AI Security & Data Privacy
This document explains how UMA Vision uses AI services (Anthropic Claude and OpenAI), what customer data is involved, and what protections are in place.
Summary
UMA Vision uses AI exclusively via API calls to Anthropic and OpenAI. No customer data is used to train AI models. No data is stored by the AI providers after a request completes. This applies to all AI features in Analytics Pro.
How AI Calls Work
When a user invokes an AI feature in UMA:
UMA's backend (gateway-service) constructs a prompt containing aggregated analytics data (for example, room utilisation percentages, building names, sensor averages, and the selected date range).
That prompt is sent over an encrypted HTTPS connection to the relevant provider's API endpoint (Anthropic or OpenAI).
The provider's model generates a response and returns it.
UMA displays the response to the user. The raw prompt and response are not stored by UMA's backend (only token counts are recorded for cost monitoring).
The entire exchange happens in real time. There is no persistent session, no caching of customer data on the provider's side, and no feedback loop back into any model.
What Data Is Sent in a Prompt
AI prompts contain aggregated, non-personal analytics metrics only:
Building and floor names
Resource names (e.g. "Meeting Room A")
Utilisation percentages, occupancy counts, energy totals, sensor averages
Selected date ranges
The user's specific question (for agent interactions)
AI prompts do not contain:
User passwords, authentication tokens, or credentials
Raw device logs or individual sensor readings
Personally identifiable information (PII) such as employee names, emails, or badge numbers
Financial or legal data
Data from outside the currently selected building/floor scope
No Training on Customer Data
Anthropic (Claude)
Under Anthropic's API usage policy, inputs and outputs submitted via the API are not used to train Anthropic's models. This is a contractual commitment that applies to all API customers by default, with no opt-in required.
Reference: Anthropic API Usage Policy
OpenAI (GPT-4.1)
Under OpenAI's API data usage policy, data submitted via the API is not used to train OpenAI's models by default. API customers are automatically opted out of training data collection.
Reference: OpenAI API Data Usage Policies
Data Residency and Transit
All API calls are made over TLS 1.2+ (HTTPS). Data is encrypted in transit.
Anthropic's API infrastructure is hosted in the United States.
OpenAI's API infrastructure is hosted in the United States.
Prompts and responses are held in memory only for the duration of the request; neither provider persists API request content after the HTTP response is returned.
UMA Vision does not send customer data to any AI provider outside of a live user-initiated action (i.e. no background batch processing of customer data by AI).
Token Logging (Internal)
UMA records promptTokens and completionTokens per AI interaction in its own database for cost monitoring and billing purposes. This is a count of tokens, not the content of prompts or responses. No message text is stored server-side.
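One way to enforce the prompt-content limits from "What Data Is Sent in a Prompt" and the token-only logging described above, as an added example rather than UMA Vision's own code. The field names, the e-mail pattern, and the function names are assumptions.

```javascript
// Added example: hypothetical guard, not UMA Vision's code.
// Field names are assumptions based on the data categories the page lists.
const ALLOWED_FIELDS = new Set([
  "building", "floor", "resource",
  "utilisationPct", "occupancyCount", "energyTotalKwh", "sensorAvg",
]);
// String values that look like e-mail addresses are treated as PII.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

function buildPrompt(rows, scope, dateRange, question) {
  const lines = [];
  for (const row of rows) {
    // Enforce the currently selected building/floor scope.
    if (row.building !== scope.building ||
        (scope.floor !== undefined && row.floor !== scope.floor)) {
      throw new Error("row outside selected scope");
    }
    const parts = [];
    for (const [key, value] of Object.entries(row)) {
      if (!ALLOWED_FIELDS.has(key)) continue; // drop anything not allowlisted
      if (typeof value === "string" && EMAIL_RE.test(value)) {
        throw new Error(`possible PII in field ${key}`);
      }
      parts.push(`${key}=${value}`);
    }
    lines.push(parts.join(", "));
  }
  return `Date range: ${dateRange.from} to ${dateRange.to}\n` +
         `${lines.join("\n")}\nQuestion: ${question}`;
}

// Record kept for cost monitoring: token counts only, never message text.
function usageRecord(usage) {
  return {
    promptTokens: usage.promptTokens,
    completionTokens: usage.completionTokens,
  };
}

// Constructed sample input: bookedBy and badge are not allowlisted.
const SAMPLE_ROWS = [
  { building: "HQ", floor: "2", resource: "Meeting Room A",
    utilisationPct: 63, bookedBy: "jane@example.com", badge: "B-1042" },
];
const SAMPLE_PROMPT = buildPrompt(SAMPLE_ROWS, { building: "HQ", floor: "2" },
  { from: "2025-01-01", to: "2025-01-31" }, "Which rooms are underused?");
```

The guard fails closed: a row outside the selected scope or an allowlisted field carrying an e-mail-like value aborts prompt construction instead of being silently sent.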
Summary of Guarantees
Is customer data used to train AI models?
No - API usage is explicitly excluded from training by both Anthropic and OpenAI
Does UMA share customer data with third parties for AI?
Data is transmitted to Anthropic/OpenAI only to generate a response; it is not shared with any other party
Is prompt content stored by the AI provider?
No - API request content is not retained after the response is returned
Is personally identifiable information sent in prompts?
No - only aggregated analytics metrics and resource names
Are AI calls encrypted?
Yes - all calls use HTTPS / TLS
Is there any unsupervised background AI processing?
No - AI is only invoked by explicit user action