- Adaptation of DPA and T&Cs
- Refer to privacy statement as DPA, not a privacy statement
- Startup of enforcing signed DPA and T&Cs
- Adaptation of eveai_chat_client to ensure we retrieve correct DPA & T&Cs
648 lines
31 KiB
Markdown
# Data Protection Agreement Ask Eve AI

Ask Eve AI respects the privacy of its Customers, Partners, Users and End Users, and is strongly committed to keeping secure any information obtained from, for or about each of them. This Data Protection Agreement describes the practices with respect to Personal Data that Ask Eve AI collects from or about Customers, Partners, Users and End Users when they use the applications and services of Ask Eve AI (collectively, "Services").

## Definitions

*Data Controller and Data Processor*: each have the meanings set out in the Data Protection Legislation;

*Data Protection Legislation*: means the European Union's General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR") and all applicable laws and regulations relating to the processing of personal data and privacy and any amendment or re-enactment of any of them;

*Data Subject*: has the meaning set out in the Data Protection Legislation and shall refer, in this Data Processing Agreement, to the identified or identifiable individual(s) whose Personal Data is/are under control of the Data Controller and is/are the subject of the Processing by the Data Processor in the context of the Services;

*Personal Data*: has the meaning set out in the Data Protection Legislation and shall refer, in this Data Processing Agreement, to any information relating to the Data Subject that is subject to the Processing in the context of the Services;

*Processing*: has the meaning given to that term in the Data Protection Legislation, and "process" and "processed" shall have a corresponding meaning;

*Purposes*: shall mean the limited, specific and legitimate purposes of the Processing as described in the Agreement;

*Regulators*: means those government departments and regulatory, statutory and other bodies, entities and committees which, whether under statute, rule, regulation, code of practice or otherwise, are entitled to regulate, investigate or influence the privacy matters dealt with in agreements and/or by the parties to the agreements (as the case may be);

*Sub-Processor*: shall mean the subcontractor(s) listed in Annex 1, engaged by the Data Processor to Process Personal Data on behalf of the Data Controller and in accordance with its instructions, the terms of this Data Processing Agreement and the terms of the written subcontract to be entered into with the Sub-Processor;

*Third Country*: means a country outside the European Economic Area that is not considered by the European Commission as offering an adequate level of protection in accordance with Article 44 of the European Union's General Data Protection Regulation 679/2016.

*Tenant / Customer*: a tenant is the organisation, enterprise or company subscribing to the services of Ask Eve AI. Same as Customer, but used in the context of a SaaS product like Ask Eve AI.

*Partner*: any organisation, enterprise or company that offers services or knowledge on top of the Ask Eve AI platform.

*Account / User*: a user is a natural person performing activities like configuration or testing in Ask Eve AI, working within the context of a Tenant. A user is explicitly registered within the system as a member of the tenant.

*End User*: an end user is every person making use of Ask Eve AI's services, in the context of Ask Eve AI services exposed by the tenant (e.g. a chatbot). This user is not explicitly registered within the system.

*Ask Eve AI Platform*: the Ask Eve AI Platform (also referred to as "Evie" or "platform") is the combination of software components and products, code, configuration and prompts that allow Ask Eve AI to perform its activities.

*Ask Eve AI Services*: the collection of all services on top of the Ask Eve AI Platform offered to all users of the platform (Tenants, Partners, Users and End Users), including all services exposed by Partners on the Ask Eve AI platform.

*Partner Services*: the collection of all services and applications built on top of the Ask Eve AI Platform offered by Partners. This excludes services connected through APIs to the Ask Eve AI platform or services connected to the platform by any other means.

## Qualification of Parties

2.1 As part of the provision of the Services, Partner and Customer may engage Ask Eve AI to collect, process and/or use Personal Data on their behalf, and/or Ask Eve AI may be able to access Personal Data. Accordingly, in relation to the Agreement, the Parties agree that Partner or Customer is the Data Controller and Ask Eve AI is the Data Processor.

