Trusst AI Resource Centre
  • πŸ‘‹Welcome to the Trusst AI Resource Center.
  • Overview
    • 🌏Why We're Here & What We Do
    • πŸ’‘Problem Statement
    • πŸ”‘Use Cases
    • ✨Capabilities
      • πŸ‘‚Lissten (transcribe & translate)
      • 🀝Trussted Agent (conversational AI)
      • 🌊AI Workflows (alerts, triggers, workflows)
      • πŸ‘€InteractIQ (AI powered Insights)
      • πŸ’¬DataDialog (conversational interface)
      • πŸ—ΊοΈTrusst Based Routing (AI powered Decision Engine)
    • πŸ’³Trusst AI Subscription Fees
  • Product Guides
    • πŸ› οΈDeployment Guide (Trusst AI on AWS)
    • πŸ“–User Guide
    • πŸ”‘Integrating Your Identity Provider
    • πŸ‘₯User Roles & Permissions
    • ♻️Suggested Iteration Cycle
    • ☁️Trusst AI Architecture
    • Network Considerations
    • πŸ”Data Security
    • πŸš΄β€β™‚οΈData Lifecycle Management
    • 🫢Advocating for Responsible AI
    • πŸ”§Testing, Troubleshooting & Health Check
    • Shared Responsibility Model
    • πŸ’Support
    • πŸ“ˆAI Model Training & Testing
    • ❓Frequently Asked Questions
Powered by GitBook
On this page
  • What data will be collected by Trusst AI?
  • How does Trusst AI manage/handle/store/process data?
  • Voice (audio):
  • Text:
  • Documents:
  • How does Trusst AI handle personally identifiable information (PII) or Payment Card Industry (PCI) data?
  • Where does Trusst AI process data?
  • Where will data be stored?
  • Will the Amazon S3 buckets be publicly accessible?
  • How is data secured at rest and in transit?
  • How long will data be stored?
  • How will it be removed?
  • Who will have access to data inputted/outputted into/from Trusst AI?
  • What is the recommended policy of least privilege for all access granted to the solution?
  • What is the purpose and location of each key the user is instructed to create?
  • How are stored secrets such as database credentials maintained in AWS Secrets Manager?
  1. Product Guides

Data Security

This page provides information on data security with the Trusst AI service.

PreviousNetwork ConsiderationsNextData Lifecycle Management

Last updated 9 days ago

What data will be collected by Trusst AI?

Refer to β€œβ€. Trusst AI does not have any access or visibility of your customers data, nor the data inputted/outputted to/from Trusst AI. Trusst AI is deployed into an AWS account owned and managed by you, the customer.

Trusst AI is designed to ingest and process conversational data to produce rich insights into customer engagement touch points. The format of this conversational data can be in the following formats:

  • Audio - streamed or batch ingestion of recordings of conversations, e.g. call recordings, meetings, etc.

  • Text - streamed or batch ingestion of transcripts of conversations, e.g. call transcripts, chat transcripts, bot-transcripts, social feeds, complaints, survey results (verbatim), customer profile data (CRM/CDP), emails etc.

  • Documents - batch ingestion of documents containing data about interactions with customers, e.g. mail, claims documents etc.

How does Trusst AI manage/handle/store/process data?

Dependent on the use case, Trusst AI processes conversational data in the following formats, each of which are handled accordingly:

Voice (audio):

  1. Trusst AI ingests raw audio feeds via real-time or batch process, e.g. , or from the audio source, e.g. CCaaS (contact center) platform or customer cloud storage platform.

  2. Audio is then transcribed/translated using (transcription/translation engine).

  3. Transcribed audio is then stored in (retention is managed by DynamoDB retention policy configured by the customer)

  4. Transcripts are then de-identified to remove personally identifiable information (PII) or Payment Card Industry Data (PCI).

