
KAI - compliance whitepaper

Updated over 4 months ago

1. Executive Summary

KAI is an AI assistant implemented by DIBkunnskap AS to search its content database and answer customer queries. The underlying model is not trained on DIB content; it grounds its answers in content retrieved from that database. All users have access to the chat and can submit queries to the application via text input.


Depending on the User's input, an answer may be formulated differently from one query to the next.

2. KAI's use of Data

2.1 Who is the data controller for data in KAI?

DIBkunnskap AS is an independent data controller for the personal data collected and processed when using our services. However, the Licensee is an independent data controller for the inputs the User makes in KAI, and it is therefore the responsibility of the individual user to ensure that neither sensitive business information nor personal data is processed in violation of applicable law. Further information can be found in the DIBkunnskap AS general license terms.

2.2 What data is collected in KAI?

KAI stores user information in the form of a User ID, used to distinguish between users. KAI also collects user inputs, which may contain personal information if the user enters it.

2.3 What data is stored in KAI?

A User's input is saved in KAI and remains accessible to that User, allowing them to revisit previous input or ask further questions on the same topic. Content is automatically deleted after 90 days.

2.4 Where is KAI's data stored?

KAI is a cloud-based SaaS solution, which means that data is not physically located at DIB's offices. DIB uses Microsoft Azure in the Norway East and North Europe (Ireland) regions. Data is therefore not processed outside the EU/EEA.

2.5 Who can access data in KAI?

All staff granted privileges in KAI are vetted and security-approved before being allowed access to our development and operations environments. Technical roles responsible for the support and maintenance of KAI can access data to investigate errors and performance issues. Our developers can access anonymized search data to optimize model behavior, selection and performance. DIB has implemented clear role management, procedures and controls, and all privileged access to the platform requires multifactor authentication at user, device and network level.

2.6 What is KAI data used for?

Data in KAI, including the User's input, is used solely to provide an answer to the User. Only if the User provides feedback on KAI's answers will that feedback be used to improve KAI. If a user's input and/or KAI's output is to be used to improve KAI, it is anonymized and decoupled from the individual user before use. See also section 8, Data Retention and Deletion, below.

3. Organizational Controls

3.1 Data Governance Framework

At DIB and Karnov Group we take information security seriously, and an Information Security Board supervises security risks and controls across the group. A Group CISO is appointed to drive the security strategy and monitor compliance. Karnov Group has defined an internal control system that includes technology and security controls. Controls are reviewed quarterly, and the report on their effectiveness is shared with the Board of Directors.

Regular Data Protection Impact Assessments (DPIAs) are conducted for KAI.

3.2 Third-Party Management

Vendors are categorized according to the security risk their services pose to DIB. All medium- and high-risk vendors must complete an information security questionnaire and pass a security review performed by DIB security personnel. The compliance of high-risk vendors is reviewed yearly by DIB; vendor security incidents are tracked, and their impact on DIB information and services is assessed continuously.

3.3 Compliance Auditing

DIB and Karnov Group have a dedicated team that monitors relevant legislation and regulatory changes and implements the resulting requirements, in order to ensure strict compliance with all relevant legislation in our jurisdiction.

4. People Controls

4.1 Access Management

Access control is an essential part of DIB's security strategy. Strong password policies are implemented for customer products, and multifactor authentication is enforced for all internal accounts. Access rights are reviewed periodically.

4.2 Training and Awareness

Security awareness is a key element in how DIB and Karnov Group drives its security strategy. All personnel must complete annual security awareness training.

Phishing simulation tests are conducted several times per year and lessons learned are applied. Quarterly security awareness campaigns focus on emerging threats and best practices.

4.3 AI Ethics and Governance

Karnov Group has a Group AI and Data Ethics Policy, which applies to the whole group, including DIB. A Group AI Instruction is also in place, and regular security testing is performed.

5. Physical Controls

5.1 Office security

Access to DIB office locations is granted to active personnel via an access card. The offices are protected by alarm systems connected to physical security vendors that are available 24/7 to respond to any alarm activation.

5.2 Cloud Provider Security

Microsoft Azure is used for hosting most of the product platforms developed by DIB. The supporting infrastructure is physically located in European datacenters in Norway and Ireland. Physical access to the servers is restricted to authorized Microsoft personnel.

5.3 Data Protection Measures

DIB conducts regular penetration tests of KAI's infrastructure, performed by certified penetration testing professionals.

6. Technological Controls

6.1 AI Model Governance

Karnov Group has established a model risk management framework aligned with the requirements of the EU AI Act and will adhere to it as the Act's obligations come into effect in the EU.

6.2 Azure OpenAI

DIB uses the Azure OpenAI Service, which means that User inputs and outputs are not available to other third parties and are not used to train models, either externally or internally.

Please see the Azure OpenAI Service documentation, in particular its data, privacy and security section, for details of how Microsoft handles prompts and completions.

6.3 Data Minimization and Privacy

DIB applies data minimization techniques, ensuring that only the data necessary to generate the answer to the user is used.

7. Data Security and Privacy

7.1 Encryption and Access Control

All client-to-server and server-to-server communication is encrypted. This means that network traffic cannot be read by third parties while in transit. DIB does not encrypt the data stored in the databases.

Access control for KAI is handled by a dedicated team that manages access control for all internal systems. The KAI backend cannot be accessed from outside the DIB network.

All logins to the KAI systems are logged together with the source IP address and a timestamp.

7.2 Data Isolation

KAI uses logical data isolation to ensure user data is segregated and cannot be accessed by other users.

User inputs are never used for model training or improvement without complete prior anonymization.

7.3 Legal Basis for Processing Personal Data

DIB also processes the data generated by your use of our services on the basis of legitimate interests, cf. Article 6(1)(f) of the General Data Protection Regulation. This information is used to provide our service, for marketing, to improve our IT security, for communication and for the development of our products.

7.4 Data Subject Rights

As a data subject, you have a selection of rights that you can exercise by contacting us at privacy[at]dib.eu or by sending us a letter. Read more about your rights in our Data Protection Policy.

7.5 Handling of Personal Data by Third Parties

KAI is not intended for the processing of personal information, and the processing in KAI therefore does not require personal data to be processed by third parties.

8. Data Retention and Deletion

8.1 Retention Policies

To allow the user to return to a previous interaction and ask follow-up questions, user input and generated output are stored for the individual user for a period of 90 days.


If a user deletes a conversation, its content, including prompts and output, is removed completely. This deletion is irreversible.

9. AI Model Governance

9.1 Model Updates and Quality Assurance

Currently we use a combination of automatic evaluation (an internal benchmark) and human evaluation (performed by domain experts) to measure performance. We evaluate after every update to either the codebase or the LLMs.

9.2 Legal Information Accuracy

Updates to the database of source data are currently close to real-time: when content is updated on the DIB platform, it is available to KAI almost immediately.


10. Compliance and Liability

10.1 Data Breach Notification

DIB will notify the customer without undue delay in the event of a data privacy breach concerning the customer's users.

10.2 Liability and Indemnification

DIB's license terms explicitly state that KAI is an assistive tool and does not replace professional legal advice.

11. Revision log

Version | Valid from | Revision category (New/Update/Wording/None) | Description of main revisions
1.0     | 01.05.2025 | New                                          | Creation of the KAI Compliance Whitepaper
