Data Privacy of Knowledge Base
# 🤝help
f
Hello, I am working with a potential client looking to build out an internal training bot. They wish to store sensitive personal information about team members within the bot's knowledge base, but are querying how this data is stored/processed and whether it is compliant with EU GDPR and data privacy rules. Is there anything that can help me here? I have looked at the privacy statement and it doesn't seem too helpful.
d
Any chance you can put it on the roadmap? We have a whole Discord full of people just in Germany and most are somewhat hesitant to move forward building anything; it's a blocker for the whole of the EU. There are some trigger-happy lawyers that check websites and fine everyone for a living (joys of the internet). I can imagine it can be broken down into several smaller steps:
- hosting in a datacenter in the EU
- a privacy declaration
- option to delete customer chats
...
I understand though it might not be in scope.
I see none of the big US competitors currently has compliance here and it's a rather big deal. The first one that gets it will probably take the market due to fast saturation (and most US companies will not bother to get it).
f
Hi @dry-nightfall-32769, it is definitely on our roadmap. I made sure that our team has got the messages 🙂 Thanks for sharing 🙂
d
No worries. I know it's not necessarily in scope (with cause); thank you for taking it under consideration. I thought I'd provide background on whether it is a blocker or a "nice to have". Thank you for investing so much in talking to customers.
f
It is a pleasure to talk to our customers 🙂
And thanks for providing the detailed information 🙂
Can I ask you to drop a feature request here: #1111026806254993459. Or if it is there already, can you click on the 🆙 button?
f
Botpress itself is equipped to handle privacy complaints and requests. Are you asking for a way to manage the compliance of your business, like handling conversation erasures and such yourself?
We are working on a localisation for Europe. However, data transfers to the US are not GDPR non-compliant anymore; the adequacy decision allows it: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721
You can already link a privacy statement in your webchat config. Typically the privacy team would adapt it to include disclosures specific to the webchat as well as the website or service more broadly.
f
@dry-nightfall-32769, tell me what you think 🙂
d
Great news on localisation! What do the lawyers think on the other criteria? E.g., "manage the compliance of your business, like yourself handling conversation erasures and stuff like that": yes. It's not clear to me where chats are stored and how to erase them. To my understanding the "right to be forgotten" is part of being GDPR compliant: https://gdpr.eu/data-privacy/
f
So currently a request would be posted to Botpress to "forget" the user.
What you are asking is the ability for your own team to manage requests for erasure?
d
The request is to do the remaining mandatory points to be GDPR compliant. I am not a lawyer, so I cannot be certain which ones have to be covered.
To my understanding, yes, being able to delete individual conversations might be needed, and perhaps a rolling maximum of history kept, e.g. 30 or 60 days. But a lawyer knows best. From my time in a big European tech company, we had to set a rollover time on logs, remove PII from logging and a few others, but it might be overkill. Only the mandatory ones are needed.
f
Here you can find more details about some of the measures in place to ensure GDPR compliance at Botpress: https://botpress.com/legal/data-processing-agreement We also use the third party Drata to map out GDPR compliance controls.
d
Haha, this gives a 500: https://drata.com/product/gdpr I heard about Drata; amazing that you are in the process. Any ETA?
f
A 500? It works on my side.
d
Ah, client-side issue on my side, never mind; I should read the error message better. Do you have a timeline you can share? Thank you already for the feedback.
Small ping: would you be able to give an estimate on the timeline?
f
Hi @dry-nightfall-32769
Nothing is currently missing to administer European data on the service.
We are working on providing more documentation to make it easier for clients' privacy teams or security teams to self-serve the information they need.
For KBs, the information contained is not used to train anything on our side, and our third party OpenAI also does not use the data for training their algorithm, according to their API TOS.
Happy to jump on a call to run you through any information you might need in the short term, to make sure you are running a service up to your client's requirements.
d
That would be perfect. I will write you directly.
h
@freezing-printer-49373 sent you a friend invite to ask you some questions about this subject.
f
Can you reach out to legal@botpress.com?
f
@freezing-printer-49373 Has BotPress signed up to the EU-US Data Privacy Framework Program? That way we will know that it's covered by the adequacy decision.
f
For questions on that topic please reach out through the email given above.
h
Sent you an email 😀