March 28, 2024

Your data, your control: Vanta’s AI commitments to customers

Written by Jadee Hanson (CISO) and Jeremy Epling (Chief Product Officer)

Summary: Vanta does not train AI models on customer data. We inform our customers the first time we’re about to leverage AI to deliver a product feature in Vanta. You can manage your AI settings at app.vanta.com/settings.

Vanta is built on the foundation of trust. Our mission is to secure the internet and protect consumer data, and our ambitions in a world of AI are no different. Our commitment to the safe and responsible use of AI within Vanta guides our roadmap and frameworks, with privacy, security, transparency, and accuracy at the core of our work. 

Since we announced Vanta AI in October 2023, security teams of all sizes have begun to use it to accelerate their security and compliance workflows. One Vanta customer was able to reduce the time they spent completing vendor security reviews by 75% using Vanta AI. Tasks that were previously impossible to automate can now be performed reliably in minutes, enabling security and compliance teams to prove trust and manage risk more efficiently and confidently than ever before. Many of our customers are just starting to uncover all the possibilities afforded by AI. 

While we've already seen success from our customers, we know the future of AI is far from set. Regardless of where AI takes us, our approach to ethical and safe AI practices remains unchanged. To build upon Vanta's AI principles, this post outlines the steps we're taking to safeguard customer data, define data sharing models, and ensure customers have control over their data.

Our approach

Vanta does not train AI models on your data. This means we do not use customer data to train AI models to make decisions or predictions. To ensure our AI products are useful and working as intended, we regularly monitor their usage and outputs, as we do with all Vanta products.

Looking under the hood, Vanta AI uses a combination of self-hosted models as well as those available from industry-leading third-party platforms. Vanta uses secure APIs to communicate with these platforms and maintains a formal Data Processing Agreement (DPA) with each, which provides that they will not train their models on any data Vanta shares with them. 

Your data, your control

To ensure our customers have a choice in how AI is used in our products, Vanta AI operates in an informed consent model. We inform you the first time we're about to leverage AI to deliver a product feature and give you the opportunity to disable AI features product-wide in your instance of Vanta. This means you are in control of how you leverage AI in the product. 

Should you choose to disable all AI features in your Vanta instance, your data will not be used as part of any Vanta AI feature, nor will it be passed through to any of the third-party AI platforms we rely on. This setting can be accessed at any time in Vanta by navigating to Settings > Advanced, where you can directly enable or disable Vanta AI globally in your Vanta environment.

Our goal is to help customers leverage AI to increase productivity and transform the way you run an end-to-end trust management program. At the same time, you’ll have control of your data and choice of how you use AI features in our product so you can adopt an AI strategy with Vanta that matches your own. 

Our commitments

Vanta keeps you in control of how your data are used for AI systems. Vanta does not train models on customer data today. Should this change, we will provide our customers with advance notice so that you can stay in control of how your information is used. In addition, if Vanta incorporates other third-party models in the future, we will always require a formal DPA that stipulates no customer data will ever be used to train their models.

Vanta commits to leading by example on AI security and compliance. At Vanta, we’re customer zero of our own AI systems. Our teams leverage our AI features in their day-to-day work so that we can supplement our customer feedback with our own internal feedback. This means faster iterations and higher quality AI products into the hands of our customers. Vanta’s Security team has ISO 42001 on our internal 2024 compliance roadmap, and we’re using our own ISO 42001 solution — released today — to prepare for certification. In addition, we’ve integrated best practices from the NIST AI RMF where applicable, and we’re monitoring the EU AI Act and expect to follow its requirements upon release. 

We’re committed to continuing the safe and effective deployment of AI within Vanta—and to ensuring that Vanta AI is developed with trust and responsibility at its core to benefit Vanta and our customers.
