Google - AI Review Questions | Reco Help Center

Is data from all customers of the Shadow SaaS detection service co-mingled in a single application tenant?

Only if we see an unseen automatic email sender (i.e., we see it for the first time across all of our customers), with a domain that is related to a SaaS application, we send the external sender and related email subjects to a global application. There is no option to know from which customer the information arrived from (there isn’t any customer-related identifier). The global application then determines if the sender is indicative of app usage. If yes, we store only the sender's email address in the global dataset as an indicator for app usage (this data is not exposed externally). The global dataset is being populated to all customer tenants on a daily basis.

Note:
1. We don’t send any sensitive information, such as email recipients, email content, or any other specific customer information/identifier.
2. We filter out all emails from internal users and emails from non-business
3. accounts (Gmail, Hotmail, etc.), i.e., we analyze only subjects of auto-generated emails sent from external entities that haven’t been seen in the past.
Data in transit and not data at rest

How is access to the Shadow SaaS detection AI capabilities in Reco managed and controlled?
- Are the AI capabilities enabled by default?
  Yes
- Can the AI capabilities be limited to a set of users of the service?
  No. However, the entire Shadow App Discovery module can be limited to a set of users.
- Can the AI capabilities be fully disabled?
  If this is implemented, only apps discovered from third-party integrations with core apps and apps governed by IDP will be displayed without shadow apps discovered from email.

Are the Shadow SaaS detection AI capabilities built in-house by Reco or does Reco acquire them from a third party?
Built in-house, we are using Azure OpenAI LLMs.

Does the Reco Shadow SaaS detection solution contain any generative models or functionalities that create or modify content?
We mainly use Generative AI models for classification tasks, not content generation (neither modify content).

Are the Azure OpenAI models used by Reco hosted in a Reco-managed environment?
Reco-manged environment

How many AI models does the Reco Shadow SaaS detection solution have?
We use the same LLM model for two tasks: Sender evaluation and domain evaluation.

Are any of the Shadow SaaS detection AI models updated? If so, how often?
We replace the models with the latest version of OpenAI GPT models. Before the replacement, we conduct a comparison analysis to ensure no degradation in the performance.

Do we have a way to control when or if updates occur to the Shadow SaaS detection AI models?
No

Where is AI model training data stored? (e.g., In a Reco-managed environment, In a third-party environment, etc.)
Not applicable - we don’t train the model

Does our data used to fine-tune any of the Shadow SaaS detection AI models?
Not applicable - we don’t train or fine-tune the model

Is prompt filtering (input moderation) capability present in the application?
Yes, we have input validation. (It is worth mentioning that we use it as part of our internal algorithmic layer, so a user can not interact with the model)

Is output filtering/moderation capability present in the application?
Yes, our output validation is strict for specific classes/categories.

Are there visible/audible and forensic watermarks on assets generated (output)?
It's not applicable. We do not generate content with AI; we just use it for classification. The technology (internal and secure) is used to determine whether the organization uses shadow applications.