Data Security
This page provides information on data security with the TrusstGPT service.
Last updated
This page provides information on data security with the TrusstGPT service.
Last updated
Refer to ββ. Trusst AI does not have any access or visibility of your customers data, nor the data inputted/outputted to/from TrusstGPT. TrusstGPT is deployed into an AWS account owned and managed by you, the customer.
TrusstGPT is designed to ingest and process conversational data to produce rich insights into customer engagement touch points. The format of this conversational data can be in the following formats:
Audio - streamed or batch ingestion of recordings of conversations, e.g. call recordings, meetings, etc.
Text - streamed or batch ingestion of transcripts of conversations, e.g. call transcripts, chat transcripts, bot-transcripts, social feeds, complaints, survey results (verbatim), customer profile data (CRM/CDP), emails etc.
Documents - batch ingestion of documents containing data about interactions with customers, e.g. mail, claims documents etc.
Dependent on the use case, TrusstGPT processes conversational data in the following formats, each of which are handled accordingly:
TrusstGPT ingests raw audio feeds via real-time or batch process, e.g. , or from the audio source, e.g. CCaaS (contact center) platform or customer cloud storage platform.
Audio is then transcribed/translated using (transcription/translation engine).
Transcribed audio is then stored in (retention is managed by DynamoDB retention policy configured by the customer)
Transcripts are then de-identified to remove personally identifiable information (PII) or Payment Card Industry Data (PCI).
Redacted transcripts are then used during inference with TrusstGPTβs large language models.
Outputs are then stored in and databases and presented to users in the TrusstGPT web interface (access controlled by Roles Based Access Control via and), e.g. TrusstGPT ββ, or ββ pages.
Transcripts are then de-identified to remove personally identifiable information (PII) or Payment Card Industry Data (PCI).
Transcripts are then used during inference with TrusstGPTβs large language models.
Documents are processed by TrusstGPTβs Optical Character Recognition capability to extract relevant context from the documentation.
Context is then used during inference with TrusstGPTβs large language models.
Before storing data, or processing data with TrusstGPTβs large language models, data is de-identified to redact and remove personally identifiable information (PII) or Payment Card Industry (PCI) data.
TrusstGPT is deployed into the customer's AWS account which the customer uses to subscribe to TrusstGPT. This is in the AWS region which the customer specifies during deployment. As a result, no data is exposed to any external parties the customer does not provide explicit access to (including Trusst AI). Trusst AI has no visibility or access to any data in the customer's AWS Account.
No. The deployment of TrusstGPT does not create any buckets that are required to be publicly accessible.
Stored inputs and outputs to/from TrusstGPT are encrypted at rest and in transit.
By default, inputs/outputs to/from TrusstGPT are stored indefinitely in your AWS account, and protected by deletion protection. The retention period of stored inputs and outputs to/from TrusstGPT can be controlled using configurable retention policies. These can be configured at an AWS account level that apply policies defined by your organization, or otherwise by using TrusstGPTβs management interface, where you can specify how long you want to retain TrusstGPT specific data.
To optimally secure TrusstGPT within your AWS environment, it is crucial to adhere to the principle of least privilege. This approach ensures that permissions are only granted where absolutely necessary, thus minimising potential security risks. Below, we outline the responsibilities and recommended strategies to implement this policy effectively.
As TrusstGPT operates within your AWS account, you hold a pivotal role in enforcing security. It is essential to:
Audit Existing Policies: Regularly review and restrict IAM roles and permissions to what is necessary for users and services to perform their intended functions.
Secure Endpoints: Ensure that all endpoints interacting with TrusstGPT are secured and that access controls are tightly managed.
Monitor Activity: Utilise AWS CloudTrail and other monitoring tools to keep a vigilant eye on operations involving TrusstGPT, swiftly identifying and addressing any unusual or unauthorised activities.
Trusst AI is dedicated to providing a robustly secure application. We take the following measures:
Secure Authentication Mechanisms: TrusstGPT leverages AWS IAM and Amazon Cognito for authentication, rigorously following AWS best practices to safeguard these interactions.
Continuous Security Updates: Our team consistently updates the application to incorporate the latest security measures and respond to emerging threats.
By jointly focusing on these areas, we can ensure that TrusstGPT operates securely within your infrastructure, protecting both your data and your operations from potential threats.
Hereβs how TrusstGPT utilises Secrets Manager to maintain and protect stored secrets like Redshift database credentials:
AWS Secrets Manager encrypts the secrets at rest using encryption keys that you control through AWS Key Management Service (KMS). This means that only encrypted versions of your secrets are stored, safeguarding against unauthorised access.
Access to the secrets is strictly controlled using AWS Identity and Access Management (IAM) policies. You can define who can retrieve or manage secrets, ensuring that only authorised applications and users have access.
AWS Secrets Manager integrates with AWS CloudTrail, which logs every request made to Secrets Manager, including requests to retrieve a secret. This allows you to audit access to your secrets and detect any potential misuse or unauthorised access.
Secrets are replicated across multiple AWS regions when configured, providing redundancy and ensuring availability. You can recover these secrets if needed, contributing to robust disaster recovery practices.
For operational efficiency, AWS Secrets Manager directly integrates with other AWS services. In the case of TrusstGPT, the secrets stored for Redshift credentials can be seamlessly retrieved and used by AWS services that require database access, without exposing the credentials in application code or logs.
By utilising AWS Secrets Manager, TrusstGPT ensures that your Redshift database credentials are managed securely, supporting both the integrity and confidentiality of your data.
TrusstGPT ingests text transcripts (call transcripts, bot-transcripts, social feeds, complaints, survey results etc.) via real-time or batch process, e.g. , or from the text source, e.g. customerβs transcription engine or customer cloud storage platform.
Redacted transcripts are then stored in (retention is managed by DynamoDB retention policy configured by the customer)
Outputs are then stored in and databases and presented to users in the TrusstGPT web interface (access controlled by Roles Based Access Control via and ), e.g. TrusstGPT ββ, or ββ pages.
TrusstGPT ingests documents (claims, internal reports, meeting minutes etc.) via real-time or batch process, e.g. , or from the text source, e.g. customerβs experience management platform (Qualtrics/InMoment etc.) or customer cloud storage platform.
Context from the documents is then stored in (retention is managed by DynamoDB retention policy configured by the customer)
Outputs are then stored in and databases and presented to users in the TrusstGPT web interface (access controlled by Roles Based Access Control via and ),e.g. TrusstGPT ββ, or ββ pages.
Outputs from TrusstGPT are stored in and in the same customer owned AWS account and region which TrusstGPT is deployed into.
Encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in .
Inputs/Outputs to/from TrusstGPT can be removed by access controlled processes within your AWS account. Depending on which data you are looking to delete, e.g. data relating to an individual contact, or all data relating to all contacts, this data can be removed by deleting the individual items, or all items from their respective data stores in and , or deleting the entire application/stacks.
Access to TrusstGPT inputs/outputs are controlled at two top levels, 1. Via at an AWS Account level, restricting access to the individual AWS components of the solution, 2. Via the TrusstGPT Management interface, which restricts access via to create/read/update/delete specific functions using roles based access control.
Trusst AI leverages stringent rule packs within utility to enforce TrusstGPT's compliance with best practices.
An up to date Threat Model which can be imported to is available on .
AWS Redshift Serverless credentials are created during the deployment via AWS CDK. These credentials are written to and used to query the database for analytics in TrusstGPT user interface. These credentials are rotated by Secrets Manager every 30 days.