AI Compliance Without the Risk.

GPTfy, Privacy, Ethics, Data Residency and Compliance. GPTfy is a Salesforce AppExchange app to bring artificial intelligence such as ChatGPT-type functionality into your Salesforce org and provide it to your end users securely, quickly, and in a compliant manner. GPTfy comes to you from Cloud Compliance, a Salesforce AppExchange partner. We have been in the data security and privacy business for more than four years, and we took a lot of time to make sure that we address some of the key considerations. Here are some of the areas we have constantly heard from our customers. There are requirements around regional privacy laws — GDPR in Europe, CPRA in California, PDPB in India, and so on. There are ethical considerations around AI, particularly in terms of bias, toxicity, and hallucination. There are data residency requirements around AI, such as where data will be processed by AI, what region that AI service resides in, and so on. And there are other requirements. Let's start with regional privacy laws. One of the key requirements is how you enable AI in specific geographies and align with regional laws. If you have a global Salesforce org, how do you comply with CPRA in California and GDPR in Europe? One option is to assign AI capabilities to specific users. For example, you may selectively enable AI access to your US users but not to European ones. The second part of this is how you limit AI processing on customer data. In certain scenarios you may want to not process customers who are resident of a particular region. For example, perhaps you don't want to process data of European customers. Another scenario could be that you only want to process data where there is an explicit opt-in by your customer. A third example is processing data only where there is a legitimate basis to do so. The way to handle this is to configure prompts to process records either by location or by consent. The second part is to enable prompts only for use cases approved under a legitimate basis. A Salesforce admin can selectively enable specific prompts for a given profile or record type. This means you can selectively enable prompts for users in Europe or the United States or other regions. You can control it at a user level by named users. You can control it at a profile level. You can control it at a record type level — for example, if you have different record types for leads from Europe versus leads from America. In addition, GPTfy supports selective record processing where you can use a WHERE clause in a SOQL statement to pick only specific records that meet criteria. All of this ensures that AI is only applied in line with your policies. Another area specific to privacy laws is data retention. GPTfy has a robust security audit capability, and you can specify how long you want to keep those auditable records. You can configure zero data retention, 30 days, or whatever your retention policy is, and GPTfy will automatically delete records once that retention timeframe is reached. The next area is bias. How do you address this ethical consideration? You can avoid fully automated AI use cases initially to prevent bias — ensure there is always a human in the loop. For example, you can prevent automatically generating and sending out an email, and instead ensure that only a draft is generated which a human reviews and sends. That is the simplest, most direct way to address this challenge. GPTfy supports this scenario completely today. Secondly, how do you enforce an AI quality assurance policy to detect toxicity? One way is to apply regular data audits and provide training to spot biases. GPTfy has a complete AI security audit trail for every piece of information that is extracted from Salesforce, masked, and then sent to your AI. You can see the information that was extracted, the data that GPTfy masked or removed from it, which was deemed sensitive, and what was sent to AI. GPTfy also tracks what came back from AI and what was presented to the user. By applying a quality audit and review policy on top of this, you can ensure that any toxicity and bias is immediately detected and addressed. Another concern with AI is hallucination. One option to address hallucination is to set your AI to a lower temperature — a more deterministic and less imaginative setting. In addition, GPTfy supports the ability to adjust temperature for each AI individually. So if your Salesforce is connected with more than one AI — because of regions, degree of specialization, or other factors — you have a choice of controlling this temperature and ensuring AI is more deterministic and less imaginative. The second part of addressing hallucination is to ensure AI doesn't misinterpret your request, which boils down to two areas. The first is to provide well-grounded prompts that give enough context to AI. GPTfy supports this really well. The second is to ensure that data is tagged correctly so that AI is not trying to guess what information has been sent to it. GPTfy addresses both of these very well. Another important consideration is data residency. GPTfy works with one or more AI instances in your infrastructure to ensure that data is sent to the appropriate AI provider so that data sovereignty requirements are addressed. These AI providers are infrastructure components that your organization selects and controls. GPTfy offers this rich capability so that your organization's IT and information security teams can determine what AI instance your Salesforce data is going to. Finally, another important consideration is integrating third-party data sources. An example could be address standardization. It could also be bringing in financial information, ensuring that the data being processed does not fall under anti-money laundering, the Bank Secrecy Act, or other such compliance and regulatory requirements. GPTfy supports third-party data sources and APIs so that customers can facilitate this and ensure compliance with requirements as they emerge. We hope this gives you a sense of how GPTfy lets you accelerate your Salesforce integration with AI in a secure, Salesforce-native, and compliant manner.