YOUR DATA, OUR DUTY

Sub-processor Policy

Last updated: May 08, 2024

1. Introduction

This Sub-processor Policy delineates how Optave AI Solutions Inc. (“Optave”, “we”, “us”, “our”) conducts due diligence with regard to its Sub-processors in the delivery of its products and services. It provides insights into who these Sub-processors are, and elaborates on the rigorous measures we adopt to safeguard your data, ensuring its privacy and security.

2. What is a Sub-processor

A Sub-processor is a third-party data processor engaged by Optave, who receives Service Data (which may contain Personal Data) from Optave for Processing on behalf of our Clients and in accordance with our Subscribers’ instructions (as communicated by Optave) and the terms of its written subcontract. Optave engages different types of Sub-processors to perform various functions as explained in the tables below.

3. Due Dilligence

Optave undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed Sub-processors.

4. Contractual Safeguards

Optave generally requires its Sub-processors to sign a Data Processing Agreement (“DPA”) that is at least equivalent to the obligations as those required from Optave (as a Data Processor), including but not limited to the requirements to:

  • Process Personal Data in accordance with data controller’s (i.e., Client’s) documented instructions (as communicated in writing to the relevant Sub-processor by Optave);
  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Optave is contractually committed to adhere insofar as they are equally relevant to the Sub-processor’s Processing of Personal Data on Optave’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification Optave reserves the right to audit the Sub-processor;
  • Promptly inform Optave about any actual or potential security breach; 
  • Cooperate with Optave in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable

This policy does not give Optave’s Clients any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Optave’s engagement process for Sub-processors as well as to provide the actual list of third-party Sub-processors and content delivery networks used by Optave as of the date of this policy (which Optave may use in the delivery and support of its Services).

5. Process to Engage New Sub-processors

Optave will provide notice via this policy of updates to the list of Sub-processors that are utilized or which Optave proposes to utilize to deliver its Services. Optave undertakes to keep this list updated regularly to enable its Clients to stay informed of the scope of sub-processing associated with the Optave Services. 

An Optave Client may object in writing to the Processing of its Personal Data by a newly appointed Sub-processor within thirty (30) days following the update of this policy and such objection shall describe Client’s legitimate reason(s) for objection. If Client does not object during such time period, the new Sub-processor(s) shall be deemed accepted.

If a Client objects to the use of a newly appointed Sub-processor pursuant to the process provided under the DPA, Optave shall have the right to cure the objection through one of the following options (to be selected at Optave’s sole discretion) by either:

(a) instructing the Sub-processor to cease the Processing of Client’s Personal Data; or
(b) allowing Client to terminate any related services agreement with Optave immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided, but not yet received by Client as of the effective date of termination.

 

The following is an up-to-date list (as of the date of this policy) of the names, entity type, and locations of Optave Sub-processors:

6. Infrastructure Sub-processors – Service Data Storage and Processing

Optave owns or controls access to the infrastructure that Optave uses to host and Process Service Data submitted to the Services, other than as set forth herein. Currently, the Optave production systems used for hosting Service Data for the Services are located in the infrastructure Sub-processor listed below. Client accounts are typically established in one of these regions based on where the Client is located, but may be shifted among locations to ensure performance and availability of the Services. The following table describes the legal entity engaged by Optave in the storage of Service Data. Optave also uses additional services provided by this Sub-processor to Process Service Data as needed to provide the Services.

Entity Name Entity Type Data Hosting Location
Amazon Web Services, Inc.
Cloud Service Provider
United States
7. Service Sub-processors

Optave collaborates with certain third parties, referred to as Service Sub-processors, to deliver specific functionalities within our Services. These Service Sub-processors access and Process Service Data as necessary. Their use is comprehensive and applies to all services offered by Optave.

If a Client avails of any Optave service, such as the Optave Agent Assist or Recommendation Assistant, the Service Sub-processors engaged for these services adhere to the guidelines and obligations set forth in this policy. Definitions for the terms used to refer to the applicable services can be found in the Service-Specific Supplemental Terms. For reference, such definitions are as follows:

