GEP Trust Centre
- Introduction
- Security
- GDPR
- Cardholder Data
- Product security
- Data security
- Privacy
- Data Processing Q&A
- Incident & management response
- Availability & reliability
- Organisational security
- Infrastructure
- Multi tenant architecture
- Threat management
- Artificial intelligence
Vistra believes that a strong business reputation depends on a robust data protection and information security framework. We view data protection and information security as fundamental components of doing business. We are committed to protecting information assets, personal data, and client information. You may find out more information about our Global Data Protection framework here.
Vistra takes the security of our own and our customers' data seriously and is ISO 27001 certified. For an overview of applicable security measures, please see:
GDPR
Vistra complies with applicable data protection laws. For an overview, please see:
Vistra does not store, process, or transmit any Cardholder Data (CHD) either as part of providing our services or in processing payments from our customers.
In addition, for our own e-commerce services where Vistra is taking credit card payments from our customers and is the merchant of record, we use Stripe to fully outsource the processing of payments.
Audit Logs
Vistra logs and stores every change, every action and every event, including the deletion of data, for easy auditing and root cause analysis.
Multi-Factor Authentication
Vistra customers can choose to use multi-factor authentication for their access to Vistra's service, either by using SAML to integrate with their own identity management system or by using Google or Microsoft SSO.
Also note that Vistra employees use multi-factor authentication for access to all systems containing customer and other sensitive data.
Role-Based Access Control (RBAC)
Vistra lets you set granular access controls to grant and restrict capabilities based on specific roles and authorities.
Google and MS SSO
In addition to SAML SSO, Vistra also supports Google and Microsoft authentication. If a user's Google or Microsoft email address matches their Vistra login address, authentication may be required through Google or Microsoft. Authentication through Google or Microsoft also supports two-factor authentication.
SAML SSO
SAML support is provided on request. Please see this page for guidance on how to configure SAML SSO in your environment.
Data Encrypted At-Rest
All data hosted by Vistra is encrypted. Vistra uses industry-accepted encryption products to protect data at rest, with AES-256 encryption.
Data Encrypted In-Transit
TLS 1.2/1.3 and HTTPS are used to protect data in transit.
Privacy Policy – https://www.vistra.com/privacy-notice
Data Retention Policy
By default, we retain Personal Data about you for 10 years as long as you have an open account with us or as otherwise necessary to provide you with our Services. In some cases, we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation. We may further retain information in an anonymous or aggregated form where that information would not identify you personally.
Data Removal Requests
Vistra supports data deletion requests for both the data we control and the data we process.
Data Privacy Officer (DPO)
Lucy Archer is our Group Data Privacy Officer (DPO). She is responsible for defining and enforcing Vistra’s privacy policies across the company.
Queries and Contact Details
Requests for access, correction, complaints, or other queries relating to how your personal data is processed should be addressed to us via the contact details set out below:
By post:
Group Data Privacy Officer
7th Floor, 50 Broadway, London SW1H 0DB, UK
By email:
[email protected]
By telephone:
+44 20 3872 7310
Incident Response Plan (IRP)
Policies and procedures for operational and incident response management require incidents to be logged and reviewed with appropriate action (e.g. system changes) taken if necessary.
A formal incident response plan and standard incident reporting form are documented to guide employees in the procedures to report security failures and incidents. The incident response plan enforces a process of resolving and escalating reported events. Its provisions include consideration of needs to inform internal and external users of incidents and advising of corrective actions to be taken on their part as well as a “post mortem” review requirement.
Auto Scaling
Vistra’s global entity platform leverages AWS Elastic Beanstalk for deploying and autoscaling our application.
Service Monitoring
Vistra utilises tools that measure processing queues to verify the timeliness of processing incoming data while monitoring real-time results. Data lost during processing is detected and automatically generates an alert to the Engineering team, which addresses the alert. When processing errors occur within Vistra’s application, the change management process is followed: a change ticket is initiated and the error is investigated and resolved.
- Employee Background Screenings and Confidentiality Agreements
- Regular Security Training for Employees
- Limited Access and Principle of Least Privilege
- Physical Access Control to Office Locations
AWS employs industry-leading security controls and is extensively audited, holding multiple certifications including SOC 2 Type II, ISO 27001, PCI DSS, and FedRAMP. For more information about their security practices, see below:
AWS TRUST CENTRE - https://aws.amazon.com/compliance/
Data submitted to Vistra and to Vistra’s application is processed and stored in a secure, multi-tenant environment. Logical segmentation techniques, such as a separate namespace for each customer, are used to prevent commingling of customer data.
ISO 27001 - Data Center
Vistra itself is ISO 27001 certified, and our services are built upon Amazon Web Services platform services and hosted in AWS’s data centre facilities. Amazon Web Services is also ISO 27001 certified; more details about their compliance can be found here.
