We understand that confidentiality and data protection are top priorities when working with sensitive vendor documents. To provide clarity, here’s how Bitsight’s new AI feature manages data privacy and security:
NDA Requirements
Customers do not need to sign an NDA with Bitsight to use this feature. Bitsight includes confidentiality provisions in all of its customer contracts and those terms apply to both content uploaded into and output generated by Framework Intelligence.
Handling of Sensitive Vendor Documents
Documents that are uploaded into Framework Intelligence are processed securely, with strict safeguards in place to prevent unauthorized access. The process is comparable to how other third-party risk and Governance, Risk, and Compliance (GRC) technologies require document upload for automated assessments.
Many - but not all - NDAs allow for the sharing of confidential information with third parties that are bound by comparable confidentiality obligations. That being said, we encourage customers to confirm that their existing vendor agreements do not interfere with their ability to use third-party risk or GRC assessment automation tools before using Framework Intelligence.
Additionally, when negotiating a new vendor agreement, we recommend including a clause that requires the vendor to allow the use of, and cooperate with, third-party risk and GRC assessment providers. This gives you the flexibility to use tools like Framework Intelligence, and to include managed security service providers, in your vendor assessment processes.
Access Controls
Only your organization has access to the documents you upload. No other company or third party can view or retrieve them.
Vendor Notification
We recommend notifying vendors in the same way you would when using other third-party risk or GRC platforms that require document review. Since the process is automated, transparent communication to vendors about how their documents will be used can further build trust.
Data Storage & Retention
- Documents are scanned for malware and securely processed.
- They are temporarily stored in encrypted Amazon S3 buckets in standard US regions during analysis.
- Once the AI assessment run is complete, documents are immediately deleted.
- No long-term storage occurs beyond what is outlined in Bitsight’s standard Data Retention Policy.
- Customers are not required to take action for deletion — it is automatic.
AI Training & Use of Data
The AI technology powering this feature is Google Vertex AI, leveraging Gemini models. The content contained in uploaded documents is not used to train the AI engine. The Large Language Model (LLM) processes content only for the purpose of mapping controls and returning evidence-based results. After that step, neither Bitsight nor the underlying LLM provider stores the content.
- September 17, 2025: Published.