2.2 From time to time, Partner or Customer may request Ask Eve AI to collect, process and/or use Personal Data on behalf of a third party, for which Ask Eve AI may be able to access Personal Data. Accordingly, in relation to the Agreement, the Parties agree that Customer is the Data Processor and Ask Eve AI is the Data Sub-Processor.

# Data Classification

Ask Eve AI classifies data as follows:

# Data Protection

The Data Processor warrants, represents and undertakes to the Data Controller that it shall only process the Personal Data as limited in the following paragraphs.

**System Data:**

Ask Eve AI System Data is the data required to enable Ask Eve AI to:

- authenticate and authorise accounts / users
- authenticate and authorise automated interfaces (APIs, sockets, integrations)
- invoice according to subscription and effective usage of Ask Eve AI's services

The following personal information is gathered:

1. *Account / User Information*: This information enables a user to log into the Ask Eve AI systems, or to subscribe to the system's services. It includes name, e-mail address, a secured password and roles in the system.
2. *Tenant / Customer Information*: Although not personal data in the strict sense, in order to subscribe to the services provided by Ask Eve AI, payment information such as financial details, VAT numbers, valid addresses and email information is required.

**Tenant Data:**

Tenant data is all information that is added to Ask Eve AI by

- one of the tenant's registered accounts
- one of the automated interfaces (APIs, sockets, integrations) authorised by the tenant
- interaction by one of the end users that has access to Ask Eve AI's services exposed by the tenant

This data is required to enable Ask Eve AI to perform the tenant-specific functions requested or defined by the Tenant, such as enabling AI chatbots or AI specialists to work on tenant-specific information.

No personal data is collected explicitly; however, the following personal information is gathered:

1. *End User Content*: Ask Eve AI collects Personal Data that the End User provides in the input to our Services ("Content") as is.
2. *Communication Information*: If the Customer communicates with Ask Eve AI, such as via email, our pages on social media sites or the chatbots or other interfaces we provide to our services, Ask Eve AI may collect Personal Data like name, contact information, and the contents of the messages the Customer sends ("Communication Information"). End User personal information may be provided by the End User in interactions with Ask Eve AI's services, and as such will be stored in Ask Eve AI's services as is.

**User Data:**

Ask Eve AI collects information the User may provide to Ask Eve AI, such as when you participate in our events, surveys, ask us to get in contact or provide us with information to establish your identity or age.

**Technical Data:**

When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions ("Technical Information"):

1. *Log Data*: Ask Eve AI collects information that your browser or device automatically sends when the Customer uses the Services. Log data includes the Internet Protocol address, browser type and settings, the date and time of your request, and how the Customer interacts with the Services.
2. *Usage Data*: Ask Eve AI collects information about the use of the Services, such as the types of content that the Customer views or engages with, the features the Customer uses and the actions the Customer takes, as well as the Customer's time zone, country, the dates and times of access, user agent and version, type of computer or mobile device, and the Customer's computer connection.
3. *Interaction Data*: Ask Eve AI collects the data you provide when interacting with its services, such as interacting with a chatbot or similar advanced means.
4. *Device Information*: Ask Eve AI collects information about the device the Customer uses to access the Services, such as the name of the device, operating system, device identifiers, and browser you are using. Information collected may depend on the type of device the Customer uses and its settings.
5. *Location Information*: Ask Eve AI may determine the general area from which your device accesses our Services based on information like its IP address for security reasons and to make your product experience better, for example to protect the Customer's account by detecting unusual login activity or to provide more accurate responses. In addition, some of our Services allow the Customer to choose to provide more precise location information from the Customer's device, such as location information from your device's GPS.
6. *Cookies and Similar Technologies*: Ask Eve AI uses cookies and similar technologies to operate and administer our Services, and improve your experience. If the Customer uses the Services without creating an account, Ask Eve AI may store some of the information described in this Agreement with cookies, for example to help maintain the Customer's preferences across browsing sessions. For details about our use of cookies, please read our Cookie Policy.

