Data retention policy
Data is retained as per the Gainsight contract/service agreement. Upon termination of the Service Agreement, data is deleted 30 days after notification is sent and inactive status is set. A 90-day window is designated to account for any backup data retention. For AI features, OpenAI deletes the data once the query has been fulfilled (Zero Data Retention, or ZDR). After processing, the output is accessible only through the client's instance, meaning that only Client Customer Success Managers (CSMs) and Client console administrators can view the data. None of the client data (here, the Slack conversations) will be used to train the models.
Data archiving and removal policy
Data is retained as per the Gainsight contract/service agreement. Upon termination of the Service Agreement, data is deleted 30 days after notification is sent and inactive status is set. A 90-day window is designated to account for any backup data retention. We keep daily full backups for 7 days, and weekly full backups for a maximum of 4 weeks. Backups are encrypted with AES-256 encryption. All logs are available for 30 days in our log management tool, SumoLogic. Logs older than 30 days are archived in an S3 location and retained for one year. After one year, the logs are automatically purged.
Data storage policy
The Customer is in full control over what data comes into Gainsight. Common data sources include customer, contract, telemetry, support ticket, survey and contact data. For minimum functionality we need to pull data from the accounts, contacts, opportunities, and leads objects. Encryption-in-transit: HTTPS (TLS 1.2). Encryption-at-rest: AWS default, AES-256 bucket-level encryption applied for each file. Encryption-at-rest: PGP encryption, RSA-4096 applied for each file. The Gainsight CSM suite performs in-memory processing of data within Heroku, while data storage is handled in AWS. Common data types include NPI (Non-Public Information) and PII (Personally Identifiable Information). Note: Gainsight is currently HIPAA compliant; however, Gainsight does not require PHI. Gainsight does not accept PCI (Payment Card Information) or SPII (Sensitive Personally Identifiable Information).
Data center location(s)
United States
Data hosting details
There are two options through which clients can leverage AI features:
1. We have engaged an Enterprise host service offering with Microsoft that incorporates OpenAI models within the Azure environment. The models were developed by OpenAI but then licensed to Microsoft to run in the Microsoft environment.
2. We also contract directly with OpenAI. Under this option, all the Gainsight AI features process the data directly in the OpenAI environment, and once processed, the data is returned to the client instance, adhering to host (Zero Data Retention).
App/service has sub-processors
yes
Guidelines for sub-processors
App/service uses large language models (LLM)
yes
LLM model(s) used
GPT-4o, GPT-4 Turbo
LLM retention settings
We have enabled ZDR in OpenAI, where all the Gainsight AI features, once they process the data in the OpenAI environment, return the data to the client instance.
LLM data tenancy policy
The model for the Generative AI features used will only be run on Client’s data within a Client instance. No other Gainsight client will have access to another Client’s data. There will be no cross-tenant data transfer.
LLM data residency policy
OpenAI processes client data based on server capacity across its global infrastructure, meaning we cannot limit the locations where client data may be processed. We have also completed a Transfer Impact Assessment for non-EU locations. Will share upon req