ChatGPT for Confluence privacy FAQ
Privacy is at the heart of everything we do at eesel. Our extension is Fast Company’s top new apps of 2022 and has 11k monthly users in companies like Atlassian, Shopify and Intercom. A key reason for our success has been our privacy first approach.
We’re now kicking off an app for Confluence and Slack. You’ll be able to ask any question to the app and it will answer based on your company knowledge. Here’s a run through privacy related questions. For any clarifications, simply email email@example.com.
What data does the app read and why?
You maintain full control over the data the app can access. Here's how it operates:
Access to Page data: The browser extension reads the page title and content of tabs when you explicitly initiate an import. It doesn't read any other page data. Instead of giving full API access to Google Docs, Notion, Confluence, and so on, you can specifically decide which pages the app can read. This page data is critical to generate accurate responses to your queries.
Access to Slack Conversation data: If you choose to enable this, the app for Slack reads messages from channels where it has been explicitly added. It cannot access messages from any public or private channel where it hasn't been explicitly been invited. This Slack conversation data is critical to generate accurate responses to your queries.
In both instances, the app is only an observer of the data you explicitly grant access to, ensuring privacy and control over your data.
How is the data stored?
The data you provide access to is securely stored in a SOC2 Type II certified vector database in the form of embeddings (mathematical representations). These embeddings are crucial for the app to answer questions. When a request is made, the app utilizes the embeddings to find related pages and conversations, and shares only specific relevant snippets with OpenAI to generate the response.
How long is the data retained?
Data is retained throughout the subscription period and for an additional 30 days after subscription termination. After this period, all associated data is permanently deleted. Data shared with OpenAI is retained for abuse and misuse monitoring for a maximum of 30 days, and then it is deleted.
What security measures have been implemented?
Security is a top priority for us and we have implemented various best practices to ensure data protection. Here are some key measures:
Secure Data Storage: We use Pinecone, a SOC2 Type II certified vector database, to store data securely. Our system uses a multi-tenant architecture, ensuring that customer data is isolated from one another.
Encryption and Network Security: We follow several best practices like using Transport Layer Security (TLS) to encrypt all traffic. Network security measures, including firewalls, are implemented to protect against unauthorized access.
Access Controls and Data Handling: Access control is enforced through Identity and Access Management (IAM) mechanisms, ensuring that only authorized personnel can access sensitive data. We have 2FA on all sensitive tools, and handle client ID, secret, and bot tokens with utmost care.
Least Privilege Principle: We only request the necessary scopes and "least privilege" tokens required for the app's functionality. For example, we request messaging access only for Slack channels the bot is explicitly added to, which is crucial for the app to function.
Role-Based Access Control (RBAC): By default, only the admin user, who initially installed the app, has access to configure the app (like add more pages on which the responses are based). We have RBAC mechanisms that allow the admin to grant explicit access permissions to authorized personnel. This ensures that only individuals with the necessary authorization can configure the app.
Security Audits and Penetration Testing: We regularly perform security audits and penetration testing to identify and address any potential vulnerabilities promptly. We can provide a summary of the last internal penetration report on request.
Supplier Management: We conduct risk assessments of suppliers in accordance with our supplier management policy.
We understand that you trust us with your data when you use our app, and we don't take that trust lightly. Feel free to reach out for any clarifications and additional questions.
What subprocessors do you use?
Here is a full list of sub processors: eesel Subprocessor list. OpenAI is a key service we use to power the app.
What does Open AI / ChatGPT do with the data shared?
OpenAI does not use data submitted to train or improve their models. Any data sent is retained for abuse and misuse monitoring purposes for a maximum of 30 days, after which it is deleted. You can read more here.
What scopes does the app for Slack request and why?
Read access for channels eesel is added to: eesel reads messages for channels it gets added to in order to answer the questions you have. This is critical to the value that the app provides.
General info about your workspace: eesel reads basic information about your Slack workspace (like channel names, teammate names) in order to give more relevant answers based on who asks the question / where the question is asked.
Access to message as @eesel: eesel needs to respond to questions that are asked .
Is this GDPR compliant?
We strictly adhere to GDPR guidelines, collecting and processing data only when necessary, never transferring or selling user data. We've updated our policy to host data exclusively on EU servers upon request and our subprocessors, OpenAI and Pinecone, are SOC2 Type II certified for robust data security. Here's a full run through of how we are GDPR compliant.
How can I request access, transfer, or deletion of my data?
You can request access, transfer or deletion of your associated data with eesel by emailing us at firstname.lastname@example.org. We will delete all of your associated data within 30 days of receiving a request.