Human-First AI that gives you control.

We currently use three providers for our Gainsight AI features: IBM watsonx , Microsoft Azure for its GPT APIs, and Open AI.

• Prior to onboarding each of these vendors, our Privacy Team performed a thorough Data Protection Impact Assessment (DPIA) and our Security Team performed a thorough vendor security review as part of third-party risk management.
• Before implementation, subprocessor notices are sent to all of our customers providing them with an objection window. If a customer objects to the use of a vendor, we will use a different subprocessor or turn off the features that are dependent on that vendor from the backend. The only way to re-activate these features is for your Privacy/Legal Team to reach out to our Privacy Team.
• We ensure that our vendors are GDPR compliant, and your data is processed in accordance with GDPR. In alignment with GDPR, EU customers AI features will only be processed using Microsoft Azure and data will only be processed on EU servers.
• All data processed by any of these vendors will be subject to a data retention policy and your data is NOT stored outside of Gainsight. The abuse monitoring data retention policy within Microsoft Azure and OpenAI has been turned off for Gainsight.

• Our initial Security review includes a thorough understanding of the feature itself and how the Gainisght environment connects to the vendor AI ecosystem.
• Any new features built internally, and those for which we share the data with another provider, need to undergo security review and approval before going into production.
• All communication with our AI features is API-based communication, and our security team has performed all security checks as part of our API integration. Only whitelisted APIs will be able to communicate with AI vendors.
• Data encryption protocols are in place both for data at rest and in transit.
• Rigorous security reviews are done to ensure we have masking in place before sharing data with our vendors.
• All other security controls such as rate-limiting, monitoring for throttling and segmentation are included as part of our security measures.

• All AI features are currently turned off by default. Customer’s administrators must activate each feature before we process any data. This is our commitment to data security and transparency.
• Customer data will NOT be used to train any LLMs – either by Gainsight, or our vendors.
• Robust multi-tenancy systems in Gainsight extend to AI. Your data is never used outside of the context of your tenant, for any cross-customer use cases. If we were to do so in the future, explicit consent for participation would be required.
• All emails and phone numbers are masked before data is shared with any of our vendors.
• A DPIA is performed for each and every feature that we launch, to ensure that the data is completely secure.

• Can you please explain the exact personal data that will be processed?
  All these features will make use of a subset of the personal data stored within your Gainsight instance. Since Gainsight integrates with your CRM, this data can include names, job titles, and business contact information (such as physical addresses) of your customers and prospects. Additionally, it can include the names and titles of Gainsight users. It’s worth noting that email addresses and phone numbers are intentionally excluded from processing, as they are concealed or masked for privacy and security reasons. Additional data points may include contents of emails, customer notes and customer-level data from a client’s CRM.
• How will the data be used?
  All of our generative AI features will solely use your personal data to deliver the specific feature to you. This data is not shared with other clients or other vendors (like OpenAI), and we do not expect this data to be used to train any AI language models (if that changes then we would send out an additional notice to you).
• How do you prevent data leaks from one customer to another when getting an answer from the LLM?
  The model for the Generative AI features will only be run on Client’s data within a Client instance. No other Gainsight client will have access to Client’s data.
• Why are the AI feature toggles grayed out in my instance?
  You may not have the ability to turn the feature on from your instance if your privacy and/or legal team sent in an objection to our subprocessor notice. If you would like access, your privacy and/or legal team will need to rescind the objection by emailing privacy@gainsight.com, referring to the prior objection,  and specifically mentioning it is being rescinded.