Security and privacy FAQ
In this article, we (Talarian, maker of GPT for Work) aim to answer the most frequent questions about the security and privacy measures we implement and our compliance with global regulations like the GDPR. For more details, check the Talarian security portal.
Compliance
Is your organization ISO 27001 certified?
Yes, we are certified under the ISO 27001 standard. The certificate is available through the Talarian security portal.
Do you comply with GDPR and other privacy regulations?
Yes, we comply with GDPR. As a data controller, we process personal data in a fair, transparent and secure way in accordance with our Privacy Policy. As a data processor, we process personal data according to our Data Processing Agreement.
Security
Do you conduct independent third-party security testing?
Yes, we rely on annual third-party security assessments. The resulting reports are available through the Talarian security portal. Also, our infrastructure is hosted on Google Cloud Platform, which undergoes its own independent security audits.
We are certified under the CASA Tier 3 certification for Google, ensuring GPT for Work meets Google’s standards for security and privacy. Additionally, we have completed the Microsoft publisher attestation for the Microsoft 365 App Compliance Program.
Is my data encrypted at rest and in transit?
Yes. We rely on Google's encryption-at-rest mechanism (which is based on the AES algorithm with a key size of 256 bits). Google Cloud Platform’s security infrastructure uses a common cryptographic library called Tink, which includes the FIPS 140-2 validated module (named BoringCrypto) to implement encryption consistently across Google Cloud.
For data in transit, we exclusively use TLS 1.2 and TLS 1.3 to ensure secure transmission. The following data is also encrypted when in use: API keys, bulk tools configuration history (when GPT for Work is used with Google Sheets and Excel spreadsheets) and GPT functions cache (when GPT for Work is used with Google Sheets and cache is enabled).
What measures are in place to prevent unauthorized access to customer data?
We restrict and monitor access to production data on an as-needed basis. We use a robust access control policy with quarterly admin rights reviews. We enforce stringent password security policies and enforce Multi-factor Authentication (MFA) for all our personnel.
How do you ensure secured user identification?
We offer Single Sign-On (SSO) to access GPT for Work with Microsoft 365 (for GPT for Excel Word) or Google Workspace (for GPT for Sheets and GPT for Word). User identification security levels are therefore those provided by either Microsoft or Google.
How do you handle software and hardware vulnerabilities?
With respect to the devices used to develop our application: hardware and software provided to our employees are controlled under a centralized Mobile Device Management (MDM) solution. This allows us to control our fleet and its usage. In this respect, critical software (such as antivirus and vulnerability management solutions) are deployed on personnel’s devices and strictly controlled via our MDM solution.
With respect to the hosting of our application: we rely on the infrastructure provided by Google Cloud Platform (GCP) and on its vulnerability and patch management programs.
Finally, the GPT for Work application is subject to our software development lifecycle (SDLC) process where security by design is key, from the product initiative stage until the product delivery stage. Through our continuous integration and continuous delivery (CI/CD) process, every new piece of application code is subject to state-of-the-art code security scanning (which includes detecting public vulnerabilities and ensuring compliance with frameworks such as OWASP Top10).
How do you ensure data center physical security?
As our application is hosted within data centers provided by Google, the physical security of our infrastructure is managed by Google Cloud Platform. Additional information can be found in Google Cloud Platform’s security documentation available at: https://www.google.com/about/datacenters/data-security/.
Do you have a formal incident response plan?
Yes, as part of our ISO 27001 compliance framework, Talarian has security incident management procedures in place. The customer notification process in the event of a data incident involving personal identifiable information is set forth in our Data Processing Agreement.
Data & Privacy
What permissions are needed to use GPT for Work?
GPT for Work includes add-ons for Google Sheets and Google Docs (GPT for Sheets and Docs) as well as add-ins for Microsoft Excel and Microsoft Word (GPT for Excel Word). GPT for Work requires permissions to interact with these Google and Microsoft applications. Only the authorization scopes necessary for GPT for Work’s performance are requested.
Google permissions for GPT for Sheets and Docs
Authorization scopeWhen you install GPT for Sheets and Docs from the marketplace, you are asked to allow the following:
By clicking 'Allow' or ‘Continue’, you indicate your acceptance of the Terms of Service and Privacy Policy of GPT for Work.