Entity Name Purpose and Data Processed Data Hosting Location
OpenAI, L.L.C.
OpenAI, L.L.C. (“OpenAI”) provides services to support generative artificial intelligence functionality within the Optave Services, including, but not limited to, automated summarization of conversations, sentiment analysis, risk checks, anonymization, text completion and other functionalities we refer as “Superpowers”. OpenAI Processes the Service Data contained within the content of Clients’ interactions and from different integrations related to our services, for example Support Agent interactions through CRM’s. This service is required for the usage of our Services.
No hosting of Service Data
Cohere Inc.
Cohere Inc. (“Cohere”) provides reranking services to enhance the order of retrieval results for Retrieval-Augmented Generation (RAG) within the Optave Services. This service fine-tunes the sequence of generated responses, ensuring that the most relevant and contextually appropriate suggestions are prioritized. Cohere processes the Service Data contained within the content of Clients’ interactions and from various integrations related to our services, such as communications managed through CRM systems. This specialized service is essential for optimizing the functionality and effectiveness of our Services.
No hosting of Service Data
Microsoft Azure
Microsoft Azure (“Azure”) hosts infrastructure services that facilitate the execution of OpenAI API calls within the Optave Services. This includes providing a secure and scalable environment for data processing and storage, which supports functionalities such as automated summarization, sentiment analysis, and other AI-driven tasks. Azure processes the Service Data contained within the content of Clients’ interactions and from various integrations related to our services, such as CRM systems. This hosting service is fundamental for the reliable and efficient use of our Services, ensuring high availability and robust performance.
No hosting of Service Data
Salesforce Inc.
Salesforce.com Inc. (“Salesforce”) provides a Customer Relationship Management (CRM) platform that integrates with the Optave Services to enhance client interaction management. This integration allows for seamless access and synchronization of client data, supporting functionalities such as customer support, sales tracking, and personalized client communications. Salesforce processes the Service Data contained within the interactions managed through its CRM, which is vital for the effective utilization and operational efficiency of our Services. This integration ensures that client data is effectively managed and utilized to optimize client engagement and service delivery.
No hosting of Service Data
8. Supplemental information for Korean Residents
Thirdy Party Details Purpose and Use Shared / Transferred Personal Data Retention Period
Amazon Web Services, Inc. / USA / AWS Korea Privacy Email: [email protected]
To provide, maintain, protect, and improve the cloud storage and computing services required for operating the customer support system, and to ensure the availability, integrity, and confidentiality of customer and user data. Also, to offer a robust infrastructure that facilitates efficient and scalable data processing, storage, and backup.
– Contact information, including email address, number, username. – User submitted content (to the extent that it contains personally identifiable attributes). – IP and/or browser/device data – Session data and online activity (such as content viewed, how you interacted with our website(s), pages visited, searches and/or reservations facilitated or made.
Personal data is held only for the period necessary for processing. It is deleted or anonymized afterward.
Microsoft Azure / USA / [email protected] / One Microsoft Way, Redmond, WA, United States.
To host infrastructure and services that support the execution of OpenAI’s API calls within Optave Services. Microsoft Azure provides a secure and scalable platform for storing and processing data, facilitating functionalities such as automated response generation, sentiment analysis, and other AI-driven operations. This robust infrastructure ensures high availability, performance, and reliability of the services, contributing to the efficient management of customer interactions.
Contact information, including email addresses and possibly phone numbers. User interaction data, including session data, activities on the platform such as responses generated, and usage patterns. User-submitted content, which may include personally identifiable information as part of the interactions processed through the AI services.
Personal data is held only for the period necessary for processing. It is deleted or anonymized afterward.
OpenAI OpCo, LLC / USA / [email protected] / 3180 18th Street, San Francisco, CA, United States.
To provide, maintain, and improve the generative AI services that facilitate customer support operations. It helps in the automated generation of responses, user engagement, and conversation analysis for improved service delivery. The data is also used for training and refining the AI model, improving its understanding of languages and the ability to generate appropriate responses.
– Contact information, including email address, number, username. – User submitted content (to the extent that it contains personally identifiable attributes). – Session data and online activity (such as content viewed, how you interacted with our website(s), pages visited, searches and/or reservations facilitated or made.
Personal data is held only for the period necessary for processing. It is deleted or anonymized afterward.
Cohere Inc. / Canada / [email protected] / 171 John Street, Suite 200, Toronto, ON Canada M5T 1X3
To enhance the relevance and accuracy of response generation within customer support services through advanced reranking technology. Cohere’s services assist in optimizing the order of suggested responses, improving the quality and contextuality of customer interactions. The data is additionally utilized for ongoing development and enhancement of the AI models, increasing their efficiency in processing and reranking responses.
Contact information, including email addresses and usernames. User-submitted content, particularly inputs that are processed to refine response ordering. Interaction data such as queries submitted, responses generated, and user feedback on the relevance and accuracy of the responses.
Personal data is held only for the period necessary for processing. It is deleted or anonymized afterward.