**External Data:**

Information Ask Eve AI receives from other sources:

Ask Eve AI receives information from trusted partners, such as security partners, to protect against fraud, abuse, and other security threats to the Services, and from marketing vendors who provide us with information about potential customers of our business services.

Ask Eve AI also collects information from other sources, like information that is publicly available on the internet, to develop the models that power the Services.

Ask Eve AI may use Personal Data for the following purposes:

- To provide, analyse, and maintain the Services, for example to respond to the Customer's questions for Ask Eve AI;
- To improve and develop the Services and conduct research, for example to develop new product features;
- To communicate with the Customer, including to send the Customer information about our Services and events, for example about changes or improvements to the Services;
- To prevent fraud, illegal activity, or misuses of our Services, and to protect the security of our systems and Services;
- To comply with legal obligations and to protect the rights, privacy, safety, or property of our users or third parties.

Ask Eve AI may also aggregate or de-identify Personal Data so that it no longer identifies the Customer and use this information for the purposes described above, such as to analyse the way our Services are being used, to improve and add features to them, and to conduct research. Ask Eve AI will maintain and use de-identified information in de-identified form and not attempt to re-identify the information, unless required by law.

As noted above, Ask Eve AI may use content the Customer provides to Ask Eve AI to improve the Services, for example to train the models that power Ask Eve AI. Read [our instructions](https://help.openai.com/en/articles/5722486-how-your-data-is-used-to-improve-model-performance) on how you can opt out of our use of your Content to train our models.

## Instructions

Data Processor shall only Process Personal Data of Data Controller on behalf of the Data Controller and in accordance with this Data Processing Agreement, solely for the Purposes and the eventual instructions of the Data Controller, and to the extent, and in such a manner, as is reasonably necessary to provide the Services in accordance with the Agreement. Data Controller shall only give instructions that comply with the Data Protection Legislation.

## Applicable mandatory laws

Data Processor shall only Process as required by applicable mandatory laws and always in compliance with Data Protection Legislation.

## Transfer to a third party

Data Processor uses functionality of third-party services to realise its functionality. For the purpose of realising Ask Eve AI's functionality, and only for this purpose, information is sent to its sub-processors.

Data Processor shall not transfer or disclose any Personal Data to any other third party and/or appoint any third party as a sub-processor of Personal Data unless it is legally required or in case of a notification to the Data Controller by which the Data Controller gives its consent.

## Transfer to a Third Country

Data Processor shall not transfer Personal Data (including any transfer via electronic media) to any Third Country without the prior written consent of the Data Controller, except for the following.

The Parties agree that Personal Data can only be transferred to and/or kept with a recipient outside the European Economic Area (EEA) in a country that does not fall under an adequacy decision issued by the European Commission by exception, and only if necessary to comply with the obligations of this Agreement or when legally required. Such transfer shall be governed by the terms of a data transfer agreement containing standard contractual clauses as published in the Decision of the European Commission of June 4, 2021 (Decision (EU) 2021/914), or by other mechanisms foreseen by the applicable data protection law.

The Data Processor shall, prior to the international transfer, inform the Data Controller about the particular measures taken to guarantee the protection of the Personal Data of the Data Subject in accordance with the Regulation.

## Data secrecy

The Data Processor shall maintain data secrecy in accordance with applicable Data Protection Legislation and shall take all reasonable steps to ensure that:

> (1) only those Data Processor personnel and the Sub-Processor personnel that need to have access to Personal Data are given access, and only to the extent necessary to provide the Services; and

> (2) the Data Processor and the Sub-Processor personnel entrusted with the processing of, or who may have access to, Personal Data are reliable, familiar with the requirements of data protection and subject to appropriate obligations of confidentiality and data secrecy in accordance with applicable Data Protection Legislation, and at all times act in compliance with the Data Protection Obligations.