  5. Redacted transcripts are then used during inference with Trusst AI’s large language models.

  6. Outputs are then stored in and databases and presented to users in the Trusst AI web interface (access controlled by Roles Based Access Control via and), e.g. Trusst AI β€œβ€, or β€œβ€ pages.

Text:

  1. Transcripts are then de-identified to remove personally identifiable information (PII) or Payment Card Industry Data (PCI).

  2. Transcripts are then used during inference with Trusst AI’s large language models.

Documents:

  1. Documents are processed by Trusst AI’s Optical Character Recognition capability to extract relevant context from the documentation.

  2. Context is then used during inference with Trusst AI’s large language models.

How does Trusst AI handle personally identifiable information (PII) or Payment Card Industry (PCI) data?

Before storing data, or processing data with Trusst AI’s large language models, data is de-identified to redact and remove personally identifiable information (PII) or Payment Card Industry (PCI) data.

Where does Trusst AI process data?

Trusst AI is deployed into the customer's AWS account which the customer uses to subscribe to Trusst AI. This is in the AWS region which the customer specifies during deployment. As a result, no data is exposed to any external parties the customer does not provide explicit access to (including Trusst AI). Trusst AI has no visibility or access to any data in the customer's AWS Account.

Where will data be stored?

Will the Amazon S3 buckets be publicly accessible?

No. The deployment of Trusst AI does not create any buckets that are required to be publicly accessible.

How is data secured at rest and in transit?

Stored inputs and outputs to/from Trusst AI are encrypted at rest and in transit.

How long will data be stored?

By default, inputs/outputs to/from Trusst AI are stored indefinitely in your AWS account, and protected by deletion protection. The retention period of stored inputs and outputs to/from Trusst AI can be controlled using configurable retention policies. These can be configured at an AWS account level that apply policies defined by your organization, or otherwise by using Trusst AI’s management interface, where you can specify how long you want to retain Trusst AI specific data.

How will it be removed?

Who will have access to data inputted/outputted into/from Trusst AI?

What is the recommended policy of least privilege for all access granted to the solution?

To optimally secure Trusst AI within your AWS environment, it is crucial to adhere to the principle of least privilege. This approach ensures that permissions are only granted where absolutely necessary, thus minimising potential security risks. Below, we outline the responsibilities and recommended strategies to implement this policy effectively.

Customer Responsibilities

As Trusst AI operates within your AWS account, you hold a pivotal role in enforcing security. It is essential to:

  • Audit Existing Policies: Regularly review and restrict IAM roles and permissions to what is necessary for users and services to perform their intended functions.

  • Secure Endpoints: Ensure that all endpoints interacting with Trusst AI are secured and that access controls are tightly managed.

  • Monitor Activity: Utilise AWS CloudTrail and other monitoring tools to keep a vigilant eye on operations involving Trusst AI, swiftly identifying and addressing any unusual or unauthorised activities.

Trusst AI Commitments

Trusst AI is dedicated to providing a robustly secure application. We take the following measures:

  • Secure Authentication Mechanisms: Trusst AI leverages AWS IAM and Amazon Cognito for authentication, rigorously following AWS best practices to safeguard these interactions.

  • Continuous Security Updates: Our team consistently updates the application to incorporate the latest security measures and respond to emerging threats.

By jointly focusing on these areas, we can ensure that Trusst AI operates securely within your infrastructure, protecting both your data and your operations from potential threats.

What is the purpose and location of each key the user is instructed to create?

How are stored secrets such as database credentials maintained in AWS Secrets Manager?

Here’s how Trusst AI utilises Secrets Manager to maintain and protect stored secrets like Redshift database credentials:

Secure Storage

AWS Secrets Manager encrypts the secrets at rest using encryption keys that you control through AWS Key Management Service (KMS). This means that only encrypted versions of your secrets are stored, safeguarding against unauthorised access.

Access Control

Access to the secrets is strictly controlled using AWS Identity and Access Management (IAM) policies. You can define who can retrieve or manage secrets, ensuring that only authorised applications and users have access.

