Ashby AI Features
AI Notetaker: Security FAQ
This guide contains frequently asked questions about the AI Notetaker, security, and compliance.

What AI models are used to support AI features?

We currently use OpenAI (via OpenAI's API) and Anthropic (via AWS Bedrock).

Is Ashby's AI Notetaker compliant with the GDPR?

Yes. Ashby ensures that its processing of the personal data of EU and UK residents is fully compliant with all applicable data protection laws, including the GDPR. In particular, Ashby enters into data processing agreements with customers processing the personal data of EU and UK residents that incorporate the Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to its Implementing Decision (EU) 2021/914 of 4 June 2021, including all modules governing controller-to-processor transfers of personal data. Further, Ashby has completed a Data Transfer Impact Assessment (DTIA) that assesses the laws and practices of the US that could impinge on the effectiveness of the SCCs as a transfer tool, consistent with the Schrems II ruling by the Court of Justice of the European Union. Ashby is certified, and maintains its certification, pursuant to the EU-US Data Privacy Framework (DPF), the UK Extension to the EU-US DPF, and the Swiss-US DPF. All transfers of personal data from the EU, UK or Switzerland are made pursuant to the DPF or the SCCs.

Will we need to update our privacy policy or notify candidates explicitly that AI is being used during interviews?

Customers should consult with their legal and privacy teams to determine their privacy policy, disclosure policy, and consent policy. Customers should consider in particular their obligations to disclose that interviews are being recorded, to obtain applicable consents (e.g., "two-party" consent requirements in the United States), and to honor opt-outs. In the EU, if candidates interact with an AI assistant, deployers may have transparency obligations under the EU AI Act. Ashby provides in-product consent messaging and logging to support these customer obligations.

Where are video/audio recordings and transcripts stored? Are they stored on your servers, with third-party providers, or on other infrastructure?

Recordings and meeting transcripts are stored on Ashby's servers in the United States. Recordings are also stored with a third-party service provider (which creates the original recording and transcript) for a short period of time so that Ashby has an opportunity to transfer the files to its own servers after they are created; these files are deleted from the third-party service provider within 7 days. For more details on our storage practices, please refer to https://trust.ashbyhq.com/, which includes a list of Ashby subprocessors.

Is there an option to automatically delete recordings after a certain period? Can we configure data retention policies ourselves?

Yes. Data retention settings for recordings can be configured directly within the application to conform to your organization's data retention requirements. Customers with the AI Notetaker add-on will be able to customize their data retention period for recordings. Customers should obtain their own legal advice to determine what data retention period should be used.

Who has access to the recordings and transcriptions?

By default, interviewers will be able to access their own recordings and transcripts for meetings in which they were scheduled to be a participant. In order to access recordings and transcripts of meetings in which a user was not a participant, the user would be required to have one of the following permissions:

1. the "Can see meeting recordings" permission stripe within the specific scope for a meeting (e.g., a specific job, department, or location), or
2. the "Admin Private" access role, which includes the "Can see meeting recordings" permission stripe.

Can Ashby staff or third-party vendors view recordings or transcripts?

Only Ashby staff who need access in order to provide support for and maintain the AI Notetaker have access to recordings or transcripts.

Has Ashby conducted a Data Protection Impact Assessment for this feature?

Yes; however, Ashby does not share DPIAs externally.

Is there a security whitepaper or DPA addendum specifically covering the AI Notetaker?

Ashby's DPA covers the AI Notetaker's recordings of interviews and preparation of related transcripts and summaries.

Can recordings be deleted upon request?

Yes. The option to delete a specific recording will be available to admin users within Ashby soon. In the interim, you can email support@ashbyhq.com with any data deletion requests; after verifying that the requester has adequate permissions, Ashby will execute the deletion on your behalf.

Do you share recordings with candidates upon request?

Ashby acts as a service provider/processor for its customers and does not proactively share candidate data with the candidate. If a data subject contacts Ashby directly, we refer them to the data controller.

Does the AI Notetaker meet ISO 27001, SOC 2 Type II, and other audit standards?

Ashby is audited annually in accordance with SOC 2 Type II standards. The latest reports, along with any bridge letters, can be accessed via https://trust.ashbyhq.com/.

How does Ashby comply with the EU AI Act and other AI-specific laws?

EU AI Act: While the EU AI Act classifies as "high risk" AI systems intended to be used for recruitment purposes (including to analyze and filter job applications and to evaluate candidates), the AI Notetaker falls within certain exceptions, including AI systems "intended to perform a narrow procedural task" or "intended to perform a preparatory task." Ashby will comply with the EU AI Act requirements that apply to all AI tools deployed in the EU market, including transparency and accountability requirements.

State/local laws: Certain US laws, such as NYC Local Law 144, may apply if the customer uses AI outputs to evaluate candidates or to substantially assist hiring decisions. These laws may trigger annual bias audit, public notice, and candidate disclosure obligations for the customer. The AI Notetaker does not trigger such obligations when used purely for recording, transcription, and summarization, but customers must assess how their own use may implicate such laws.