## Appropriate technical and organizational measures

Data Processor has implemented (and shall comply with) all appropriate technical and organizational measures to ensure the security of the Personal Data, to ensure that processing of the Personal Data is performed in compliance with the applicable Data Protection Legislation and to ensure the protection of the Personal Data against accidental or unauthorized access, alteration, destruction, damage, corruption or loss as well as against any other unauthorized or unlawful processing or disclosure ("Data Breach"). Such measures shall ensure best practice security, be compliant with Data Protection Legislation at all times and comply with the Data Controller's applicable IT security policies.

Data Controller has also introduced technical and organizational measures, and will continue to introduce them to protect its Personal Data from accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. For the sake of clarity, the Data Controller is responsible for the access control policy, registration, de-registration and withdrawal of the access rights of the Users or Consultant(s) to its systems, for the access control, registration, de-registration and withdrawal of automation access codes (API Keys), and is also responsible for the complete physical security of its environment.

## Assistance and co-operation

The Data Processor shall provide the Data Controller with such assistance and co-operation as the Data Controller may reasonably request to enable the Data Controller to comply with any obligations imposed on it by Data Protection Legislation in relation to Personal Data processed by the Data Processor, including but not limited to:

> (1) on request of the Data Controller, promptly providing written information regarding the technical and organizational measures which the Data Processor has implemented to safeguard Personal Data;

> (2) disclosing full and relevant details in respect of any and all government, law enforcement or other access protocols or controls which it has implemented, but only in so far as this information is available to the Data Processor;

> (3) notifying the Data Controller as soon as possible, and as far as it is legally permitted to do so, of any access request for disclosure of data which concerns Personal Data (or any part thereof) by any Regulator, or by a court or other authority of competent jurisdiction. For the avoidance of doubt, and as far as it is legally permitted to do so, the Data Processor shall not disclose or release any Personal Data in response to such a request served on the Data Processor without first consulting with and obtaining the written consent of the Data Controller;

> (4) notifying the Data Controller as soon as possible of any legal or factual circumstances preventing the Data Processor from executing any of the instructions of the Data Controller;

> (5) notifying the Data Controller as soon as possible of any request received directly from a Data Subject regarding the Processing of Personal Data, without responding to such request. For the avoidance of doubt, the Data Controller is solely responsible for handling and responding to such requests;

> (6) notifying the Data Controller immediately in writing if it becomes aware of any Data Breach and providing the Data Controller, as soon as possible, with information relating to the Data Breach, including, without limitation, but only insofar as this information is readily available to the Data Processor: the nature of the Data Breach and the Personal Data affected, the categories and number of Data Subjects concerned, the number of Personal Data records concerned, measures taken to address the Data Breach, and the possible consequences and adverse effects of the Data Breach;

> (7) where the Data Controller is legally required to provide information regarding the Personal Data Processed by Data Processor and its Processing to any Data Subject or third party, the Data Processor shall support the Data Controller in the provision of such information when explicitly requested by the Data Controller.

# Audit

At the Data Controller's request the Data Processor shall provide the Data Controller with all information needed to demonstrate that it complies with this Data Processing Agreement. The Data Processor shall permit the Data Controller, or a third-party auditor acting under the Data Controller's direction (but only to the extent this third-party auditor cannot be considered a competitor of the Data Processor), to conduct, at the Data Controller's cost (for internal and external costs), a data privacy and security audit concerning the Data Processor's data security and privacy procedures relating to the processing of Personal Data, and its compliance with the Data Protection Obligations, but not more than once per contract year. The Data Controller shall provide the Data Processor with at least thirty (30) days prior written notice of its intention to perform an audit. The notification must include the name of the auditor and a description of the purpose and the scope of the audit. The audit has to be carried out in such a way that the inconvenience for the Data Processor is kept to a minimum, and the Data Controller shall impose sufficient confidentiality obligations on its auditors. Every auditor who performs an inspection will at all times be accompanied by a dedicated employee of the Processor.

