Use of OpenAI and Data Protection – Athento

Athento offers integration with OpenAI for different uses within the platform, such as:

The use of OpenAI is voluntary and must be enabled by the client.

OpenAI has several privacy and GDPR certifications, such as SOC2 and 3.

More information can be found in its security center: https://trust.openai.com/.

Features to take into account regarding data protection if you use Athento and Open AI integration in your Athento installation:

Data sent to ChatGPT Team, ChatGPT Enterprise, or the API Platform, unless opted-in, will not be used to train the tool. However, OpenAI may subject any business data sent to OpenAI services through automated content classifiers and security tools to better understand how its services are being used. The classifications created are metadata about the business data, but do not contain any of the business data itself. Business data is only subject to human review on a service-by-service basis.
The rights to the entries made in the OpenAI services belong to the customer. Likewise, the customer owns any output/results it legitimately receives from OpenAI services, to the extent permitted by law.
OpenAI's only rights are to the input and output data necessary to provide its services, comply with applicable law and enforce its policies.

Data retention and deletion

OpenAI may securely retain API inputs and outputs for varying periods (around 30 days) to provide the services and identify abuse. After their respective retention period, API inputs and outputs are removed from the systems, unless OpenAI is legally required to retain them. You can also request zero data retention (ZDR) for eligible endpoints if you have a qualified use case.
Regarding ChatGPT Enterprise: It is possible to define the data retention period. The minimum retention period for workspaces is 90 days. Deleted conversations are removed from ChatGPT systems within 30 days, unless OpenAI is legally required to retain them. Please note that retention enables features such as conversation history, and shorter retention periods may compromise the product experience.

In the following link you can check the sub-loaders that OpenAI makes use of: https://platform.openai.com/subprocessors
In the following link, you will find the OpenAI security portal, where you can see the specifications in all the security fields. https://trust.openai.com/
To help with GDPR compliance, Athento has a Data Processing Addendum with OpenAI for the use of the dedicated enterprise tools (ChatGPT Enterprise, ChatGPT Team and the API).
OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access the data, among other measures.
OpenAI guarantees that they have been audited and certified for SOC 2 Type 2 Compliance.
Finally, it is important to note that for transferring your Personal Data outside the European Economic Area, Switzerland or the United Kingdom, OpenAI relies on the European Commission's adequacy decisions for certain countries and, for other jurisdictions, which do not provide the adequate level of protection, on the Standard Contractual Clauses approved by the European Commission and any applicable country addenda.