Generative AI & data privacy: What to look for in an AI vendor

Srinath Sridhar
August 9, 2024

TL;DR

AI is changing the game for sales. It's opening doors we never knew existed, helping us tap into data in ways that seemed like science fiction just a few years ago. With these AI-powered tools, we're not just working harder - we're also working smarter. But here's the thing: as we embrace this AI revolution, we can't forget about the elephant in the room: data privacy.

We aren’t just talking about following rules and ticking boxes here. This is about protecting our customers, our companies, and — yes — ourselves. As we dive into this AI-powered future, choosing the right vendor isn't just a tech decision: it's a trust decision. We need partners who can deliver cutting-edge solutions while treating our data with the respect it deserves. In this article, we’ll arm you with the information you need to navigate these choppy waters, helping you ask the right questions and identify vendors who take data privacy as seriously as you do.

Key takeaways from the article:

  • Certifications matter: Look for vendors with industry-standard certifications like SOC 2 and GDPR compliance. These aren't just badges; they're tangible proof of a vendor's commitment to data security.
  • Less can be more: The best AI systems don't need mountains of data to be effective. Seek out vendors who can deliver results with minimal information, reducing your exposure and respecting privacy boundaries.
  • Data retention policies are crucial: Opt for vendors with clear, stringent data retention and deletion protocols. Automatic data purging and encrypted storage are hallmarks of responsible data management.
  • Integration security is non-negotiable: Your AI solution should seamlessly and securely integrate with your existing tech stack. Look for vendors who prioritize encrypted data transfers and respect your CRM's permission settings.
  • Ask the right questions: When vetting vendors, don't be afraid to dig deep. Inquire about their access controls, incident response plans, and AI training practices. A reputable vendor will welcome these questions and provide transparent answers.

Generative AI (genAI) is already revolutionizing the sales landscape, offering unprecedented opportunities to leverage data in ways that were once unimaginable. It's helping reps work smarter and faster than ever before. For sellers looking to stay ahead of the curve, understanding this powerful technology is no longer optional—it's essential.

But with great power comes great responsibility — especially when it comes to data. As you evaluate vendors for AI sales prospecting solutions, it's crucial to consider their approach to data privacy. 

In this article, we’ll explore five fundamental criteria you should use to assess potential AI solutions, ensuring they meet essential data protection standards and align with your security requirements. At the end, we’ll share some example questions about different elements of data privacy and security that you can ask during conversations with vendors. Armed with this information, you’ll have an easier time separating the wheat from the chaff and be able to identify the vendors that take data privacy and protection as seriously as you do.

Without further ado, let’s dive in.

Evaluation criterion #1: Certifications & guarantees

When it comes to data privacy, the vendor’s certifications and guarantees provide tangible (and explicit) evidence of their commitment to protecting your information. 

Here are some basic “credentializing” criteria you should keep an eye out for when vetting AI vendors:

  • Confidentiality guarantees: Your proprietary data should be handled with the utmost confidentiality.
    • Make sure your vendor has clear policies on how they protect and manage your sensitive information.
  • Industry-standard certifications: SOC 2 and GDPR compliance should be a must-have.
    • These certifications underscore a vendor's commitment to unparalleled data security.

Evaluation criterion #2: Data sourcing procedures & policies

Understanding how an AI prospecting solution obtains and manages data is critical to ensuring ethical and compliant practices. 

Here are some basic data sourcing-specific criteria you should keep an eye out for when vetting AI vendors:

  • Minimal data requirements: There are a lot of companies out there that claim that they have more data so their AI is inherently “better.” However, that’s a myth: a good AI system should be able to do a high-quality job with the least amount of information possible.
    • The part of an AI Agent that requires massive amounts of data is the language component, which is powered by the large language model (LLM) that the Agent sits on top of, like OpenAI’s GPT or Anthropic’s Claude. Those LLMs are so advanced that fine-tuning them with extra proprietary data does not materially improve performance.
    • The place where data is king is in how good an Agent is at learning from its real-time interactions with your prospects and adjusting its tempo and messaging accordingly. 
    • Many solutions – including Regie.ai – can start with just an email address. This simplicity ensures that your prospecting process respects privacy while remaining highly effective.
  • Persona development: You can get a lot of useful information about the prospects’ roles and personas without needing to get into their personal information.
    • Ideally, AI vendors should be able to build high-quality personas using the least amount of information about a prospect; many really only need a job title to get the job done. 
    • This allows for more relevant outreach without getting too personal. By focusing on job titles, these systems can craft nuanced personas that allow for targeted, personalized outreach while complying with stringent data protection standards.
  • Third-party data sources: Good AI vendors often use reputable third-party data sources like Apollo.io and ZoomInfo for prospect data.
    • This approach means that you – the customer – aren’t responsible for providing this sensitive information, thereby limiting your exposure in the event of a data breach.


