Commercial Data Protection in Wald.ai

When organizations and their employees use generative AI services, it is important to understand how those services handle user and chat data. Because employee chats may contain sensitive data, Wald is specifically engineered to safeguard that information, as outlined below:

Wald protects enterprises from leaking sensitive information to public AI assistants.


1. Authentication and Access Control:
  • Wald uses the company's single sign-on (SSO) for authentication, so access is possible only through users' work accounts.
  • Tenant and user identity information is tokenized at the start of a chat session and is used solely to verify that the user is eligible to access Wald. Search queries triggered by prompts are not linked to users or organizations.

2. Data Retention Practices:
  • Wald does not retain the prompts or responses exchanged between users and AI assistants beyond a brief runtime cache. When the browser is closed, the chat topic is reset, or the session times out, Wald discards all cached prompts and responses.
  • The sanitized prompts that are sent to the public AI assistant, which carry no enterprise or user identifiers and no sensitive data, are retained by Wald for a period determined by the enterprise so that Wald can perform quality review.

3. Encryption Measures:

Wald.ai does not have access to any enterprise- or user-specific data.

  • User Level: The user's chat history in session memory, and the redacted content held for reinsertion into the output, are kept encrypted with a key controlled only by the individual user. Without the user's involvement, nobody can access this content, even if it leaks through a vulnerability in Wald's servers.
  • Admin Level: Prompt and log storage for the approval workflow, and optionally for any compliance needs, is kept encrypted with a key controlled only by admins of the customer enterprise. Wald's own admins and employees do not have access to this key, and therefore cannot read the data encrypted with it.
  • Enterprise Level: Any company-specific private content that should be accessible only to employees of that company is kept encrypted with an enterprise-specific key. This keeps all enterprise data inaccessible to anybody outside the enterprise and isolated from the data of Wald's other enterprise customers.
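As an added illustration of the flow described in sections 1 to 3 above, and not Wald's own code, the following Python sketch shows one way such a pipeline can be built: tenant and user identity is tokenized per session, sensitive spans are replaced with placeholders before the prompt leaves the organization, the placeholder mapping is sealed under a secret that only the user holds, and the original values are put back into the assistant's response on the user's side. The detection rules, the sample prompt, and the HMAC-based encrypt-then-MAC construction (a stdlib-only stand-in for an AEAD such as AES-GCM) are assumptions made for this example.

```python
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample prompt: every identifier in it is made up for this example.
SAMPLE_PROMPT = (
    "Draft a reply to jane.doe@example-corp.com about invoice ACC-48213991 "
    "for Project Bluefin; her phone is +1-555-0142."
)

# Hypothetical detection rules (placeholder label -> pattern); not Wald's ruleset.
RULES = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ACCOUNT": re.compile(r"\bACC-\d{8}\b"),
    "PHONE": re.compile(r"\+\d[\d-]{7,}\d"),
    "PROJECT": re.compile(r"\bProject [A-Z][a-z]+\b"),
}


def identity_token(tenant: str, user: str, session_key: bytes) -> str:
    """Opaque per-session token standing in for tenant/user identity.

    Keyed with a random per-session key, so it can prove eligibility for this
    session but cannot be linked back to the tenant or user from the request.
    """
    return hmac.new(session_key, f"{tenant}|{user}".encode(), hashlib.sha256).hexdigest()


def redact(prompt: str, rules=RULES):
    """Replace each sensitive span with a numbered placeholder.

    Returns (sanitized_prompt, mapping). Only the sanitized prompt may leave the
    organization boundary; the mapping (placeholder -> original) must not.
    """
    mapping = {}
    sanitized = prompt
    for label, pattern in rules.items():
        for n, original in enumerate(pattern.findall(sanitized), start=1):
            placeholder = f"[{label}_{n}]"
            mapping[placeholder] = original
            sanitized = sanitized.replace(original, placeholder, 1)
    return sanitized, mapping


def _derive(user_secret: bytes, purpose: bytes) -> bytes:
    """Domain-separated subkey derived from the user-held secret."""
    return hmac.new(user_secret, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(mapping: dict, user_secret: bytes) -> bytes:
    """Encrypt-then-MAC the redaction mapping under the user's secret.

    The server may hold this blob; nobody without user_secret can open it.
    """
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(mapping, sort_keys=True).encode()
    stream = _keystream(_derive(user_secret, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_derive(user_secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(blob: bytes, user_secret: bytes) -> dict:
    """Verify the tag first, then decrypt; a wrong key or tampering raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(user_secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered vault")
    stream = _keystream(_derive(user_secret, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def rehydrate(response: str, mapping: dict) -> str:
    """Put the original values back into the assistant's response, on the user's side."""
    for placeholder, original in mapping.items():
        response = response.replace(placeholder, original)
    return response


def run_session(prompt: str, user_secret: bytes, assistant):
    """End-to-end flow: redact, seal the mapping, send only sanitized text, rehydrate.

    `assistant` is any callable str -> str standing in for the public model.
    """
    sanitized, mapping = redact(prompt)
    vault = seal(mapping, user_secret)  # the only server-side artefact
    del mapping                         # no plaintext mapping persists
    answer = assistant(sanitized)       # only placeholders go out
    return sanitized, rehydrate(answer, unseal(vault, user_secret))


if __name__ == "__main__":
    fake_assistant = lambda p: "Reply sent to [EMAIL_1] regarding [ACCOUNT_1]."
    print(run_session(SAMPLE_PROMPT, secrets.token_bytes(32), fake_assistant))
```

The property to check in any design of this shape is that the sealed mapping is the only thing linking placeholders back to real values: the outbound prompt, the assistant's response, and any quality-review copy of the sanitized prompt contain placeholders only, and the mapping can be opened solely by a party holding the user secret. A wrong key fails closed on the tag check rather than yielding garbage, and discarding the vault at session end is what makes the retention promise in section 2 enforceable.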

4. Organizational Data Usage:
  • Wald relies solely on data returned by public AI assistants and has no access to organizational resources or content within the enterprise.
  • Wald may use public information from the organization's website, or information the enterprise provides to Wald directly, to associate products and brands with the organization for inference purposes.

5. Wald as the Data Controller:
  • Wald acts as the data controller for enterprises. Data leaves the organization boundary only in encrypted form, and Wald discards it after a short caching period used for runtime purposes.

6. Security Measures:

Wald shall maintain appropriate administrative, physical and technical safeguards for the security, confidentiality and integrity of user data to protect against security incidents. Wald may review and update its security measures from time to time, provided that any such updates will not materially diminish the overall security of the Services during the Customer's then current subscription period.


7. Security Incident Communications:

Wald shall provide Customer timely information about the Security Incident, including, to the extent available, the nature and consequences of the Security Incident, the measures taken and/or proposed by Wald to mitigate or contain the Security Incident, the status of Wald's investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Wald personnel may not have visibility to the content of user data, Wald may not be able to provide information as to the particular nature of the data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of Wald with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Wald of any fault or liability with respect to the Security Incident.


8. Customer Audit Rights:

Audits shall be available to Customer (i) upon Wald's notice to Customer of a Security Incident, (ii) as required by a supervisory authority under applicable Data Protection Laws, or (iii) if neither (i) nor (ii) above applies, then no more than once annually. Upon receipt of a written audit request, Wald shall provide Customer, the requesting supervisory authority, or Customer's appropriately qualified third-party representative (collectively, "Auditor") access to its Reports, books, and/or records. If the requested audit is in response to Wald's notice of a Security Incident or a request made by a supervisory authority, then Wald shall permit the scope of the audit to include onsite access at Wald's offices if necessary to demonstrate Wald's compliance with its obligations under this DPA.

Audits shall be performed upon a minimum of 30 days advance written notice and in a manner that is least disruptive to Wald employees, operations, and the delivery of Services to customers. Wald and Customer shall mutually determine in advance the details of the audit, including reasonable start date, scope, duration, security and confidentiality controls applicable to the audit. Auditor costs and expenses in connection with any audit shall be borne exclusively by the Customer.

The Reports, audit, and any information arising from any audit are deemed to be Wald's confidential information. An Auditor may be required to execute a separate confidentiality agreement with Wald prior to any review of Reports or an audit of Wald.


9. Return or Deletion of Data:

Customers may retrieve or delete all user data stored by Wald upon expiration or termination of the contract. Any data not deleted by Customer shall be deleted by Wald promptly upon the later of (i) 90 days after expiration or termination of the Agreement and (ii) expiration of any post-termination "retrieval period" set forth in the Agreement. Notwithstanding the foregoing, Wald shall not be required to delete user data to the extent Wald is required by applicable law or by order of a governmental or regulatory body to retain the data. Where Wald is required to retain data as set forth in the preceding sentence, Wald will notify Customer of such requirement, to the extent legally permitted.

This strategy underscores our commitment to providing a secure and privacy-conscious environment for organizations leveraging Wald.