Handling sensitive information
Many applications built on AI21 need to handle sensitive user information, such as names, email addresses, passwords, bank account numbers, and health information. However, you should take special care to understand what types of sensitive information can or should not be passed into AI21 endpoints. AI21 makes a best effort to protect data, but information passed into our endpoints may be used for debugging or model improvements.
Here's how to handle some different categories of user information:
- Personally identifiable information (PII): This includes information such as names, addresses, or social security numbers that can positively identify a person. Consider when you might need to redact this information before sending into an endpoint. In some cases sending PII to our endpoints might not be a problem, but if you are implementing a service that a given user might not want to be associated with (for example, a drug treatment chatbot), you should redact any PII from your API calls, because the app name is retained along with the data sent in to the API.
- Sensitive personal information (SPI): This includes information such as credit card numbers, passwords, and bank account numbers. SPI should never be passed into AI21 endpoints; instead, collect and use that information in a separate, secure channel (such as a dedicated secure form) rather than asking a chatbot to parse it out of a conversation.
- Confidential information: This includes information such as personal health conditions or non-public legal history. This information can be sent to an endpoint when it can't be associated with a specific person; for example, within a health insurance that determines whether a specific procedure is covered or not, based on the health insurer's policies. In such a case, you can pass the details to the API, but be sure to omit any PII that can tie a specific case to a specific person.
There are many categories of sensitive information and many laws out there governing how you must handle it, such as the California Consumer Privacy Act and the GDPR (in Europe). Please take the time to understand the different categories of sensitive information on your own system and how to protect your system and your customers.
Updated 5 months ago