This article explains how data security is protected when you use Comm100 GPT features.

Compliance of Comm100 GPT Features

Agent Assist Summarization

When you use Agent Assist to generate a summary of a ticket or a chat, the content of the ticket or chat is transmitted to the Azure OpenAI Service as a prompt. The Azure OpenAI Service then processes the data and generates the summary, utilizing non-fine-tuned Azure OpenAI models, without employing embedding techniques.

Transmitted Content of Tickets

For a ticket, the content transmitted to the Azure OpenAI Service for summarization includes:

• Text messages, together with the sender name and timestamps. If Credit Card Masking is enabled, credit card numbers in the text message are masked automatically. 
• System messages within the ticket.

The following elements in a ticket are NOT transmitted:

• Images
• Attachments in any format
• Ticket fields
• Contact fields

Transmitted Content of Chats

For a chat, the content transmitted to the Azure OpenAI Service for summarization includes:

• Text messages sent during the chat, together with sender name and timestamps. If Credit Card Masking is enabled, credit card numbers in the text message are masked automatically.
• System messages within the chat.

The following elements in a chat are not transmitted:

• Images
• Attachments in any format
• Chat fields
• Pre-chat form fields
• Session fields
• Custom fields
• Custom variables

Chatbot Generative Answers

If you enable Generative Answer feature for a chatbot, the chatbot will use Azure OpenAI Service to answer the visitor’s question. This feature only works in the Comm100 Live Chat channel.

To use the Generative Answers feature, you need to add Contents as the answer sources for the Chatbot. The Contents, which can be online public webpages or local files, are sent to Azure OpenAI Service for embedding purposes. Comm100 does not fine-tune any GPT models in Azure OpenAI Service.

During a chat, when a visitor asks a question, the chatbot will send data to Azure OpenAI Service as a prompt to generate an answer. The data sent to Azure OpenAI Service includes:

• Text messages sent during the chat, without the sender name or timestamps. If Credit Card Masking is enabled, credit card numbers in the text message are masked automatically.
• The Contents relevant to the visitor’s question.

The following elements in a chat are not transmitted:

• Images
• Attachments in any format
• Chat fields
• Pre-chat form fields
• Session fields
• Custom fields
• Custom variables
• System messages within the chat

If Contents or text messages contain personal data such as the customer’s name, the data are also sent to Azure OpenAI Service

Chatbot Generate Similar Questions for Intents

For Custom Answers, the Chatbot can help you set up intents by generating similar questions for the intent. When you use this feature, the existing questions for the intent are sent to Azure OpenAI Service as a prompt to generate new questions.

Comm100 does not fine-tune any GPT models in Azure OpenAI Service for this feature.

Data Privacy of Azure OpenAI Service

It is important to emphasize that the data transmitted to the Azure OpenAI Service adheres to strict privacy standards and is subjected to the following constraints:

• The data is not accessible to other Comm100 or Microsoft customers.
• OpenAI, Inc. does not have access to the transmitted data.
• The data is not used to improve OpenAI models.
• The data is not used to improve any Comm100 or Microsoft products or services.
• The data is not used for automatically improving Azure OpenAI models for your use in your resource.

Azure OpenAI Service Compliance

Microsoft Azure OpenAI Service is compliant with the following standards:

• CSA STAR Attestation
• ISO 27001:2013
• ISO 27017:2015
• ISO 27018:2019
• ISO 27701:2019
• ISO 9001:2015
• SOC 1, 2, 3
• HIPAA BAA
• Germany C5

How Long will Azure OpenAI Service Store the Data

To reduce the risk of harmful use of the Azure OpenAI Service, the Azure OpenAI Service includes both content filtering and abuse monitoring features. 

Azure OpenAI abuse monitoring detects and mitigates instances of recurring content and/or behaviors that suggest use of the service in a manner that may violate the code of conduct or other applicable product terms. To detect and mitigate abuse, Azure OpenAI stores all prompts and generated content securely for up to thirty (30) days. 

The data store where prompts and completions are stored is logically separated by customer resource (each request includes the resource ID of the customer’s Azure OpenAI resource). A separate data store is located in each region in which the Azure OpenAI Service is available, and a customer’s prompts and generated content are stored in the Azure region where the customer’s Azure OpenAI service resource is deployed, within the Azure OpenAI service boundary. Human reviewers assessing potential abuse can access prompts and completions data only when that data has been flagged by the abuse monitoring system. The human reviewers are authorized Microsoft employees who access the data via point wise queries using request IDs, Secure Access Workstations (SAWs), and Just-In-Time (JIT) request approval granted by team managers. For Azure OpenAI Service deployed in the European Economic Area, the authorized Microsoft employees are located in the European Economic Area.

Where is the Azure OpenAI Service Used by Comm100 Located?

The location of Azure OpenAI Service used by Comm100 varies depending on the domain of your account.

Azure OpenAI Service Data Management

The Azure OpenAI Service is fully controlled by Microsoft; Microsoft hosts the OpenAI models in Microsoft’s Azure environment and the Service does NOT interact with any services operated by OpenAI, Inc. (For example, ChatGPT, or the OpenAI API).

To learn the details about how Azure OpenAI processes and stores data, refer to Microsoft Cognitive Services OpenAI Data Privacy.