Trust at Moveworks

At Moveworks, we understand the importance of building trust in conversational AI, which is why we have made it a priority to create solutions that are reliable, secure, and compliant.

In this page, we will share our approach to building trust in our conversational AI solutions, including our commitment to security, data handling, privacy, and compliance. We are dedicated to providing our customers with the confidence they need to fully leverage the power of conversational AI in their operations.

Security

We understand that building trust in conversational AI technology requires a comprehensive approach to security. To ensure the trustworthiness of our solutions, we implement rigorous security measures throughout the entire product development lifecycle. This includes application security reviews, scanning capabilities (integrated in our CI/CD pipeline), penetration testing, red team exercises, bug bounty program, and as well as security operations capabilities.

When creating Paths, Queries, or Events with Creator Studio, users will set up connections with third-party enterprise applications. As such, We recommends the following considerations to ensure secure deployment -

1. Third-party system access controls: To ensure that only authorized users can access information when integrating Moveworks with a third-party system, users must utilize the access control capabilities provided by it. Access controls and rules should be configured within the third-party system. For example, review setup documents for Workday.

2. Third-party access scope: The third party system should provide the right level of access scope to the service, such that the bot is only allowed to perform intended operations and no more. We recommend choosing the JSON Web Tokens (JWT) or OAuth2 authentication mechanism for the integrations. Review User-Level Access Controls for further details.

3. Ingesting sensitive content: We process user requests and logs the utterances to support dashboard analytics and troubleshooting. If sensitive data is inadvertently entered, it may be logged in Moveworks’ systems, although personally identifiable information (PII) is masked in the requests.

Access Control

Our internal access controls and policies are implemented based on Role-Based Access Control (RBAC), the principle of least privilege, and the need-to-know basis, enabling us to provide restricted access to resources based on the user's job role and responsibilities.

Credential Management

To integrate Creator Studio with third-party services, users must upload credentials to Moveworks which are safeguarded in AWS Secrets Manager.

Data Handling

We understand the importance of data protection and privacy, and we are committed to safeguarding our users' data. We encrypt the data both at rest and in-transit as well as maintain strict access control mechanisms to ensure that user data is processed and stored securely. We also adhere to applicable data protection regulations (see Compliance section below), and our policies and practices ensure that we collect only necessary data for our machine learning systems to function.

When interacting with Moveworks, users have two options for configuring their Paths, Queries, or Events -

  1. Surface a link to an external system in a response, redirecting the user out of the chat window to the third-party application.
  2. Respond with relevant data embedded in the chat response.

Data Encryption

We use AWS S3 buckets as the main customer data store. Dedicated buckets are allocated for each customer and encrypted with unique encryption keys per-customer generated via AWS KMS service. Additionally, data is cached in different databases to facilitate processing by various services. All data is encrypted at rest using AES 256.

Data Residency

Customer data resides in its own region (US, EU or GovCloud) and it does not get transferred. Moveworks AWS infrastructure regions and respective implementations are listed below -

Moveworks AWS infrastructure regions and respective implementations table

Privacy

The privacy of customers and their employees is of utmost importance to Moveworks, which is why we have privacy processes in place to handle the minimum amount of data necessary to perform core functionality. We mask sensitive Personal Identifiable Information (PII) data embedded in user interactions, such as chat conversations and ticket data, and delete data upon request.

Data Minimization

We minimize the amount of data collected from the customer by allowing customers to specify data configurations, such as knowledge source and ITSM integrations. We access the minimum amount of data needed to provide services, including machine learning, analytics, and customer support. As mentioned previously, customer data is highly access-controlled and segregated, so that Moveworks systems, services, and individuals only access data on a need-to-know basis and cross-organization data access is not permitted.

Data Masking and Pseudonymization

Moveworks uses data masking to limit exposure of sensitive data by replacing sensitive and PII data. We mask PII (e.g., names, email addresses, credit card numbers) and sensitive identifiers (e.g., IP) to ensure that all data viewed by humans (for purposes of data annotation or debugging) is redacted to maintain user privacy. Where possible, we replace identifiers such as name and email with randomly-generated universally unique IDs (UUIDs).

Data Retention and Deletion

We only retain customer data and backup copies as long as necessary to provide services. Upon request, we can delete customer data in compliance with applicable privacy laws and regulations (e.g., GDPR, CCPA). Customers can submit a request for their data to be deleted, and Moveworks will securely delete it according to the NIST 800-88 standard.

Compliance

We prioritize compliance with global privacy laws and security standards, and have implemented measures to meet relevant compliance obligations. Customers subject to additional data privacy compliance requirements, can enter into Data Processing Addendums and Business Associate Agreements (BAA) with Moveworks, where applicable.

Security Compliance

ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, SOC 2 Type 2, CSA Star Level 2

CSA Star Level 2 Enhanced Security Controls for Cloud Service Providers

Privacy Compliance

ISO/IEC 27701:2019, SOC 2 Type 2, GDPR, CCPA

Copyright © Moveworks 2023. All right reserved.