# Liability

Each Party shall be liable for any suffered foreseeable, direct and personal damages ("Direct Damages") resulting from any attributable breach of its obligations under this Data Processing Agreement. If one Party is held liable for a violation of its obligations hereunder, it undertakes to indemnify the non-defaulting Party for any Direct Damages resulting from any attributable breach of the defaulting Party's obligations under this Data Processing Agreement or any fault or negligence in the performance of this Data Processing Agreement. Under no circumstances shall the Data Processor be liable for indirect, incidental or consequential damages, including but not limited to financial and commercial losses, loss of profit, increase of general expenses, lost savings, diminished goodwill, damages resulting from business interruption or interruption of operation, damages resulting from claims of customers of the Data Controller, disruptions of planning, loss of anticipated profit, loss of capital, loss of customers, missed opportunities, loss of advantages or corruption and/or loss of files resulting from the performance of the Agreement.

If it appears that both the Data Controller and the Data Processor are responsible for the damage caused by the processing of Personal Data, both Parties shall be liable and pay damages in accordance with their individual share in the responsibility for the damage caused by the processing.

In any event the total liability of the Data Processor under this Agreement shall be limited to the cause of damage and to the amount that equals the total amount of fees paid by the Data Controller to the Data Processor for the delivery and performance of the Services for a period of not more than twelve months immediately prior to the cause of damages. In no event shall the Data Processor be held liable if the Data Processor can prove it is not responsible for the event or cause giving rise to the damage.

# Term

This Data Processing Agreement shall be valid for as long as the Customer uses the Services.

After the termination of the Processing of the Personal Data, or earlier upon request of the Data Controller, the Data Processor shall cease all use of Personal Data and delete all Personal Data and copies thereof in its possession unless otherwise agreed or when deletion of the Personal Data should be technically impossible.

# Governing law -- jurisdiction

This Data Processing Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with Belgian Law.

Any litigation relating to the conclusion, validity, interpretation and/or performance of this Data Processing Agreement or of subsequent contracts or operations derived therefrom, as well as any other litigation concerning or related to this Data Processing Agreement, without any exception, shall be submitted to the exclusive jurisdiction of the courts of Gent, Belgium.

# Annex 1

# Sub-Processors

The Data Controller hereby agrees to the following list of Sub-Processors, engaged by the Data Processor for the Processing of Personal Data under the Agreement:

# Annex 2

# Technical and organizational measures

# 1. Purpose of this document

This document contains an overview of the technical and operational measures which are applicable by default within Ask Eve AI. The actual measures taken depend on the services provided and the specific customer context. Ask Eve AI guarantees it has for all its services and sites the necessary adequate technical and operational measures included in the list below, following a Data Protection Impact Assessment (DPIA).

These measures are designed to:

1. ensure the security and confidentiality of Ask Eve AI managed data, information, applications and infrastructure;
2. protect against any anticipated threats or hazards to the security and integrity of Personal Data, Ask Eve AI Intellectual Property, Infrastructure or other business-critical assets;
3. protect against any actual unauthorized processing, loss, use, disclosure or acquisition of or access to any Personal Data or other business-critical information or data managed by Ask Eve AI.

Ask Eve AI ensures that all its Sub-Processors have provided the necessary and required guarantees on the protection of personal data they process on Ask Eve AI's behalf.

Ask Eve AI continuously monitors the effectiveness of its information safeguards and organizes a yearly compliance audit by a Third Party to provide assurance on the measures and controls in place.

# 2. Technical & Organizational Measures

Ask Eve AI has designed, invested in and implemented a dynamic multi-layered security architecture protecting its endpoints, locations, cloud services and custom-developed business applications against today's variety of cyberattacks, ranging from spear phishing, malware and viruses to intrusion, ransomware and data loss / data breach incidents by external and internal bad actors.

