Co-pilot FAQs

1. How does SecurityPal Copilot compare to the SecurityPal Concierge Service?

While SecurityPal Concierge is a fully managed end-to-end service for delivering completed questionnaires in any format, SecurityPal Copilot is an affordance for customers to self-serve small sets of questions. SecurityPal Copilot relies on a robust and accurate Knowledge Library, which the SecurityPal team manages by virtue of the SecurityPal Concierge Service.

2. How does SecurityPal Copilot use OpenAI?

SecurityPal Copilot uses OpenAI's API to generate answers to the questions it receives. When prompting the generative AI model, the following information is included in the content sent to OpenAI's API:

• the question,
• the company's name,
• select Knowledge Library sources relevant to the question, and
• any additional instruction provided.

3. Does OpenAI use the data we send to their API?

NO. Per the OpenAI terms of use, the content sent to their API is not used by OpenAI to develop or improve their services. 

From Section 3(c) of OpenAI's Terms of Use:

“We do not use Content that you provide to or receive from our API ("API Content") to develop or improve our Services.”

4. How much of your data is used by Open AI?

Every time Copilot is asked a question, the application generates a prompt using the question, a few relevant Q&A pairs (currently 4), and your company's name. This prompt forms the input to the API call to OpenAI. That API generates the answer (using that input prompt), which SecurityPal processes and then displays to the end user.

5. What data guarantees does SecurityPal provide when using Copilot regarding confidentiality, storing information, etc?

SecurityPal has reviewed a CAIQ provided by OpenAI as well as their SOC 2 Type 2 report. Open AI has sufficient controls in place and maintains the confidentiality of the data provided.

6. Does Open AI have access to our knowledge library?

No, Open AI does not have access to the full Knowledge Library. See the questions [How much of our data is used by Open AI?] for how each prompt uses a few Q&A pairs to generate an answer.

7. Who owns the generated content from the Copilot feature? Would Open AI make a claim to this information?

OpenAI does not own this data and cannot make a claim to it. See 3(a) of https://openai.com/policies/terms-of-use :

You may provide input to the Services (“Input”), and receive output generated and returned by the Services based on the Input (“Output”). Input and Output are collectively “Content.” As between the parties and to the extent permitted by applicable law, you own all Input. Subject to your compliance with these Terms, OpenAI hereby assigns to you all its rights, title, and interest in and to Output. This means you can use Content for any purpose, including commercial purposes such as sale or publication if you comply with these Terms.

8. Is the data stored in perpetuity in Open AI? Are the answers persistent?

Per Open AI’s CAIQ, they maintain data for 30 days: Prompt and completion data is by default retained for 30 days. SecurityPal can also process ad hoc deletion requests.

9. Is it possible to limit the copilot feature to certain roles within SecurityPal?

Currently, we allow all roles (Viewer, Editor, and Admin) the ability to use Copilot. This is consistent with how all roles are allowed to search and view the Knowledge Libraries.

10. The feature flag says "Your content is not used by Open AI to develop or improve their services" but is the data used by Open AI for any other reason?

To our knowledge, no. Open AI specifically also calls out not using this data for marketing purposes.

11. Can the Copilot feature pull data from the uploaded policy documents?

SecurityPal Copilot does not do this as of right now. This request is something that we are considering adding in the future.