| Authorization Scopes | Why does GPT for Work need it |
|---|---|
| See your primary Google Account email address | Required to identify the user and fetch their associated metadata. |
| See your personal info, including any personal info you've made publicly available | |
| View and manage documents that this application has been installed in | Allows GPT for Work to fetch the user-selected Google Docs content in accordance with requests launched by the user on the application. Also allows GPT for Work to insert data in Google Docs in response to a user's request. |
| View and manage spreadsheets that this application has been installed in | Allows GPT for Work to fetch the user-selected Google Sheets data in accordance with requests launched by the user on the application. Also allows GPT for Work to insert data in Google Sheets in response to a user's request. |
| Connect to an external service | Required to allow GPT for Work add-on to send/retrieve information from its backend. Even if this authorization is described as an 'external service', it still stays within the Google environment because GPT for Work is hosted on Google Cloud Platform. |
| Display and run third-party web content in prompts and sidebars inside Google applications | Required to display GPT for Work sidebars inside Google Sheets and Google Docs. |
When you enable the 'Safe Mode' or the 'Bulk Tools' functionalities, you are asked to allow the following:
| Authorization Scopes | Why does GPT for Work need it |
|---|---|
| See, edit, create, and delete all your Google Sheets spreadsheets | Allows GPT for Work to write results from AI providers into the user’s spreadsheets in response to an asynchronous user request (through functions safe mode or bulk tool runs). There is unfortunately no way to limit that scope to specific spreadsheets with the way that the Google Sheets API works. However, GPT for Work never reads from or writes to spreadsheets you didn’t launch the add-on in. |
At any point in time, you can review the permissions you have granted for GPT for Sheets and Docs.
Microsoft Permissions for GPT for Excel Word
Authorization scopeWhen you install GPT for Excel Word from the marketplace, you are asked to allow the following:
By clicking Accept, you indicate your acceptance of the Terms of Service and Privacy Policy of GPT for Work.
| Scope | Why does GPT for Work need it |
|---|---|
| User's email address | Required to identify the user and fetch their associated metadata. |
| User basic profile information (including name, surname, preferred username) | |
| OpenID (user's unique identifier and token) | |
| offline_access | Required to keep the user signed-in. The offline_access scope allows GPT for Work to receive refresh tokens from the Microsoft identity platform token endpoint. |
At any point in time, you can review the permissions you have granted for GPT for Excel Word.
How is my data processed?
Here are some details as to the customer data used by GPT for Work, and which of this data is being stored on GPT for Work’s infrastructure (i.e., Google Cloud Platform).
User identification
This includes the following stored data: username, account email address, basic profile information, GoogleID or MicrosoftID (as applicable). No other user identification data is stored.
Documents, Inputs, Outputs and Configurations
First, let’s introduce three key concepts used in this paragraph:
- Documents mean the spreadsheets (Google Sheets or Microsoft Excel) and documents (Google Docs or Microsoft Word) in which the GPT for Work extension is used;
- Inputs are the information you submit through GPT for Work. This includes:
- the prompts and custom instructions you give (e.g. generating text, summarizing data or analyzing content). When using the 'Bulk Tools' functionality in Google Sheets or Excel, you can configure these prompts and instructions and these configurations are saved in your history for easy reuse (Configurations); and
- the portion of the Documents you submit along with these prompts and instructions (e.g. relevant cells of your spreadsheets and parts of your documents); and
- Outputs are the results generated by AI providers based on your Inputs.
Here is how GPT for Work uses your Documents, Inputs, Outputs and Configurations:
Documents- GPT for Work does not read or store any data from your Documents that you do not use as an Input in your prompt.
- GPT for Work sends your Inputs to the relevant AI provider’s API and writes the resulting Outputs in your Document.
- If you use a model with your own API key, GPT for Work does not log any of the Inputs submitted or Outputs received. By using your own API key, your AI provider usage (e.g. data retention, rate limits, cost, moderation) is bound by the terms you negotiated with your AI provider.
- If you use a model without your own API key, we log all the Inputs and Outputs for support purposes for a duration of 30 days. We also store them for product improvement purposes (excluding the training of any language model) for no longer than 1 year. Outputs and Inputs are finally stored for 5 years to comply with applicable law, enforce our terms and policies and keep our Service safe and can only be accessed on an ad hoc basis by the specific staff members who are responsible for ensuring such goals.
- In Google Sheets only, and only if cache is enabled, Inputs and Outputs of executions made through GPT functions are cached encrypted for a short period of time (30 days) to prevent unexpected costs and loss of data due to Google Sheets automated recalculations. This caching occurs regardless of whether you use a model with or without your own API key.
- When you use the 'Bulk Tools' functionality in Google Sheets or Excel, your bulk tools Configurations are securely stored in encrypted form for a limited period (90 days) to support the history feature.
- Examples of data that may be contained in Configurations include your desired translation glossary (if you are using the 'translate' tool) or your tailored classification instructions (if you are using the 'classify/categorize' tool).
