KnowledgeBot: Compliance and Security Overview
At Brain-Bridges, we prioritize regulatory compliance and data security for our clients. KnowledgeBot is a robust AI-powered assistant designed to work within your secure, on-premises environment, ensuring alignment with key EU and US regulations and industry standards. Here’s how KnowledgeBot supports your organization’s compliance and security needs.
EU Compliance
General Data Protection Regulation (GDPR)
KnowledgeBot is GDPR-compliant by design, integrating directly with your company’s data processing policies and existing infrastructure. Since it operates entirely within your internal network, KnowledgeBot minimizes data exposure by exclusively referencing data stored within your company’s shared drives.
GDPR Compliance Highlights:
- Data Minimization and Retention: KnowledgeBot does not store data directly. Instead, it references data stored in your company’s systems, and any embeddings generated within KnowledgeBot’s vector database are automatically removed if the corresponding documentation is deleted. This approach ensures that KnowledgeBot complies with your organization’s data minimization and retention policies.
- Data Subject Rights: Administrators have full control over data removal from KnowledgeBot’s retrieval-augmented generation (RAG) database. While KnowledgeBot’s LLM remains static (untrained by user interactions), this database management aligns with GDPR rights related to access, deletion, and correction.
- Internal Monitoring and Auditing: The application logs database changes for transparency and supports auditing requirements, with advanced logging features on the roadmap to provide even more detailed tracking capabilities.
EU Artificial Intelligence Act
KnowledgeBot’s design also aligns with the EU AI Act’s focus on transparency and fairness, ensuring users understand and can verify the origins of KnowledgeBot’s responses. As a non-agentic assistant, KnowledgeBot empowers users to access data and citations, while final decisions rest with the user.
AI Act Compliance Highlights:
- Bias and Fairness: Organizations can configure KnowledgeBot’s system prompts in line with their specific policies on bias and fairness. As a non-decision-making assistant, KnowledgeBot avoids high-risk categorization under the AI Act and leaves decision-making authority to users.
- Documentation and Transparency: KnowledgeBot leverages open-source LLMs, such as those from Ollama, which are fully documented and accessible to administrators. Technical documentation on KnowledgeBot’s integration with LLMs and the RAG system is also provided to administrators, ensuring transparency and accountability.
ePrivacy Regulation
Although the ePrivacy Regulation is still under development, KnowledgeBot’s local processing infrastructure respects the confidentiality of company communications, fully contained within your internal network. KnowledgeBot’s setup avoids external data transmission, making it highly secure and compatible with evolving privacy requirements.
US Compliance
California Consumer Privacy Act (CCPA / CPRA)
KnowledgeBot adheres to CCPA and CPRA guidelines by prioritizing data security and user privacy within a local setup. Since KnowledgeBot does not transmit or store personal information outside the company’s network, it significantly reduces compliance risks associated with data sharing.
CCPA/CPRA Compliance Highlights:
- Data Control: Administrators can remove data references as needed, ensuring full control over data persistence. KnowledgeBot’s optional “Feedback Loop” allows users to contribute feedback while providing them with the ability to delete recorded interactions if desired.
- Optional Feedback Loop and Usage Tracking: KnowledgeBot’s feedback tracking is entirely opt-in, and generic usage data may be recorded for reporting purposes. Planned updates will enable users to delete individual chat records, enhancing data control.
FTC AI Guidelines
KnowledgeBot’s design aligns with FTC guidelines on fairness, transparency, and accountability. By utilizing Retrieval-Augmented Generation (RAG) technology, KnowledgeBot provides clear citations for all responses, promoting transparency and traceability.
FTC Compliance Highlights:
- Non-Agentic Assistant: KnowledgeBot is a supportive tool that facilitates access to information and data; it doesn’t make decisions or recommendations, reinforcing user autonomy.
- Bias and Fairness in System Configuration: KnowledgeBot’s system prompt can be customized to reflect your company’s policies on bias and fairness. Additionally, KnowledgeBot encourages users to verify its responses through citations.
Industry Standards
ISO/IEC 27001: Information Security Management
KnowledgeBot is hosted within your company’s secure network, providing strong alignment with ISO 27001 standards for information security management. This locally hosted environment significantly reduces the risks associated with unauthorized data access or external threats.
ISO 27001 Compliance Highlights:
- User Authentication and Access Control: KnowledgeBot requires a username and password for login, with role-based access controls (RBAC) restricting data visibility according to user permissions. Single sign-on (SSO) and multi-factor authentication (MFA) are on our roadmap to provide enhanced access control options.
- Incident Response Support: While incident response is primarily the responsibility of your organization, Brain-Bridges offers technical support for responding to unauthorized access or breaches, providing expert guidance as needed.
ISO/IEC 27701: Privacy Information Management
KnowledgeBot’s approach to privacy management is aligned with ISO 27701 standards. The system respects company-level privacy and data retention policies, storing only vectorized references to data rather than raw information. Future roadmap features, such as the “Anonymizer,” will provide users with additional privacy controls.
ISO 27701 Compliance Highlights:
- Data Anonymization: An upcoming feature, the Anonymizer, will allow KnowledgeBot to automatically redact personally identifiable information (PII) from interactions, such as emails or chat logs, to produce anonymized documentation.
- Data Retention Management: KnowledgeBot does not store user data independently but relies on your company’s data retention policies. Embeddings are deleted alongside corresponding documents, ensuring compliance with data minimization principles.
TISAX: Trusted Information Security Assessment Exchange
KnowledgeBot’s design meets the specific security requirements outlined in the TISAX standard, making it suitable for companies in the automotive industry and its supply chain that need TISAX compliance. TISAX emphasizes industry-specific data protection and integrity measures beyond those in ISO 27001.
TISAX Compliance Highlights:
- Data Security and Access Control: TISAX requires strict data protection and integrity protocols. KnowledgeBot supports these standards through strong user access controls, role-based permissions, and secure data reference management.
- Documentation and Traceability: KnowledgeBot logs data access activities and can align with TISAX’s detailed reporting and auditing requirements, ensuring companies can meet TISAX standards for information security within their networks.
SOC 2: System and Organization Controls
KnowledgeBot’s secure, on-premises infrastructure aligns with SOC 2 requirements, supporting your organization’s efforts to ensure security, availability, and confidentiality. Since KnowledgeBot is hosted on your infrastructure, uptime and availability commitments align with your internal policies.
SOC 2 Compliance Highlights:
- Data Integrity and Reliability: KnowledgeBot leverages PostgreSQL with automated integrity checks to prevent data corruption and ensure reliable performance. PostgreSQL’s native capabilities provide a solid foundation for data consistency and operational continuity.
- Uptime and Availability: As KnowledgeBot is an on-premises solution, uptime is managed by your infrastructure team. Brain-Bridges provides full technical support to help ensure your organization’s infrastructure is optimized for consistent KnowledgeBot performance.
Enhanced Privacy and Transparency
KnowledgeBot leverages the power of Retrieval-Augmented Generation (RAG) to provide clear, verifiable citations, promoting transparency and traceability. As a non-agentic AI assistant, KnowledgeBot respects user autonomy and allows for easy verification of all data references, fostering informed decision-making. Future roadmap features, including advanced logging and the Anonymizer, will continue to enhance privacy, security, and accountability.
For more information on how KnowledgeBot supports regulatory compliance and industry standards, contact us to discuss how we can tailor KnowledgeBot to your company’s unique requirements.