Sub-Processor Notification – OpenAI
September 27, 2023
Update: Notification of new sub-processor
Dear Betterworks Customers and Partners,
In order to continue delivering the excellent service you have come to expect from using our application platform and services, we have decided to engage OpenAI, LLC as a sub-processor for opt-in services. We anticipate this engagement will commence October 18, 2023 (“Effective Date”).
Because this vendor may process your organization’s “personal data” (as defined under applicable data protection law (GDPR, CPRA, et al.)), and in connection with the services and products that Betterworks provides, this communication shall serve as notification that OpenAI will be added as a new sub-processor for opt-in services.
About OpenAI
OpenAI is widely recognized as one of the world’s leading artificial intelligence (AI) research and deployment companies, and their mission is to ensure that artificial general intelligence (AGI) benefits all of humanity. OpenAI provides generative learning models and is most known for their ChatGPT and API platforms. The provider is an American-based Software-as-a-Service (SaaS) cloud provider that is committed to building trust in OpenAI and their platforms by protecting customer data, models, and products. They have strategically established data centers throughout the United States. By engaging OpenAI, the following benefits are expected to be realized:
- Build interactive chatbots and virtual assistants
- Generate embeddings for text classification, search, and clustering
- Summarize, synthesize, and answer questions about large amounts of text
- Fine-tune and train on custom data to improve performance
For more information about the OpenAI product, please refer to: https://openai.com/.
For specific information about OpenAI security and compliance, please refer to: https://openai.com/security.
For detailed information about OpenAI privacy practices, please refer to: https://openai.com/policies/privacy-policy.
Our Engagement with OpenAI
Betterworks will be using OpenAI’s GPT-3.5 API platform to build interactive chatbots and virtual assistants in order to improve performance management experiences. The use of these services will be optional to US-based customers and are not required for the continued use of the Betterworks platform. OpenAI will have access to user content and text-based inquiries which may include personal data, only if opted-in. All information is considered confidential and will be maintained in accordance with the terms of our sub-processing agreement and our agreement with you.
Betterworks has undertaken appropriate due-diligence to ensure the processing of customer data aligns with Betterworks security and privacy requirements. Based on this review, Betterworks is satisfied that OpenAI can meet the obligations for the security of personal data and will abide by the following (in addition to all applicable legal requirements):
- Shall only process personal information in accordance with Betterworks instructions.
- Shall ensure that all personnel who access personal information are bound by confidentiality obligations.
- Shall conduct regular awareness and training in relation to data protection and information security.
- Shall implement and maintain appropriate technical and organizational measures.
- Shall promptly notify Betterworks of any suspected or confirmed security breaches.
- Shall cooperate fully with Betterworks in addressing requests from data subjects or supervisory authorities.
However, as it relates to “Privacy,” Betterworks cannot confirm compliance with applicable privacy laws and practices. OpenAI claims to have commitments to privacy, and while the company does provide a privacy policy on their website, compliance has not been validated. The provided SOC 2 report covers only the “Security” category of the AICPA Trusted Services Criteria (TSC). Evidence has not been provided that demonstrates the review or attestation by an external third-party auditor related to privacy compliance. FOR THIS REASON (AND BECAUSE THE SERVICES ARE OPT-IN), CUSTOMERS ARE CHOOSING TO USE THE OPENAI OPT-IN SERVICES AT THEIR OWN RISK.
Further Information
Betterworks does not require you to take any action pertaining to this notification. OpenAI is expected to provide data processing services as of the “Effective Date” mentioned above. Under our agreement with you, and in accordance with data protection law, you have the right to object to the use of any new sub-processor. However, you must do so within twenty-one (21) days of this notice.
*In the case of opt-in services, the right to object shall be considered “in effect” by the refusal to opt-in to services.
If you have any other questions, please reach out to us at security@betterworks.com and we will be glad to assist you with your request.