Smart Compose Feature – GDPR Compliance Inquiry
I’m currently evaluating the use of your Smart Compose functionality within our application and would like to ensure that it aligns with GDPR requirements, as our users and data are based in the EU.
Could you please clarify the following points:
Data Usage:
Does the Smart Compose feature process or store the content of user emails in any way for learning or model improvement purposes?
Training Data:
Are customer email contents used to train or fine-tune any machine learning models – either globally or per customer instance?
Data Storage & Processing Location:
Are the data processed by Smart Compose exclusively stored and handled within the EU? If not, what legal safeguards (e.g. Standard Contractual Clauses) are in place?
DPA Coverage:
Is the Smart Compose feature explicitly covered by your Data Processing Agreement (DPA), and are subprocessors involved in its delivery listed accordingly?
Opt-out or Control Options:
Is there an option to disable Smart Compose or restrict it from accessing certain types of sensitive content?
We’re aiming for full GDPR compliance and transparency with our users, and we want to ensure that using Smart Compose does not create any unintentional risks.
Looking forward to your clarification.