Last Updated: January 22, 2024

Privacy Policy for DocGPT

Introduction

Privacy is at the heart of everything we do at eesel. Our extension is among Fast Company’s best new apps and has 11k monthly users in companies like Atlassian, Shopify and Intercom. A key reason for our success has been our privacy-first approach.

We’re now kicking off GPTs like Docs GPT. You’ll be able to ask the app any question and it will answer based on your company knowledge, like your Google Docs. Here’s a run-through of the privacy-related questions about this.

How is data accessed?

You have full control over what data is made available to the app. The app will read page data you give access to when you sign in via Google OAuth. We use the drive.file scope, which means that you will be able to pick exactly which pages you give access to. In addition, user profile data like name and email is requested to create an account and authorise you with eesel.

How is the data used?

When a question is asked to the app, the page data is the context the GPT bases its responses on. Specifically, when you ask a question, eesel finds the Google Docs, Slides and Sheets that are relevant to that question, passes them on as context for your ChatGPT, and then crafts a response for you. The app is only an observer of the data you explicitly grant access to, ensuring privacy and control over your data.

How is the data stored?

The data you provide access to is securely stored in a SOC2 Type II certified vector database in the form of embeddings (mathematical representations). These embeddings are crucial for the app to answer questions. When a request is made, the app uses the embeddings to find related pages and conversations, and shares only specific relevant snippets with OpenAI to generate the response.

How long is the data retained?

Data is retained throughout the subscription period and for an additional 30 days after subscription termination. After this period, all associated data is permanently deleted. Data shared with OpenAI is retained for abuse and misuse monitoring for a maximum of 30 days, and then it is deleted.

Is Google user data used or shared?

Google user data like name and email is never shared with any party. It's only used to authenticate and associate your account. Likewise, any access to your page data you provide (like your Google Docs, Slides or Sheets) is never shared with anyone. It is stored in your dedicated database, only for you to chat with.

What security measures have been implemented?

Security is a top priority for us and we have implemented various best practices to ensure data protection. Here are some key measures:

  1. Secure Data Storage: We use Pinecone, a SOC2 Type II certified vector database, to store data securely. Our system uses a multi-tenant architecture, ensuring that each customer's data is isolated from the others'.

  2. Encryption and Network Security: We follow several best practices like using Transport Layer Security (TLS) to encrypt all traffic. Network security measures, including firewalls, are implemented to protect against unauthorized access.

  3. Access Controls and Data Handling: Access control is enforced through Identity and Access Management (IAM) mechanisms, ensuring that only authorized personnel can access sensitive data. We have 2FA on all sensitive tools, and handle client ID, secret, and bot tokens with utmost care.

  4. Least Privilege Principle: We only request the necessary scopes and "least privilege" tokens required for the app's functionality. For example, we request messaging access only for Slack channels the bot is explicitly added to, which is crucial for the app to function.

  5. Role-Based Access Control (RBAC): By default, only the admin user, who initially installed the app, has access to configure the app (such as adding more pages on which the responses are based). We have RBAC mechanisms that allow the admin to grant explicit access permissions to authorized personnel. This ensures that only individuals with the necessary authorization can configure the app.

  6. Security Audits and Penetration Testing: We regularly perform security audits and penetration testing to identify and address any potential vulnerabilities promptly. We can provide a summary of the last internal penetration report on request.

  7. Supplier Management: We conduct risk assessments of suppliers in accordance with our supplier management policy.

We understand that you trust us with your data when you use our app, and we don't take that trust lightly. Feel free to reach out for any clarifications and additional questions.

What does OpenAI / ChatGPT do with the data shared?

OpenAI does not use data submitted to train or improve their models. Any data sent is retained for abuse and misuse monitoring purposes for a maximum of 30 days, after which it is deleted. You can read more here.

What subprocessors do you use?

Here is a full list of subprocessors: eesel Subprocessor list. OpenAI is the key service we use to power eesel AI.

How can I request access, transfer, or deletion of my data?

You can request access, transfer or deletion of your associated data with eesel by emailing us at hi@eesel.app. We will delete all of your associated data within 30 days of receiving a request.

Is this GDPR compliant?

We strictly adhere to GDPR guidelines, collecting and processing data only when necessary, and never transferring or selling user data. We've updated our policy to host data exclusively on EU servers upon request, and our subprocessors, OpenAI and Pinecone, are SOC2 Type II certified for robust data security. Here's a full run-through of how we are GDPR compliant.

Get set up in 2 minutes

It takes a few clicks to create an AI that knows about your company knowledge. Tinker and see for yourself.

No credit card required

© Copyright 2024, All Rights Reserved