What You Can Expect

This guide outlines how Secureframe uses third-party AI, what data is involved, how it's protected, and how you retain control—including opting out.

Secureframe, Inc. (“Secureframe”) recognizes that large language model-based, generative artificial intelligence applications (“AI”), such as OpenAI’s ChatGPT, have the potential to be incredibly useful and time-saving on a variety of tasks. Currently, Secureframe utilizes ChatGPT for certain AI product features, and we anticipate a growing interest in the use of AI in Secureframe’s product and business operations moving forward. Secureframe also recognizes that AI is still being refined, is known to produce inaccurate or distorted information, and can create significant risks for both Secureframe and our customers. As a result, Secureframe takes appropriate steps (including through its internal Responsible AI Policy) to ensure that it is thoughtful and intentional about the customer data involved in its AI product features and how such data is used. This brief guide is intended to explain Secureframe’s third-party powered AI features (including Comply AI and Trust AI) and the relevant data involved.

Secureframe AI Features

Secureframe uses AI within its platform to help customers automate various compliance tasks:

• Comply AI for remediation delivers auto-generated fixes for infrastructure as code so you can easily fix misconfigurations and nonconformities that cause failing controls in your cloud environment.
• Questionnaires leverages AI-powered automation to pull the best answers for security questionnaires based on past responses.
• Comply AI for Risk automates the risk assessment workflow by analyzing a risk description and company information to produce an inherent risk score, treatment plan, and residual risk score.
• Comply AI for Policies leverages an AI-powered text editor to create clear and polished policies that align with the tone and voice of your organization.

Data Involved

• Remediation - OpenAI is leveraged to assist with AI-powered remediation tasks. If a customer chooses to utilize Comply AI for remediation, the data read by OpenAI is limited solely to cloud resources; meaning that the only customer data involved relates to a customer’s implementation of AWS, Azure, GCP, etc. More specifically, OpenAI is only reading and providing recommendations for a customer’s cloud configuration data. Information pertaining to personnel, employees, endpoints, etc. is not in-scope for Comply AI remediation and is not read by or sent to OpenAI.
  • Detailed Data Elements: Cloud Provider Resource ID (needed to identify the type of asset being tested); Cloud Provider Username (solely if the cloud provider IDs the relevant resource with a username); test description and overview (e.g. the name of the test itself and description/overview of such test). See below screenshots for further examples of the detailed data elements involved.
• Questionnaires - OpenAI is leveraged to assist with Questionnaires under Secureframe’s Trust AI umbrella. If a customer chooses to utilize Secureframe’s AI-powered questionnaire features, the data read by OpenAI may include the contents of customer’s policies, previous questionnaires, knowledge base and other related documentation uploaded to the platform. Personal data elements are limited to those individuals who may be listed or referenced in the customer policies and documentation listed above (e.g. name, title, role, email address, and other business contact information - all of which may be redacted by customers).
• Risk - OpenAI is leveraged to assist with AI-powered risk assessment. If a customer chooses to utilize Comply AI for Risks, the data read by OpenAI is limited solely to the risk description.
• Policies - OpenAI is leveraged to assist with AI-powered summarization and rephrasing within our Policy Editor. Specifically, when highlighting text and selecting an AI feature within the Policy Editor, that text is processed by OpenAI to better refine the messaging.

Machine Learning & Algorithm Training

Secureframe maintains a commercial license to OpenAI’s API Platform for its product-related use cases. As part of this commercial license, OpenAI is not permitted to use any Secureframe or Secureframe customer data for machine learning or to train its algorithms. You can learn more about OpenAI’s privacy commitments here: https://openai.com/enterprise-privacy.

Opt-Out

Customers always have the ability to opt-out of utilizing Secureframe’s third party AI features and use cases by navigating to: Company Settings > Configuration > Labs at the bottom of the screen > “Enable Comply AI” > turn setting to off.

AI/ML Examples & Screenshots

Comply AI for Remediation:

When enabled, Secureframe sends a Cloud Provider Resource ID to OpenAI as well as the failure message. In the following example, only the first two resources are read by OpenAI (as they are the only failing resources). 

• Specifically: arn:aws:iam::429608341515:user/apostolos and arn:aws:iam::429608341515:user/secureframe-app-eu-west-2.
• Secureframe also sends the following failure message: IAM user arn:aws:iam::429608341515:user/apostolos should not have policies directly attached to it

As can be seen in the below screenshot, Secureframe will also send test description and overview. In this case, OpenAI would receive the following text: IAM user account attached policy restriction (AWS)

• Verifies that AWS IAM policies are not connected directly to user accounts.
• Create groups with the required policies, move the IAM users to the applicable groups, and then remove the inline and directly attached policies from the IAM user.

Comply AI for Risks:

When enabled, Secureframe sends the risk description to OpenAI when utilizing the “Complete with Comply AI feature.” Specifically, in the following example: Earthquake knocks down our office would be processed by OpenAI.

Comply AI for Policies:

Secureframe sends the highlighted policy content to OpenAI when using our AI features. Specifically, in the following example: All employees must show integrity and professionalism in the workplace.

Frequently Asked Questions (FAQ)

Does Secureframe utilize a private or public AI model?

• Secureframe uses a combination of private and public models. All usage is governed by our Responsible AI Policy, with strict limits on data sharing and processing.

Is the AI instance used by Secureframe segregated from other customers?

• We use a single model across all customers; however, data is logically segregated per customer. One customer’s data is not accessible to another.

Is customer data ever used to train the AI model?

• No. Secureframe does not use any customer data to train AI or machine learning models.

Can I disable AI features if my company doesn’t want them?

• Yes. You can opt out of Comply AI features in the platform under Company Settings > Configuration > Labs > “Enable Comply AI”.

What types of data are shared with the AI provider?

• Only the minimum data required for each feature is shared. For example, remediation uses resource IDs and config details, while questionnaires may use relevant snippets from uploaded documents. No raw customer databases, endpoints, or full environments are shared.

What version of OpenAI are we using?

• For questionnaires and remediations, we use GPT-5-mini.