We understand the value of the organization's information integrity and availability, that is why Konverso pays special attention to information security management. Our team strives to ensure the robust protection of both our intellectual property and clients' data. This document describes the features and processes put in place in Konverso to best protect the application data.
Konverso is a French startup creating virtual agents (chatbots). Our virtual agents provide clients with the first level support: answering employees' questions on technical or HR issues.
In 2020 the global analyst firms ranked Konverso as one of the top 10 IVA vendors.
Website: https://www.konverso.ai/
Support: support@konverso.ai
Data Protection Officer: dpo@konverso.ai
Phone number: +33 (0)1 41 10 83 53
Address: 98 route de la Reine — 92100 Boulogne Billancourt, Paris, France
91880073398 underwritten by Company:
AXA France IARD
313 Terrasses de l’Arche
92727 Nanterre Cedex
The appointed Data Protection Officer (DPO) is Amédée Potier. In addition to managing the company security, he is in charge, as the CTO, of all important decisions on tools, purchases, architecture issues, and processes that are associated with the IT.
Any internal or external questions related to data protection should be sent to dpo@konverso.ai.
The DPO is running monthly security review team meetings with all employees to review key security-related procedures and best practices. As part of the preparation for this meeting, the CEO and the DPO review the current administrator privileges and adjust them, if necessary, in accordance with the defined rules.
Konverso’s recovery strategy:
We make environment backups at least once every 24 hours.
Backup hosts are designed to be in a region different from the VM to be backed up.
Backups are encrypted. Only the team members who are granted access to the environment may have access to the key to decrypt the backup data.
Solution configuration and settings are stored in Bitbucket customer repositories with versioning and access restrictions.
With the database and solution code, any environment can be recreated and returned to full functionality in less than 2 hours.
To summarize our recovery strategy:
RPO is 24 hours
RTO is 2 hours
We run random full recovery tests on one customer environment at least once per quarter.
All Konverso customer data is stored in the Microsoft Azure cloud environment, running in region requested by the customer. We currently have instances running in different continents.
Our customers are using our software to provide employees with HR and IT services. In the scope of our application, users and the chatbot might exchange user information during a conversation. There are only IT or HR-related questions, which can be considered sensitive; however, there is no payment, credit card, or salary information shared.
Our application allows organizations to define the data retention period. User data that is older than the retention period is automatically deleted.
Contact us if you wish to set a specific data retention period for your organization.
Various processes are put in place to protect the application code against any tampering or inclusion of any malware.
The source code is managed in the secured source code control environment in Atlassian BitBucket.
Only selected and qualified engineers are the members of the group with Bitbucket Write permissions.
All projects are organized in distinct groups for the core product, solutions, and customer solutions.
Only the team members that really require access to a particular group are granted access to that group.
No code change can take place without the creation of a pull request and corresponding code review. Approval and review comments are all tracked.
Any code change must be associated with a development ticket that describes the purpose of the change. No code change can be done without a related ticket and a clear purpose that was agreed to in the sprint planning.
We carefully select the third-party code (such as open-source packages) that is embedded inside our application.
An internal request ticket is created for integrating new third-party code.
License and source packages are reviewed for approval by the Konverso CTO/DPO.
The open source package is downloaded only from known and trusted sources.
Selected package versions are documented, so customers can review the list of third-party products.
Distinct network subnets, VMs and source code repositories are used for:
Development environment (accessed by Konverso developers), not including customer data.
Production environments (accessed by our customers and our consultants).
Furthermore, on typical customer deployment, there is data segregation between production and non-production, using distinct hosts for the production and pre-production environments.
Some Konverso Kbot features leverage external services. If these are enabled, some user data can be shared with these external applications and the related customer is notified of such data sharing.
In case a user activates the Speech to Text feature, the user’s recorded voice is sent to the Microsoft Azure environment, located in Western Europe. This feature may be turned on or off in your configuration.
In case a user activates the bot’s voice function, the bot responses are sent to the Microsoft Azure environment, located in Western Europe. This feature may be turned on or off in your configuration.
If the user inputs a “social chatting” sentence, this sentence is sent for evaluation to the social chatting engine powered by Pandorabots. This feature may be turned on or off in your configuration.
If the search on public content such as Microsoft Support or Google Support database is active, the user input can be sent for evaluation to one or several search engines:
Google Search: for search on the content of the selected site.
Microsoft Search.
This feature may be turned on or off in your configuration.
We are GDPR compliant:
We only store customer data that is required;
There is a mechanism in place to delete particular user data;
There is a retention mechanism;
The administrator has an opportunity to review the collected data through the Profile view.
Send an email to dpo@konverso.ai if you want us to fully delete any user, customer or tenant-related data.