Skip to main content
🎉 Check out our latest April Release 🎉 Here

Search

Welcome to Whistic Support

Whistic AI & Security

  • Updated

How Whistic is leveraging and securing AI in our platform

Whistic has released AI-powered capabilities on top of AWS Bedrock framework to benefit companies automating third-party risk management as well as companies managing customer trust on Whistic. Capabilities Whistic employs include:

  • Text Comparison: Whistic currently has one call to Bedrock used to import custom questionnaires and parse the data for further processing in AWS Bedrock. 
  • All other AI features (Smart Search, Vendor Insights, SOC 2 Summary, etc.) leverage AWS Bedrock. Bedrock supports a variety of models by reputable developers (e.g., Anthropic, Cohere, Stability, Amazon, etc.) that leverage the AWS platform to keep all processing and storage under the same roof without sacrificing flexibility of performance or accuracy.

Whistic’s use case for Bedrock functionality is designed to power Whistic utilizing API integrations, rather than directly incorporating their products into ours. This allows us to disrupt the traditional workflows surrounding third-party risk management without having to accept compromises to our product functionality, or the privacy and security of the platform.

AI Security

At Whistic, we understand that there are a number of concerns related to the security and integrity of data consumed by AI models and systems. Maintaining the security and integrity of our customers’ data is mission critical. Adding AI to any product, like adding any additional functionality or service, increases the attack surface as well as adding complexity which can increase vulnerabilities. Whistic has added additional controls, testing and assurances in order to mitigate this risk. You can read more about these in our AI Security FAQ.

AI Security FAQ

We also know when it comes to AI there are lots of questions. If you have a question that isn’t addressed below, don’t hesitate to reach out to us at security@whistic.com.

  1. Does Whistic use Open AI in its features? 
    No, not currently. 

  2. Can I turn off AI data processing in my Whistic instance?
    Yes. We believe these features are the future of third-party risk management and customer trust, and will add significant value to your business. However, we also know there will be some customers who aren’t ready to adopt AI inside of Whistic just yet. As a result, AI capabilities in Whistic are individually configurable.

  3. Will my Whistic data or my vendors’ data be absorbed into AWS?
    Data submitted through Whistic’s AI features is not used to train the underlying models or improve AWS’s service offering.

  4. How do we know the Bedrock is secure?
    The AWS Bedrock undergoes annual third-party penetration testing, which identifies security weaknesses before they can be exploited by malicious actors. AWS is SOC 2 Type 2 certified and has demonstrated compliance with both CCPA and GDPR. We have completed a security  assessment to ensure we are confident of their security maturity and posture.

  5. Can you demonstrate that my data isn’t shared with AWS Bedrock or other customers?
    Whistic has been hosted in AWS from the start of our company, and we have maintained agreements with them throughout the duration of our relationship to ensure processing and storage are done in a manner consistent with our requirements. In other words, AWS does not use our data (or your data) for any other purpose than to host and deliver the Whistic application and power our AI features.
     
  6. How is my data protected in this new world?
    You can learn more about AWS Bedrock’s security here. In short, it is only usable with Transport Layer Security (TLS) or Encryption in Transit Active. Whistic always secures your data inside of our infrastructure using industry best practices for both data in transit (TLS 1.2) and data at rest (AES-256) configured within AWS.

  7. What about Data Privacy? How have you designed your capabilities to address data privacy regulations and concerns?
    Whistic is GDPR, CCPA, and CPRA-compliant based on our requirements under each standard. We are also SOC 2 Type 2 certified and have our ISO 27001 certification. Our use of AWS has been architected so that it does not affect our privacy posture and is in line with industry best practices.

  8. I heard that EU privacy lawyers are challenging ChatGPT’s compliance with GDPR regulations. Is that true and how does it impact Whistic?
    Some EU privacy lawyers are raising a challenge that ChatGPT breaches the rules of GDPR both in the way it consumes data and how it infers conclusions based on that data. This is not applicable to Whistic as we are not using ChatGPT in our product nor are we using this functionality or service via API.

  9. How sure are you of the accuracy of query responses?
    Whistic uses industry-standard similarity measures to maximize the accuracy of our matches.  As a result of this, we constantly monitor and adjust our match thresholds to ensure customers receive the best possible results. Ultimately, our users have the flexibility to accept or disregard the match results that are returned to them.

  10. Do you sell to or allow AWS to store or train their models on customer data?
    No. Whistic has active an Enterprise Agreement with AWS, which enforces customer data ownership (you continue to own your data) and restricts their access to any data we send them specifically for the purpose of powering our AI features. The models are not trained on customer data shared under Enterprise plans or via API, nor do they retain any rights to any data sent to them from the Whistic platform.

  11. If you don’t allow AWS Bedrock to train their models on my data, how are the models trained?
    Whistic does not train AI models using customer data as AWS Bedrock retains ownership and responsibility for the models we use to power our AI features, and we do not allow these providers to train using Whistic customer data. By gathering user feedback and with in-house testing, we tune prompts to more accurately interpret user requests and to improve the specificity of the responses.