Audit and Monitoring

AWS Secrets Manager integrates with AWS CloudTrail, which logs every request made to Secrets Manager, including requests to retrieve a secret. This allows you to audit access to your secrets and detect any potential misuse or unauthorised access.

Disaster Recovery

Secrets are replicated across multiple AWS regions when configured, providing redundancy and ensuring availability. You can recover these secrets if needed, contributing to robust disaster recovery practices.

Direct Integration

For operational efficiency, AWS Secrets Manager directly integrates with other AWS services. In the case of Trusst AI, the secrets stored for Redshift credentials can be seamlessly retrieved and used by AWS services that require database access, without exposing the credentials in application code or logs.

By utilising AWS Secrets Manager, Trusst AI ensures that your Redshift database credentials are managed securely, supporting both the integrity and confidentiality of your data.

Trusst AI ingests text transcripts (call transcripts, bot-transcripts, social feeds, complaints, survey results etc.) via real-time or batch process, e.g. , or from the text source, e.g. customer’s transcription engine or customer cloud storage platform.

Redacted transcripts are then stored in (retention is managed by DynamoDB retention policy configured by the customer)

Outputs are then stored in and databases and presented to users in the Trusst AI web interface (access controlled by Roles Based Access Control via and ), e.g. Trusst AI β€œβ€, or β€œβ€ pages.

Trusst AI ingests documents (claims, internal reports, meeting minutes etc.) via real-time or batch process, e.g. , or from the text source, e.g. customer’s experience management platform (Qualtrics/InMoment etc.) or customer cloud storage platform.

Context from the documents is then stored in (retention is managed by DynamoDB retention policy configured by the customer)

Outputs are then stored in and databases and presented to users in the Trusst AI web interface (access controlled by Roles Based Access Control via and ),e.g. Trusst AI β€œβ€, or β€œβ€ pages.

Outputs from Trusst AI are stored in and in the same customer owned AWS account and region which Trusst AI is deployed into.

Encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in .

Inputs/Outputs to/from Trusst AI can be removed by access controlled processes within your AWS account. Depending on which data you are looking to delete, e.g. data relating to an individual contact, or all data relating to all contacts, this data can be removed by deleting the individual items, or all items from their respective data stores in and , or deleting the entire application/stacks.

Access to Trusst AI inputs/outputs are controlled at two top levels, 1. Via at an AWS Account level, restricting access to the individual AWS components of the solution, 2. Via the Trusst AI Management interface, which restricts access via to create/read/update/delete specific functions using roles based access control.

Trusst AI leverages stringent rule packs within utility to enforce Trusst AI's compliance with best practices.

An up to date Threat Model which can be imported to is available on .

AWS Redshift Serverless credentials are created during the deployment via AWS CDK. These credentials are written to and used to query the database for analytics in Trusst AI user interface. These credentials are rotated by Secrets Manager every 30 days.

πŸ”
Where is Trusst AI deployed/located
Kinesis Video Stream
Amazon S3
Trusst Lissten
DynamoDB
Amazon DynamoDB
Amazon Redshift Serverless
Amazon Cognito
AWS IAM
InteractIQ
DataDialog
Kinesis Data Stream
Amazon S3
DynamoDB
Amazon DynamoDB
Amazon Redshift Serverless
Amazon Cognito
AWS IAM
InteractIQ
DataDialog
Kinesis Data Stream
Amazon S3
DynamoDB
Amazon DynamoDB
Amazon Redshift Serverless
Amazon Cognito
AWS IAM
InteractIQ
DataDialog
Amazon DynamoDB
Amazon Redshift Serverless
AWS Key Management Service (AWS KMS)
Amazon DynamoDB
Amazon Redshift Serverless
AWS CloudFormation
Amazon IAM
Amazon Cognito
cdk-nag
AWS Cloud Development Kit (AWS CDK)
https://awslabs.github.io/threat-composer/
request
AWS Secrets Manager