get in
> contact or provide us with information to establish your identity or
> age.
>
>
> \
**Technical Data:**\
When you visit, use, or interact with the Services, we receive the
following information about your visit, use, or interactions ("Technical
Information"):
1. *Log Data:* Ask Eve AI collects information that your browser or
device automatically sends when the Customer uses the Services. Log
data includes the Internet Protocol address, browser type and
settings, the date and time of your request, and how the Customer
interacts with the Services.
2. *Usage Data:* Ask Eve AI collects information about the use of the
Services, such as the types of content that the Customer views or
engages with, the features the Customer uses and the actions the
Customer takes, as well as the Customer's time zone, country, the
dates and times of access, user agent and version, type of computer
or mobile device, and the Customer's computer connection.
3. *Interaction Data*: Ask Eve AI collects the data you provide when
interacting with it's services, such as interacting with a chatbot
or similar advanced means.
4. *Device Information:* Ask Eve AI collects information about the
device the Customer uses to access the Services, such as the name of
the device, operating system, device identifiers, and browser you
are using. Information collected may depend on the type of device
the Customer uses and its settings.
5. *Location Information:* Ask Eve AI may determine the general area
from which your device accesses our Services based on information
like its IP address for security reasons and to make your product
experience better, for example to protect the Customer's account by
detecting unusual login activity or to provide more accurate
responses. In addition, some of our Services allow the Customer to
choose to provide more precise location information from the
Customer's device, such as location information from your device's
GPS.
6. *Cookies and Similar Technologies:* Ask Eve AI uses cookies and
similar technologies to operate and administer our Services, and
improve your experience. If the Customer uses the Services without
creating an account, Ask Eve AI may store some of the information
described in this Agreement with cookies, for example to help
maintain the Customer's preferences across browsing sessions. For
details about our use of cookies, please read our Cookie Policy.
**External Data:**
Information Ask Eve AI receives from other sources:
Ask Eve AI receives information from trusted partners, such as security
partners, to protect against fraud, abuse, and other security threats to
the Services, and from marketing vendors who provide us with information
about potential customers of our business services.
Ask Eve AI also collects information from other sources, like
information that is publicly available on the internet, to develop the
models that power the Services.
Ask Eve AI may use Personal Data for the following purposes:
- To provide, analyse, and maintain the Services, for example to respond
to the Customer's questions for Ask Eve AI;
- To improve and develop the Services and conduct research, for example
to develop new product features;
- To communicate with the Customer, including to send the Customer
information about our Services and events, for example about changes
or improvements to the Services;
- To prevent fraud, illegal activity, or misuses of our Services, and to
protect the security of our systems and Services;
- To comply with legal obligations and to protect the rights, privacy,
safety, or property of our users or third parties.
Ask Eve AI may also aggregate or de-identify Personal Data so that it no
longer identifies the Customer and use this information for the purposes
described above, such as to analyse the way our Services are being used,
to improve and add features to them, and to conduct research. Ask Eve AI
will maintain and use de-identified information in de-identified form
and not attempt to reidentify the information, unless required by law.
As noted above, Ask Eve AI may use content the Customer provides Ask Eve
AI to improve the Services, for example to train the models that power
Ask Eve AI. Read [**our instructions**(opens in a new
window)**](https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance) on
how you can opt out of our use of your Content to train our models.\
1. 1. ## Instructions {#instructions-3}
Data Processor shall only Process Personal Data of Data Controller on
behalf of the Data Controller and in accordance with this Data
Processing Agreement, solely for the Purposes and the eventual
instructions of the Data Controller, and to the extent, and in such a
manner, as is reasonably necessary to provide the Services in accordance
with the Agreement. Data Controller shall only give instructions that
comply with the Data Protection legislation.
2. 1. ## Applicable mandatory laws {#applicable-mandatory-laws-3}
Data Processor shall only Process as required by applicable mandatory
laws and always in compliance with Data Protection Legislation.\
3. 1. ## Transfer to a third party {#transfer-to-a-third-party-3}
Data Processor uses functionality of third party services to realise
it's functionality. For the purpose of realising Ask Eve AI's
functionality, and only for this purpose, information is sent to it's
sub-processors.
Data Processor shall not transfer or disclose any Personal Data to any
other third party and/or appoint any third party as a sub-processor of
Personal Data unless it is legally required or in case of a notification
to the Data Controller by which he gives his consent.
4. 1. ## Transfer to a Third Country {#transfer-to-a-third-country-3}
Data Processor shall not transfer Personal Data (including any transfer
via electronic media) to any Third Country without the prior written
consent of the Data Controller by exception of the following.
The Parties agree that Personal Data can only be transferred to and/or
kept with the recipient outside the European Economic Area (EEA) in a
country that not falls under an adequacy decision issued by the European
Commission by exception and only if necessary to comply with the
obligations of this Agreement or when legally required. Such transfer
shall be governed by the terms of a data transfer agreement containing
standard contractual clauses as published in the Decision of the
European Commission of June 4, 2021 (Decision (EU) 2021/914), or by
other mechanisms foreseen by the applicable data protection law.
The Data Processor shall prior to the international transfer inform the
Data Controller about the particular measures taken to guarantee the
protection of the Personal Data of the Data Subject in accordance with
the Regulation.
\
5. 1. ## Data secrecy {#data-secrecy-3}
The Data Processor shall maintain data secrecy in accordance with
applicable Data Protection Legislation and shall take all reasonable
steps to ensure that:
> \(1\) only those Data Processor personnel and the Sub-Processor
> personnel that need to have access to Personal Data are given access
> and only to the extent necessary to provide the Services; and
> \(2\) the Data Processor and the Sub-Processor personnel entrusted
> with the processing of, or who may have access to, Personal Data are
> reliable, familiar with the requirements of data protection and
> subject to appropriate obligations of confidentiality and data secrecy
> in accordance with applicable Data Protection Legislation and at all
> times act in compliance with the Data Protection Obligations.
6. 1. ## Appropriate technical and organizational measures {#appropriate-technical-and-organizational-measures-3}
Data Processor has implemented (and shall comply with) all appropriate
technical and organizational measures to ensure the security of the
Personal Data, to ensure that processing of the Personal Data is
performed in compliance with the applicable Data Protection Legislation
and to ensure the protection of the Personal Data against accidental or
unauthorized access, alteration, destruction, damage, corruption or loss
as well as against any other unauthorized or unlawful processing or
disclosure ("Data Breach"). Such measures shall ensure best practice
security, be compliant with Data Protection Legislation at all times and
comply with the Data Controller's applicable IT security policies.
Data Controller has also introduced technical and organizational
measures, and will continue to introduce them to protect its Personal
Data from accidental or unlawful destruction or accidental loss,
alteration, unauthorized disclosure or access. For the sake of clarity,
the Data Controller is responsible for the access control policy,
registration, de-registration and withdrawal of the access rights of the
Users or Consultant(s) to its systems, for the access control,
registration, de-registration and withdrawal of automation access codes
(API Keys), and is also responsible for the complete physical security
of its environment.
7. 1. ## Assistance and co-operation {#assistance-and-co-operation-3}
The Data Processor shall provide the Data Controller with such
assistance and co-operation as the Data Controller may reasonably
request to enable the Data Controller to comply with any obligations
imposed on it by Data Protection Legislation in relation to Personal
Data processed by the Data Processor, including but not limited to:
> \(1\) on request of the Data Controller, promptly providing written
> information regarding the technical and organizational measures which
> the Data Processor has implemented to safeguard Personal Data;\
> \(2\) disclosing full and relevant details in respect of any and all
> government, law enforcement or other access protocols or controls
> which it has implemented, but only in so far this information is
> available to the Data Processor;
> \(3\) notifying the Data Controller as soon as possible and as far as
> it is legally permitted to do so, of any access request for disclosure
> of data which concerns Personal Data (or any part thereof) by any
> Regulator, or by a court or other authority of competent jurisdiction.
> For the avoidance of doubt and as far as it is legally permitted to do
> so, the Data Processor shall not disclose or release any Personal Data
> in response to such request served on the Data Processor without first
> consulting with and obtaining the written consent of the Data
> Controller; and
> \(4\) notifying the Data Controller as soon as possible of any legal
> or factual circumstances preventing the Data Processor from executing
> any of the instructions of the Data Controller.
> \(5\) notifying the Data Controller as soon as possible of any request
> received directly from a Data Subject regarding the Processing of
> Personal Data, without responding to such request. For the avoidance
> of doubt, the Data Controller is solely responsible for handling and
> responding to such requests.
> \(6\) notifying the Data Controller immediately in writing if it
> becomes aware of any Data Breach and provide the Data Controller, as
> soon as possible, with information relating to a Data Breach,
> including, without limitation, but only insofar this information is
> readily available to the Data Processor: the nature of the Data Breach
> and the Personal Data affected, the categories and number of Data
> Subjects concerned, the number of Personal Data records concerned,
> measures taken to address the Data Breach, the possible consequences
> and adverse effect of the Data Breach .
> \(7\) Where the Data Controller is legally required to provide
> information regarding the Personal Data Processed by Data Processor
> and its Processing to any Data Subject or third party, the Data
> Processor shall support the Data Controller in the provision of such
> information when explicitly requested by the Data Controller.
4. # Audit {#audit-1}
At the Data Controller's request the Data Processor shall provide the
Data Controller with all information needed to demonstrate that it
complies with this Data Processing Agreement The Data Processor shall
permit the Data Controller, or a third-party auditor acting under the
Data Controller's direction, (but only to the extent this third-party
auditor cannot be considered a competitor of the Data Processor), to
conduct, at the Data Controller's cost (for internal and external
costs), a data privacy and security audit, concerning the Data
Processor's data security and privacy procedures relating to the
processing of Personal Data, and its compliance with the Data Protection
Obligations, but not more than once per contract year. The Data
Controller shall provide the Data Processor with at least thirty (30)
days prior written notice of its intention to perform an audit. The
notification must include the name of the auditor, a description of the
purpose and the scope of the audit. The audit has to be carried out in
such a way that the inconvenience for the Data Processor is kept to a
minimum, and the Data Controller shall impose sufficient confidentiality
obligations on its auditors. Every auditor who does an inspection will
be at all times accompanied by a dedicated employee of the Processor.
4. # Liability {#liability-1}
Each Party shall be liable for any suffered foreseeable, direct and
personal damages ("Direct Damages") resulting from any attributable
breach of its obligations under this Data Processing Agreement. If one
Party is held liable for a violation of its obligations hereunder, it
undertakes to indemnify the non-defaulting Party for any Direct Damages
resulting from any attributable breach of the defaulting Party's
obligations under this Data Processing Agreement or any fault or
negligence to the performance of this Data Processing Agreement. Under
no circumstances shall the Data Processor be liable for indirect,
incidental or consequential damages, including but not limited to
financial and commercial losses, loss of profit, increase of general
expenses, lost savings, diminished goodwill, damages resulting from
business interruption or interruption of operation, damages resulting
from claims of customers of the Data Controller, disruptions of
planning, loss of anticipated profit, loss of capital, loss of
customers, missed opportunities, loss of advantages or corruption and/or
loss of files resulting from the performance of the Agreement.
[]{#anchor}[]{#anchor-1}[]{#anchor-2}[]{#anchor-3}If it appears that
both the Data Controller and the Data Processor are responsible for the
damage caused by the processing of Personal Data, both Parties shall be
liable and pay damages, in accordance with their individual share in the
responsibility for the damage caused by the processing.
[]{#anchor-4}[]{#anchor-5}[]{#anchor-6}In any event the total liability
of the Data Processor under this Agreement shall be limited to the cause
of damage and to the amount that equals the total amount of fees paid by
the Data Controller to the Data Processor for the delivery and
performance of the Services for a period not more than twelve months
immediately prior to the cause of damages. In no event shall the Data
Processor be held liable if the Data Processor can prove he is not
responsible for the event or cause giving rise to the damage.
4. # Term {#term-1}
This Data Processing Agreement shall be valid for as long as the
Customer uses the Services.
After the termination of the Processing of the Personal Data or earlier
upon request of the Data Controller, the Data Processor shall cease all
use of Personal Data and delete all Personal Data and copies thereof in
its possession unless otherwise agreed or when deletion of the Personal
Data should be technically impossible.
4. # Governing law -- jurisdiction {#governing-law-jurisdiction-1}
This Data Processing Agreement and any non-contractual obligations
arising out of or in connection with it shall be governed by and
construed in accordance with Belgian Law.
Any litigation relating to the conclusion, validity, interpretation
and/or performance of this Data Processing Agreement or of subsequent
contracts or operations derived therefrom, as well as any other
litigation concerning or related to this Data Processing Agreement,
without any exception, shall be submitted to the exclusive jurisdiction
of the courts of Gent, Belgium.
# Annex1
# Sub-Processors
The Data Controller hereby agrees to the following list of
Sub-Processors, engaged by the Data Processor for the Processing of
Personal Data under the Agreement:
+-------------+--------------------------------------------------------+
| | |
+=============+========================================================+
| **Open AI** | |
+-------------+--------------------------------------------------------+
| Address | OpenAI, L.L.C., |
| | |
| | 3180 18th St, San Francisco, |
| | |
| | CA 94110, |
| | |
| | United States of America. |
+-------------+--------------------------------------------------------+
| Contact | OpenAI's Data Protection team |
| | |
| | dsar@openai.com |
+-------------+--------------------------------------------------------+
| Description | Ask Eve AI accesses Open AI's models through Open AI's |
| | API to realise it's functionality. |
| | |
| | Services are GDPR compliant. |
+-------------+--------------------------------------------------------+
| | |
+-------------+--------------------------------------------------------+
+---------------+------------------------------------------------------+
| | |
+===============+======================================================+
| **StackHero** | |
+---------------+------------------------------------------------------+
| Address | Stackhero |
| | |
| | 1 rue de Stockholm |
| | |
| | 75008 Paris |
| | |
| | France |
+---------------+------------------------------------------------------+
| Contact | support@stackhero.io |
+---------------+------------------------------------------------------+
| Description | StackHero is Ask Eve AI's cloud provider, and hosts |
| | the services for PostgreSQL, Redis, Docker, Minio |
| | and Greylog. |
| | |
| | Services are GDPR compliant. |
+---------------+------------------------------------------------------+
| **** | |
+---------------+------------------------------------------------------+
+----------------+-----------------------------------------------------+
| | |
+================+=====================================================+
| **A2 Hosting** | |
+----------------+-----------------------------------------------------+
| Address | A2 Hosting, Inc. |
| | |
| | PO Box 2998 |
| | |
| | Ann Arbor, MI 48106 |
| | |
| | United States |
+----------------+-----------------------------------------------------+
| Contact | [*+1 734-222-4678*](tel:+1(734)222-4678) |
+----------------+-----------------------------------------------------+
| Description | A2 hosting is hosting our main webserver and |
| | mailserver. They are all hosted on European servers |
| | (Iceland). It does not handle data of our business |
| | applications. |
| | |
| | Services are GDPR compliant. |
+----------------+-----------------------------------------------------+
| **** | |
+----------------+-----------------------------------------------------+
# Annex 2
# []{#anchor-7}Technical and organizational measures
# 1. Purpose of this document
This document contains an overview of the technical and operational
measures which are applicable by default within Ask Eve AI. The actual
measures taken depend on the services provided and the specific customer
context. Ask Eve AI guarantees it has for all its services and sites the
necessary adequate technical and operational measures included in the
list below following a Data Protection Impact Assessment (DPIA).
These measures are designed to:
1. ensure the security and confidentiality of Ask Eve AI managed data,
information, applications and infrastructure;
2. protect against any anticipated threats or hazards to the security
and integrity of Personal Data, Ask Eve AI Intellectual Property,
Infrastructure or other business-critical assets;
3. protect against any actual unauthorized processing, loss, use,
disclosure or acquisition of or access to any Personal Data or other
business-critical information or data managed by Ask Eve AI.
Ask Eve AI ensures that all its Sub-Processors have provided the
necessary and required guarantees on the protection of personal data
they process on Ask Eve AI's behalf.
Ask Eve AI continuously monitors the effectiveness of its information
safeguards and organizes a yearly compliance audit by a Third Party to
provide assurance on the measures and controls in place.
# 2. Technical & Organizational Measures
Ask Eve AI has designed, invested and implemented a dynamic
multi-layered security architecture protecting its endpoints, locations,
cloud services and custom-developed business applications against
today's variety of cyberattacks ranging from spear phishing, malware,
viruses to intrusion, ransomware and data loss / data breach incidents
by external and internal bad actors.
This architecture, internationally recognized and awarded, is a
combination of automated proactive, reactive and forensic quarantine
measures and Ask Eve AI internal awareness and training initiatives that
creates and end-to-end chain of protection to identify, classify and
stop any potential malicious action on Ask Eve AI's digital
infrastructure. Ask Eve AI uses an intent-based approach where
activities are constantly monitored, analysed and benchmarked instead of
relying solely on a simple authentication/authorization trust model.
4. 1. ## General Governance & Awareness {#general-governance-awareness-3}
As a product company, Ask Eve AI is committed to maintain and preserve
an IT infrastructure that has a robust security architecture, complies
with data regulation policies and provides a platform to its employees
for flexible and effective work and collaboration activities with each
other and our customers.
Ask Eve AI IT has a cloud-first and cloud-native strategy and as such
works with several third-party vendors that store and process our
company data. Ask Eve AI IT aims to work exclusively with vendors that
are compliant with the national and European Data Protection
Regulations. Transfers of Personal Data to third-countries are subject
to compliance by the third-country Processor/Sub-Processor with the
Standard Contractual Clauses as launched by virtue of the EU Commission
Decision 2010/87/EU of 5 February 2010 as updated by the EU Comission
Decision (EU) 2021/914 of 4 June 2021, unless the third country of the
Processor/Sub-Processor has been qualified as providing an adequate
level of protection for Personal Data by the European Commission, (a.o.
EU-U.S. Data Privacy Framework).
Ask Eve AI has an extensive IT policy applicable to any employee or
service provider that uses Ask Eve AI platforms or infrastructure. This
policy informs the user of his or her rights & duties and informs the
user of existing monitoring mechanisms to enforce security and data
compliance. The policy is updated regularly and an integrated part of
new employee onboarding and continuous training and development
initiatives on internal tooling and cyber security;
Ask Eve AI IT has several internal policies on minimal requirements
before an application, platform or tool can enter our application
landscape. These include encryption requirements, DLP requirements,
transparent governance & licensing requirements and certified support
contract procedures & certifications;
These policies are actively enforced through our endpoint security, CASB
and cloud firewall solutions. Any infraction on these policies is met
with appropriate action and countermeasures and may result in a complete
ban from using and accessing Ask Eve AI's infrastructure and platforms
or even additional legal action against employees, clients or other
actors;
## 9.2. Physical Security & Infrastructure
Ask Eve AI has deployed industry-standard physical access controls to
its location for employee presence and visitor management.
Restricted environments including network infrastructure, data center
and server rooms are safeguarded by additional access controls and
access to these rooms is audited. CCTV surveillance is present in all
restricted and critical areas.
Fire alarm and firefighting systems are implemented for employee and
visitor safety. Regular fire simulations and evacuation drills are
performed.
Clean desk policies are enforced, employees regularly in contact with
sensitive information have private offices and follow-me printing
enabled.
Key management governance is implemented and handled by Facilities.
1. 1. ## Endpoint Security & User Accounts {#endpoint-security-user-accounts-3}
All endpoints and any information stored are encrypted using
enterprise-grade encryption on all operating systems supported by Ask
Eve AI.
Ask Eve AI has implemented a centrally managed anti-virus and malware
protection system for endpoints, email and document stores.
Multifactor Authentication is enforced on all user accounts where
possible.
Conditional Access is implemented across the entire infrastructure
limiting access to specific regions and setting minimum requirements for
the OS version, network security level, endpoint protection level and
user behavior.
Only vendor supplied updates are installed.
Ask Eve AI has deployed a comprehensive device management strategy to
ensure endpoint integrity and policy compliance.
Access is managed according to role-based access control principles and
all user behavior on Ask Eve AI platforms is audited.
1. 1. ## Data Storage, Recovery & Securing Personal Data {#data-storage-recovery-securing-personal-data-3}
> Ask Eve AI has deployed:
- An automated multi-site encrypted back-up process with daily integrity
reviews.
- The possibility for the anonymization, pseudonymization and encryption
of Personal Data.
- The ability to monitor and ensure the ongoing confidentiality,
integrity, availability and resilience of processing systems and
services.
- The ability to restore the availability and access to Personal Data in
a timely manner in the event of a physical or technical incident.
- A logical separation between its own data, the data of its customers
and suppliers.
- A process to keep processed data accurate, reliable and up-to-date.
- Records of the processing activities.
- Data Retention Policies
1. 1. ## Protection & Insurance {#protection-insurance-3}
Ask Eve AI has a cyber-crime insurance policy. Details on the policy can
be requested through the legal department.
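Review bot: The paragraph on using Customer content to train models (ending "on how you can opt out of our use of your Content to train our models.") links its opt-out instructions to help.openai.com, a third party's help article, so a Customer following it is given no way to opt out with Ask Eve AI itself. Point the link at an Ask Eve AI page or contact address, or drop the sentence; the link text in that paragraph also carries a stray "(opens in a new window)" and unbalanced "**" markup. Elsewhere in this hunk, the title reads "Data Protection Agreement Ask Eve AI" while the body refers to "this Data Processing Agreement" throughout, and the Third Country definition cites "Regulation 679/2016" where the Data Protection Legislation definition cites "2016/679"; use one name and one citation form. Several headings keep document-conversion residue ("1. 1. ## Instructions {#instructions-3}", the repeated "4. # Audit {#audit-1}" / "4. # Liability {#liability-1}" numbering, "## 9.2. Physical Security & Infrastructure" inside section 2, and the "[]{#anchor}" spans) that may render literally or with wrong numbering in the consent modal; clean these up, since this is the text users are asked to accept.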