  12. Is the Whistic AI model optimized through fine-tuning, adapter tuning, etc.
     (except prompt engineering)?
    Whistic relies on state-of-the-art models developed by industry leaders and hosted securely on AWS Bedrock, where we ensure that our customer’s data is secure and not used for unauthorized training. Our primary vector for improving AI responses involves upgrading our models as the industry improves and improving our prompts to increase the accuracy and specificity of responses. In the future, our approach could evolve to include fine-tuning or the like, but if that happens, it will continue to be limited by the bounds of our commitment to customer privacy and security.

  13. Do we need an updated NDA or contractual language to reflect our usage of Whistic’s AI features?
     This depends on your organization’s needs. The general answer is “No” since AI features, the data you process in those features, and the security measures we have in place for these features are commensurate with those in the overall Whistic platform agreement. If you wish to discuss supplementary documentation, please reach out to your CSM.

  14. We don’t have Whistic AI-enabled but are still seeing the option to Enable Smart Search and are still getting answers. Did Whistic enable AI on our account without permission?
     No. Some Whistic AI features, such as Smart Search, are supported by non-AI capabilities native to the Whistic platform. This allows users to ask questions and see related source documents without the use of AI and enables all Whistic users to improve their VRM processes without requiring AI processing. Users that have AI features enabled have a broader, more powerful, and more robust set of features available.

  15. Do the underlying LLMs have one or multiple instances when processing our data?
     Does the same instance that processes our data process other companies’ data too?
     No, each customer interaction with an LLM gets its own session, meaning while the same model is used for a given feature, separate instances are used to prevent the commingling of data and enforce data protection configurations.
  16. How can I assess Whistic’s and other vendors’ use of AI?
    Great question! Your needs are unique, and while there are no one-size-fits-all resources, Whistic has several questionnaires already built into our platform to help assess AI-related risks, including: 
    • CapAI Assessment
    • NIST AI Risk Management Framework (RMF)
    • ISO 23053
    • ISO 42001
  17. Our organization signed an NDA that restricts us from sharing our vendor’s SOC 2.
     Does that mean we can’t use Whistic to store or summarize that document?
     Whistic Terms of Service apply to the entire platform, including any new AI capabilities. It is highly unlikely that the use of Whistic AI features violates the terms of any NDAs, unless you agreed to specific clauses that prohibit the use of AI-supported software. We develop AI features with Privacy and Security in mind. We never share your data, your customers’ data, or your vendors' data with any parties for any reason other than to provide our services to you.

Product Descriptions

  1. Product Use Case
    Whistic facilitates risk assessments of third-party vendors. Customers can send and manage questionnaire requests to prospective vendors. They can add notes and contacts, assign risk ratings and process owners, and review documentation and certifications. Users of the Platform can complete questionnaires for their internal security programs and can keep these responses in reserve for their customers. Additionally, reports can be generated with configurable filters and downloaded to share with internal stakeholders and risk owners.

    Whistic enables companies to proactively engage potential customers. This is achieved by compiling completed questionnaires, audit and certification results, and other supporting documents and sharing them with prospective customers early in the sales process. Whistic customers can also create a non-disclosure agreement (NDA) and require recipients to accept the NDA in the Whistic Platform prior to accessing profile content.

    The Whistic Platform is a proprietary system that showcases participating companies to both buyers and sellers. Companies looking to assess companies and buy their services can access information about potential vendors in the Trust Catalog. They can conduct risk assessments, often without requiring correspondence with the vendor company. Companies selling their services may proactively add completed questionnaires, certifications, and documents to the Trust Catalog, which demonstrates their commitment to security prior to prospective customers formally requesting security documentation.
  2. Please describe the purpose of using AI / Generative AI as part of the use case (see above)
    Whistic AI assists in Third Party Risk Management (TPRM) processes by significantly reducing the time spent on manual tasks, such as:
      • Searching for answers to questions in security documentation
      • Answering security questionnaires
      • Summarizing lengthy documents (ie. SOC 2 reports) and extracting key details
      • Leveraging available documentation to quickly assess how closely a vendor aligns to a selected security framework, and automatically identifying areas of non-compliance or that need additional review
      • Auto-generating dynamic questionnaires to solicit the information that AI could not answer, reducing the time spent waiting for the vendor to answer lengthy security questionnaires and in back-and-forth exchanges
      • Searching for security answers simultaneously across a group of vendors

Acting as a copilot in the assessment process, Whistic AI provides additional tools that allow the user to inspect and audit the accuracy of the answers it provides, and to edit those answers if needed. These include:

      • A confidence score that indicates whether the available sources provide sufficient information to fully answer the question and whether any other factors (such as contradictory sources) should lower the user’s confidence in the answer
      • A detailed answer explanation of how AI arrived at the answer 
      • A prioritized list of the most relevant sources related to that question, and links so the user can easily navigate into the source documents to view the relevant information in context.
      • An editable history of questions asked and answers provided that can be used to help improve AI answers for your organization over time.

Related to