Metadata relating to your Documents
GPT for Work stores the following additional data from your Document:
- Google Sheets: spreadsheets ID (identifier of the spreadsheet), sheet IDs (identifier of the sheet within a specific spreadsheet), sheet name;
- Excel workbooks: link to the specific Excel workbook on which GPT for Work is running;
- Google Docs: Google Doc ID; and
- Word documents: link to the specific Word document on which GPT for Work is running.
Usage metadata
These are data events corresponding to the different actions of GPT for Work users (e.g., user clicking on the ‘Run’ button).
API Keys
If you set up API keys for AI providers, they will be stored encrypted in transit, at rest and at work in Google Cloud Platform.
Subscription data
This includes the following stored data: current plan details, transaction details (amount, invoice ID and payment date), details of the invoiced person or company (customer email and customer ID). We do not store payment card credentials on Talarian’s infrastructure and always rely on Stripe, a third-party PCI-DSS-compliant payment processor, for payment card processing.
Is my data used by GPT for Work to train models?
No. Whether you use a model with or without your own API key, Talarian does not use your Inputs and Outputs to train language models. Also, according to their terms as of December 15, 2024, the AI provider APIs we rely on currently do not use your Inputs and Outputs to train their models.
To check the AI provider’s models available with or without your own API key, please see our list of supported models.
Who owns Inputs and Outputs?
As between you and us, you retain all rights in your Inputs and Outputs. More details are available in GPT for Work terms of service.
What do you do with my API Key, when I use it within GPT for Work extensions?
If you set up API keys for AI providers, they will be stored encrypted in transit, at rest and at work in Google Cloud Platform.
Do you store payment card information?
We don't store payment card credentials. Payments are processed through Stripe (https://stripe.com/en-fr). They are a PCI Service Provider Level 1 organization. Using Stripe means we don't need to store your payment card credentials.
You can read more about security at Stripe here: https://stripe.com/docs/security/stripe.
Where is my data located?
The Google Cloud Platform datacenters on which your data is stored are located in the United States - us-central1 region (Iowa). More details on Google Cloud Platform’s region are available here.
Do you sell any of my data?
No, we never sell data.
Do you use third-party service providers?
Yes. GPT for Work relies on or interacts with several service providers in order to operate. They fall within 2 different categories:
Talarian’s third-party service providers
These are service providers with which we hold a contractual relationship. They help us with various services including cloud hosting, generative AI provision or support ticket management.
Whenever we share data with these service providers, we make sure that they use it in compliance with data protection legislation, and that the personal data processing they carry out is covered by a specific data processing contract. They are of two sorts:
Talarian’s subprocessorsThey process personal data for which we are a processor, following our instructions. This processing is carried out as part of the services you have subscribed to. You will find details of our subprocessors in our Data Processing Agreement.
| Service Provider | Purpose |
|---|---|
| Google LLC or any of its affiliates | Data hosting, Generative AI* |
| Zendesk, Inc. | Support |
| OpenAI OpCo, LLC or any of its affiliates | Generative AI* |
| Anthropic, PBC or any of its affiliates | Generative AI* |
| Perplexity, Inc. | Generative AI* |
| Functional Software, Inc. (d/b/a Sentry) | Error Monitoring |
| Retool, Inc. | Admin dashboards for customer support |
They process data for which we act as the controller, and therefore act as processors.
| Service Provider | Purpose |
|---|---|
| SalesForce, Inc. | CRM |
| Sendinblue, SAS (d/b/a Brevo) | Transactional and marketing email |
| Slack Technologies Limited | Internal communication tool |
| Google Ireland Limited (Google Workspace) | Collaboration tool |
| Microsoft Corporation (Microsoft Clarity) | Front end analytics |
Other third-party service providers
These are third-party service providers with which you hold directly a contractual relationship. These can be of various types, notably:
- AI providers that you use by creating and setting up their own API keys. The full list of available AI providers which can be used via your own API keys are set forth in section 'With an API Key' of the following page: https://gptforwork.com/help/supported-models.
- Payment processor. Payments are processed through Stripe (https://stripe.com/en-fr), which is a PCI Service Provider Level 1 organization. By purchasing GPT for Work you accept to be bound by the Stripe terms and conditions (https://stripe.com/en-fr/legal/consumer).
Can I have my data deleted?
Yes, you can.
As long as your GPT for Work account is active, we retain your data in accordance with our Privacy policy and Data Processing Agreement. Upon deletion of your GPT for Work account, we may archive your data only for a specified period of time in accordance with our internal data retention policy, and in any case no longer than legally permitted.
To request all your data to be deleted following deletion of your GPT for Work account, submit your request via our contact form and write 'Data Deletion request' as the subject line.
Deleting your data will interrupt GPT for Work’s functionality. Signing up again with the same Google or Microsoft account will not restore the deleted data.
How can I send you a privacy complaint?
For privacy complaints, you can reach us at: legal@talarian.io.