This architecture, internationally recognized and awarded, is a combination of automated proactive, reactive and forensic quarantine measures and Ask Eve AI internal awareness and training initiatives that creates an end-to-end chain of protection to identify, classify and stop any potential malicious action on Ask Eve AI's digital infrastructure. Ask Eve AI uses an intent-based approach where activities are constantly monitored, analysed and benchmarked instead of relying solely on a simple authentication/authorization trust model.

## General Governance & Awareness

As a product company, Ask Eve AI is committed to maintaining and preserving an IT infrastructure that has a robust security architecture, complies with data regulation policies and provides a platform to its employees for flexible and effective work and collaboration activities with each other and our customers.

Ask Eve AI IT has a cloud-first and cloud-native strategy and as such works with several third-party vendors that store and process our company data. Ask Eve AI IT aims to work exclusively with vendors that are compliant with the national and European Data Protection Regulations. Transfers of Personal Data to third countries are subject to compliance by the third-country Processor/Sub-Processor with the Standard Contractual Clauses as launched by virtue of the EU Commission Decision 2010/87/EU of 5 February 2010, as updated by the EU Commission Decision (EU) 2021/914 of 4 June 2021, unless the third country of the Processor/Sub-Processor has been qualified as providing an adequate level of protection for Personal Data by the European Commission (a.o. EU-U.S. Data Privacy Framework).

Ask Eve AI has an extensive IT policy applicable to any employee or service provider that uses Ask Eve AI platforms or infrastructure. This policy informs the user of his or her rights & duties and informs the user of existing monitoring mechanisms to enforce security and data compliance. The policy is updated regularly and is an integrated part of new employee onboarding and of continuous training and development initiatives on internal tooling and cyber security.

Ask Eve AI IT has several internal policies on minimal requirements before an application, platform or tool can enter our application landscape. These include encryption requirements, DLP requirements, transparent governance & licensing requirements and certified support contract procedures & certifications.

These policies are actively enforced through our endpoint security, CASB and cloud firewall solutions. Any infraction on these policies is met with appropriate action and countermeasures and may result in a complete ban from using and accessing Ask Eve AI's infrastructure and platforms, or even additional legal action against employees, clients or other actors.

## Physical Security & Infrastructure

Ask Eve AI has deployed industry-standard physical access controls to its location for employee presence and visitor management.

Restricted environments including network infrastructure, data center and server rooms are safeguarded by additional access controls, and access to these rooms is audited. CCTV surveillance is present in all restricted and critical areas.

Fire alarm and firefighting systems are implemented for employee and visitor safety. Regular fire simulations and evacuation drills are performed.

Clean desk policies are enforced; employees regularly in contact with sensitive information have private offices and follow-me printing enabled.

Key management governance is implemented and handled by Facilities.

## Endpoint Security & User Accounts

All endpoints and any information stored are encrypted using enterprise-grade encryption on all operating systems supported by Ask Eve AI.

Ask Eve AI has implemented a centrally managed anti-virus and malware protection system for endpoints, email and document stores.

Multifactor Authentication is enforced on all user accounts where possible.

Conditional Access is implemented across the entire infrastructure, limiting access to specific regions and setting minimum requirements for the OS version, network security level, endpoint protection level and user behavior.

Only vendor-supplied updates are installed.

Ask Eve AI has deployed a comprehensive device management strategy to ensure endpoint integrity and policy compliance.

Access is managed according to role-based access control principles and all user behavior on Ask Eve AI platforms is audited.

## Data Storage, Recovery & Securing Personal Data

Ask Eve AI has deployed:

- An automated multi-site encrypted back-up process with daily integrity reviews.
- The possibility for the anonymization, pseudonymization and encryption of Personal Data.
- The ability to monitor and ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
- A logical separation between its own data, the data of its customers and suppliers.
- A process to keep processed data accurate, reliable and up-to-date.
- Records of the processing activities.
- Data retention policies.

## Protection & Insurance

Ask Eve AI has a cyber-crime insurance policy. Details on the policy can be requested through the legal department.