EchoSpan AI Tools: Security and Privacy Overview
Product Guides for EchoSpan 360-Degree Feedback
EchoSpan's AI-enabled features (Insights Toolkit and InsightScout) are designed to seamlessly integrate with our existing secure, enterprise-grade architecture. They are implemented in a way that prioritizes data security, privacy, and compliance while delivering advanced functionality to our customers.
Below is an overview of how we implement AI within the platform, and the security and privacy controls in place.
How AI is implemented in the EchoSpan platform
- EchoSpan's AI tools are fully embedded into the EchoSpan platform. Customers do not interact with a separate or third-party portal; all AI features are accessed securely through the same authenticated interface used for the core EchoSpan services.
- AI functionality (e.g., feedback writing assistant, performance journal summaries) is powered by secure, server-side API calls to a trusted AI service provider (currently OpenAI).
- Data transmitted to the AI provider is limited to the minimum necessary context to fulfill the specific function requested (e.g., text of feedback comments to improve or summarize).
- The platform maintains all standard session controls, role-based access, and audit logging when AI features are used.
Security & privacy controls
We adhere to industry best practices for data security and privacy, including the following specific measures for our AI components:
- Data minimization: Only the specific text inputs necessary to generate the AI output are transmitted to the AI service. No user account credentials, PII beyond what is provided in the input text, or broader dataset contents are sent.
- Storage limitation: Data sent to the AI provider is not stored by them beyond what is required to generate the response. EchoSpan does not use the AI provider's data storage or training features. Inputs and outputs are retained only within the EchoSpan application according to the customer's normal retention settings.
- No model training on customer data: EchoSpan's implementation explicitly opts out of having customer data used by the AI provider to train or improve their models.
- Encryption: All data transmitted between EchoSpan and the AI provider is encrypted in transit using TLS 1.2+.
- Access controls: Only authenticated, authorized users within your EchoSpan account can invoke AI features. AI functionality is scoped to your own account's data and cannot access data outside of your account.
Documentation & ongoing oversight
We can provide client IT teams with more formalized security documentation upon request, summarizing EchoSpan's overall platform security posture and AI-specific controls. Please let us know if your IT team has additional detailed questions or requires assistance completing a security questionnaire.
For further reference, EchoSpan maintains compliance with leading data privacy regulations, including GDPR and CCPA, and our network systems operate in accordance with SOC 2 principles.