AI, Security, and Compliance
We know your data is extremely important to you and your business. This resource outlines safeguards, supporting documentation, and compliance links when formal certifications or attestations may be required.
The Vurvey infrastructure is architected to be an enterprise-ready, secure, and high-performance SaaS environment to provide a scalable place for companies to co-create together with their customers. In addition to the security provided by the Vurvey hosting environment, there are additional security measures built into the platform including:
- Single sign-on (SSO)
- Two-factor authentication (2FA)
- Sophisticated user permissions
- Activity stream (for audits)
- History of all changes (for audits)
- Passcodes to secure surveys and presentations
- Data encryption at rest
Encryption and Access
We encrypt communication between customers, creators, and our data centers with strong encryption. Every login and in-app page in Vurvey is secured through SSL. All data is encrypted at rest using AES-256 encryption. In addition, we employ a dedicated network service and firewall to block unauthorized access. Beyond encryption, we enforce access controls for all employees. Vurvey employees are not able to access customer or creator data unless specifically authorized to do so for support.
Data Compliance
The Vurvey cloud infrastructure is housed in Google data centers. This level of data center security allows Vurvey to be compliant with the highest industry standards.
- ISO/IEC 27001: ISO 27001 provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.
- ISO/IEC 27017:2015: ISO 27017:2015 provides guidelines for information security controls applicable to the provision and use of cloud services.
- ISO/IEC 27018: ISO 27018 focuses on privacy and security controls for public-cloud service providers that process personally identifiable information (PII).
- SOC 3: The SOC report has been developed based on the Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) Trust Service Criteria (TSC). The SOC 3 is a public report of internal controls over security, availability, processing integrity, and confidentiality.
- CSA STAR: The CSA’s Security, Trust and Assurance Registry Program (CSA STAR) is designed to help customers assess and select a cloud service provider. The CSA STAR Level 1 – Customer Assessment Initiative Questionnaire (CAIQ) is a self-assessment that evaluates a cloud provider against CSA’s Cloud Control Matrix.
All Vurvey customers can access our enterprise Trust Center, powered by Vanta.com, that includes detailed controls, third-party audits, and supporting documentation for security and compliance. To gain access, please visit https://trust.vurvey.ai
AI and Your Data
Vurvey includes a suite of artificial intelligence (“AI”) tools that help users analyze, summarize, and generate outputs. We recognize that the use of AI tools, and particularly Generative AI tools, can increase productivity and innovation, and Vurvey supports the use of AI tools in a safe, ethical, and secure manner. Vurvey utilizes responsible AI practices while protecting against and mitigating risks of misuse, legal implications, unethical outcomes, potential biases, inaccuracy, and information security or data security breaches.
- Vurvey AI is a combination of data collection, processing, and user interface.
- The process of generating AI outputs starts with collecting accurate and trustworthy data through consumer responses and/or customer-supplied datasets that may include documents, files, and instructions.
- Datasets are converted into numerical representations, called embeddings, that our machine learning (ML) and AI systems use to understand complex knowledge domains. Together, these create a holistic AI capability which includes agents (multi-step processes) and personas (tones, guidelines).
- The source data, along with the resulting embeddings, and Vurvey AI configurations are all securely stored in the Vurvey platform (hosted within a Virtual Private Network on the Google Cloud Platform).
- Vurvey’s chat-style interface allows workspace users to choose source data (for grounding), along with an agent and persona, to pass to a large language model for reasoning. The resulting output can be saved within the workspace if desired.
- Our chat-style interface means users are in control of what data to use and what outputs to produce.
- In addition, the chat-style interface provides a simple feedback feature where users can give results a thumbs up or thumbs down. This information, combined with additional metrics such as precision and recall, is used to reduce the likelihood of hallucinations.
Large Language Models (LLMs)
Vurvey has contracted with Anthropic, Google Cloud, and other third-party providers to use their Large Language Models (LLMs). These LLMs serve as a “reasoning” engine. Per our service agreements with Anthropic and Google Cloud, the data we exchange with the LLMs is not used for training purposes. Any prompts and outputs are automatically deleted on the backend within 28 days of receipt or upon generation.
- We use caution with confidential customer information in AI tools, avoiding submission of sensitive data unless a) explicitly authorized and/or b) we have platform assurances that such data will not be used for training publicly available Large Language Models (LLMs).
- We do not fine-tune large language models. Fine-tuning alters the parameters and weights of an existing model by supplying labeled data. This has the potential to weaken built-in safety measures as well as leak sensitive data.
- We anonymize all users by generating pseudo-identifiers. Personally identifiable information for users is never shared with the large language model.
- We comply with all customer agreements, policies, and directives in our AI deployments.
EU-U.S. Privacy Shield
Vurvey complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. More information about EU-U.S. Privacy Shield Framework is available here.
General Data Protection Regulation (GDPR)
Vurvey complies with the General Data Protection Regulation regarding processing of personal data of people in the European Union. More information about GDPR is available here.
California Consumer Privacy Act
Vurvey is compliant with the CPRA and CCPA by building robust privacy and security protections into our services and contracts. The California Privacy Rights Act (CPRA) is a data privacy law that amends and expands upon the California Consumer Privacy Act (CCPA). You can find more information about the CCPA on the California Office of the Attorney General’s website.
Secure Data Centers
The Vurvey cloud infrastructure is housed in highly secure, distributed data centers, which use state-of-the-art electronic surveillance and multi-factor access control systems. Data centers are staffed 24 hours a day by trained security guards, and access is authorized strictly on a least-privilege basis. Environmental systems in the data centers are designed to be redundant and to minimize unforeseen disruptions, and all personnel must be screened when leaving areas that contain customer data.
If you have additional questions about our security and compliance policies, please email [email protected]