Penetration Testing
On at least an annual basis, Vistra undergoes third-party penetration testing using well established consulting firms. Management addresses all vulnerabilities identified within defined timeframes based on severity level. A summary of the annual penetration test report can be provided under NDA.
Vulnerability Scanning
On at least a weekly basis, Vistra executes vulnerability scans to detect vulnerabilities in Vistra’s application. Dynamic and Static Application Security Testing (DAST and SAST) tools are used to conduct these scans.
Security, Privacy, and Ethics Principles for AI
Guided by our core values, our AI principles reflect our commitment to innovation and the safe, responsible, and ethical use of artificial intelligence with the Vistra Platform.
- AI Governance: Vistra will be a responsible steward of our customers’ and their users’ data throughout the AI model development lifecycle. AI capabilities are built using Vistra’s established security and privacy frameworks, combined with ensuring fairness, accountability and human oversight of outputs generated by AI solutions. Data will only be collected, used, and stored in alignment with individual privacy rights and preferences and fundamental rights, and will be segregated from other customers' data.
- Customer-Centric Approach: Vistra's AI systems will be designed and developed to elevate our customers' and their end users' experience with software, focusing on identifying opportunities for optimisation, personalisation, and enhanced usability. Vistra will actively seek feedback from customers to inform the development of AI-powered features.
- Transparency and Open Communication: Vistra is committed to AI transparency and will openly communicate with our community about the AI features that we develop and deploy within our services. We will ensure our customers understand and are informed about the presence, capabilities, and limitations of AI-powered features and functionalities.
- Optionality and Customisation: Vistra customers are in control of how they want to leverage AI in Vistra services. We understand that customers have diverse needs and preferences. Our AI features are optional and customisable, allowing customers to modify, fine-tune, or opt out as they see fit.
- Compliance with Legal and Regulatory Frameworks: Vistra will comply with all applicable laws, regulations, and standards governing AI development and deployment, promoting a culture of legal and ethical responsibility.
- Fairness and Equity: Vistra will actively work to identify and mitigate potential biases throughout the model development lifecycle, ensuring fair and equitable product experiences for all users.
- Thought Leadership: Vistra recognises the importance of staying at the forefront of technological advancements and will actively seek opportunities to push the boundaries of innovation. By fostering a culture of continuous learning and exploration, we aim to become a leading voice in the industry.
- Setting the Tone from the Top: Vistra’s executive team is engaged, sets our goals and is accountable for ensuring these principles are implemented and followed throughout all uses of AI technologies in our services and internal processes.
Vistra AI 2024: Security & Privacy FAQ
At Vistra, performance, security, and data privacy are first-order considerations, the north star for how we design our products and policies as an organisation. We understand that artificial intelligence is a new and unfamiliar technology, and that you, a Vistra customer, may have questions about our 2024 launch of AI-powered products and features. You can learn more about our security and privacy practices related to this launch below and, as our practices evolve, we will strive to continue to provide you with such transparency.
Vistra AI Products: AI Technologies Used
Task Wizard, Amazon Bedrock, Anthropic Claude, Amazon Sagemaker
Vistra AI Q&A
Q: Has Vistra developed its own AI technology, or is it using AI technologies provided by third party service providers?
A: Vistra is mainly using Amazon Web Services (AWS) technologies, namely LLMs offered within Amazon Bedrock, a fully managed service that makes foundation models from leading AI startups and Amazon available via an API, and potentially Hugging Face models that will run on Amazon SageMaker.
Q: Are you training models using my company's product usage data?
A: Yes. Your company’s usage data will be used to fine-tune Vistra’s LLM and not any models that are available to any organisation outside of Vistra. This is done to create a product that can better serve your needs.
Q: Are you sure that Vistra is not using my company’s product usage data to train any large language models or other artificially intelligent tools? If so, how are you using our data?
A: As above, Vistra will use your company’s product usage data to fine-tune our proprietary LLM. However, all foundation models (FMs) available through Amazon Bedrock are hosted directly on AWS infrastructure managed and owned by AWS. Model providers do not have access to customer data such as prompts and continuations, or Amazon Bedrock service logs. Additionally, Amazon Bedrock doesn't store or log your prompts and completions. Amazon Bedrock doesn't use your prompts and completions to train any AWS models and doesn't distribute them to third parties.
Q: Will I be able to choose if and when I make use of Vistra’s AI-powered products? Or will my company’s data be processed by these AI-powered products the moment that Vistra launches them?
A: If you are an administrative user, when you go into Vistra you can use the left-hand navigation to access your subscription Settings page. There you can learn more about each of Vistra’s AI-powered products, which AI technology is in use and which third-party service provider (if any) is providing it, and choose to opt into or out of each product individually, or of a set of products based on the provider. Go to our AI Features Support page for more information on how to do so.