AI Data Privacy and Security FAQ

  • Is our data used to train your global AI models? No. eForms Mobile does not permit customer data to be used for training or “fine-tuning” the underlying AI models. By utilizing Vertex AI, we leverage Google’s enterprise commitment that customer data is not used to train their foundation models. Google Cloud ensures that all customer data, including prompt inputs and model outputs, remains siloed and is never used to improve Google’s models.

  • How do you ensure data isolation between different tenants when using AI? We invoke AI using Context-Rich Stateless Requests, meaning the AI essentially “forgets” the data immediately after the task is completed. We also employ System Instruction Layering to ensure the AI’s visibility is restricted only to the specific metadata required to complete the immediate request.

     
  • Do you use third-party LLMs (like OpenAI or Anthropic), and if so, how is our data protected there? No, we do not currently use third-party LLMs like OpenAI or Anthropic. eForms Mobile utilizes various Gemini models via Google Vertex AI to provide specialized, task-oriented generative capabilities. We exclusively use “Stable/GA” model versions of Google’s Gemini AI family. However, if you prefer to use another model provider, we will be adding “bring your own AI” (BYOA) functionality in the future.
  • Is our data encrypted and protected while being processed by the AI? Yes. AI capabilities are exposed exclusively through eForms Mobile-hosted APIs, ensuring a secure and controlled bridge between our Azure-based platform and the AI processing environment. Our AI framework operates as a closed loop and does not interact with third-party APIs or the open internet, effectively eliminating data exfiltration risks.
  • Does the AI store any “shadow copies” of the data it processes? No. Aside from short-lived performance caches, AI models do not have persistent or “ambient” access to data hosted on eForms Mobile. Because we invoke AI using stateless requests, no data is retained after the task is completed. Everything your users input and everything you receive back from any of our AI features is owned entirely by you as our customer.
  • Where is our data processed (Data Residency)? To maintain strict data sovereignty, we utilize a “Matching Region” architecture across our primary Azure nodes. All traffic from our US, European, and Australian nodes is routed exclusively to Vertex AI instances within those same geographic regions, ensuring all data flow remains within your nominated eForms Mobile region.
  • How does AI usage impact our existing compliance certifications? Vertex AI is Google Cloud’s enterprise-grade machine learning platform, designed with the strict security infrastructure required for professional data handling. Notably, Vertex AI maintains top-tier industry security certifications, including ISO/IEC 27001, SOC 2/3, and HIPAA.
  • How do you prevent the AI from “hallucinating” or providing incorrect information?

    While we cannot entirely prevent hallucinations, we employ several technical safeguards to manage accuracy:

    • We pass all AI responses through strict JSON schemas rather than unpredictable dialogue to ensure structured, fit-for-purpose outputs.
    • Our closed-loop framework reduces the likelihood of hallucinations from unverified external sources.
    • We utilize advanced filtering and features like Google’s Model Armor to detect and block prompt injection patterns or malicious intent before they reach the model.
    • Updates to new model versions are managed through our continuous integration and testing suite to ensure accuracy with our platform’s proprietary schemas before being pushed to production. 
  • How do you handle biases in the AI’s output? By restricting AI to specific functional tasks rather than open-ended, conversational prose, we significantly mitigate the risk of social or algorithmic bias. 
  • What is the “Human-in-the-loop” process for AI-generated outputs? Because AI is a generative technology, it can sometimes misinterpret instructions and nuances. Users should always review AI-generated results for accuracy and completeness. The same input may yield slightly different results at different times due to the nature of AI processing, and past accuracy is not a guarantee of future performance. Therefore, ongoing human oversight remains critical for success. 
  • Can we disable or opt out of AI features? Yes. eForms Mobile provides administrative controls at the organization level, allowing customers to opt out and disable AI features for their users as desired. AI access is also aligned with user license tiers, offering paths for those who do not require these features.
     