ViaSay and Azure OpenAI Compliance

This document complements our DPA, available on our website, and provides an overview of how ViaSay manages AI to ensure data privacy, security, and compliance with GDPR. It outlines our use of Microsoft Azure’s secure EU-based infrastructure, strict data access controls, and encryption measures, as well as the independence of Azure OpenAI services from OpenAI to keep your data fully under your control.

Independence of Azure OpenAI Services

👍

Your data remains entirely within the EU and under your control.

ViaSay uses Microsoft Azure as its AI service provider, ensuring all hosting and deployment occur in France, within the EU. Azure OpenAI services operate independently from OpenAI, guaranteeing:

  • Complete data privacy and security.
  • No sharing of client data for model training or improvement.

📖

“Your prompts (inputs) and completions (outputs), your embeddings, and your training data:

  • are NOT available to other customers.
  • are NOT available to OpenAI.
  • are NOT used to improve OpenAI models.
  • are NOT used to train, retrain, or improve Azure OpenAI Service foundation models.
  • are NOT used to improve any Microsoft or 3rd party products or services without your permission or instruction.
  • Your fine-tuned Azure OpenAI models are available exclusively for your use.

The Azure OpenAI Service is operated by Microsoft as an Azure service; Microsoft hosts the OpenAI models in Microsoft's Azure environment and the Service does NOT interact with any services operated by OpenAI (e.g. ChatGPT, or the OpenAI API).”

Source: Data, privacy, and security for Azure OpenAI Service

GDPR Compliance

Data Residency and Sovereignty

👍

All services are hosted and deployed in France, within the European Union (EU) Data Zone.

👍

In France, Azure has certified data centers capable of hosting sensitive health data, demonstrating its ability to meet stringent local regulations.

Source: Microsoft Azure is now certified to host sensitive health data in France


Data Encryption

👍

Encrypted data at rest and in transit.

  • All data is encrypted both at rest and in transit using FIPS 140-2 compliant 256-bit AES encryption.
  • This ensures confidentiality, integrity, and compliance with industry standards.

Data Access and Retention

👍

Data is securely stored to detect abuse and deleted after 30 days.

  • Prompts and completions are securely stored for up to 30 days to detect abuse.
  • Only authorized Microsoft employees in the EU can access this data under strict controls.

📖

“To detect and mitigate abuse, Azure OpenAI stores all prompts and generated content securely for up to thirty (30) days. (No prompts or completions are stored if the customer is approved for and elects to configure abuse monitoring off, as described below.)”

Source: Microsoft OpenAI service privacy

📖

“The human reviewers are authorized Microsoft employees who access the data via point wise queries using request IDs, Secure Access Workstations (SAWs), and Just-In-Time (JIT) request approval granted by team managers. For Azure OpenAI Service deployed in the European Economic Area, the authorized Microsoft employees are located in the European Economic Area.”

Source: Microsoft OpenAI service privacy


Eligibility for Zero Data Retention

  • For eligible customers, Microsoft provides an option for zero data retention, ensuring that no data is stored beyond its intended use.

📖

“To address these concerns, Microsoft allows customers who meet additional Limited Access eligibility criteria and attest to specific use cases to apply to modify the Azure OpenAI content management features by completing this form.”

Source: Abuse Monitoring