Evaluation criterion #3: Data retention policies & protocols

A crucial aspect of data privacy is how long and in what manner AI vendors store your information. 

Here are some basic data retention-specific criteria you should keep an eye out for when vetting AI vendors:

  • Automatic data purging: The best AI systems will delete unnecessary data without you even having to ask.
    • This simplifies your data management process and ensures no unnecessary data accumulation. 
    • Ultimately, this means that you won’t have to micromanage data deletion requests for either third-party or first-party data: your vendor will handle it all, removing the burden from your internal processes.
  • Clear data retention policies: Ideally, AI systems should have strict policies in place that guide the retention of third-party data.
    • For example, Regie.ai’s policy is that we retain third-party data only for as long as necessary to serve our customers’ prospecting needs or for a maximum of 30 days – whichever comes first.
    • This applies to both prospecting data and any custom fields pulled from your CRM.
  • Ethical audience expansion: The best AI solutions are set up to help you find new prospects that are similar to your existing leads, but delete that data within a reasonable period of time (typically 30 days).
    • This approach allows for responsible data use while respecting privacy concerns.
  • Data encryption: Look for AI vendors who have procedures in place to rigorously encrypt your data.
    • Some solutions may even use an advanced encryption approach in which a key (managed by a third party like Amazon) is needed in order to decrypt the data.
    • In these scenarios, your AI vendor would retain exclusive access to the decryption key, ensuring that even if a physical drive were to be compromised, the data would remain inaccessible without the key.
  • Secure storage: Ideally, your AI vendor would also have policies or procedures in place to safeguard your data, both in transit and at rest.
    • Some vendors use database management systems like MongoDB for their flexibility and robust security features.
  • Strict data removal protocols: When a piece of data is no longer needed — or you make a specific request for its deletion — your AI vendor should be able to remove it from their database accurately and completely.
    • This should be a straightforward process, giving you more control over your information. 

BONUS: Advanced AI data retention policies

We know there are a lot of questions that come up about whether AI systems can “learn” from previous queries, and if that information gets shared with other customers who use the same vendor. 

If these are concerns you have, make sure to look out for vendors who have either (or both) of the following types of policies in place:

  • Zero-data retention (ZDR): This type of policy means that once your query is answered by their solution, all traces of it disappear.
    • This should help address any concerns about data training and long-term storage.
  • Zero-shot prompting (ZSP): This type of policy means that each interaction that your prospects have with a third-party LLM provider — like OpenAI or Anthropic — is treated as brand new.
    • This means that the third party’s model never learns from your data and, more importantly, there isn’t any data carryover. This ensures that your proprietary data isn't used to train the AI for future interactions with other customers.
    • Your AI vendor should provide a custom model specific to your business for other functions of the agent, and all of that data is 100% confined to your company. No other company has access to another company’s model or data.
    • Think about it this way: Your business and market are unique, so the only information that’s really valuable for the agent to learn from is information about your specific prospects anyway; it wouldn’t be helpful for the agent to take in information about other businesses’ prospects because they’d have different needs and pain points that don’t align with those of your own prospects.

If a vendor has either or both of these policies in place, it indicates that they’re committed to using your data responsibly and are taking active measures to address concerns about data training and retention head on.


Evaluation criterion #4: Support for ABM strategies

For account-based marketing (ABM), less is often more. 

Here are some basic ABM-specific criteria you should keep an eye out for when vetting AI vendors:

  • Minimal data requirements: For ABM campaigns, good AI vendors only need account names and email domains, and should steer clear of any deeper proprietary details or sensitive information.
    • This focused approach ensures efficiency without compromising security or privacy.
  • Focused prospecting: Look for systems that can use your existing lead or contact lists to identify and target additional, similar prospects – all without needing to access more sensitive deal information. 
  • Limited data access: Ensure that the AI vendor doesn't have access to detailed proprietary information like deals, account history, or other proprietary data about active accounts.
    • That information should remain securely within your CRM and under your control. 
    • The only information your AI solution should be given is the account names and email domains necessary to execute targeted ABM campaigns – and that should be provided by you directly.
  • Stringent retention & removal policies: Ideally, your AI vendor should have policies in place that guide the storage and removal of any information tied to your ABM campaigns.
    • For example, a typical policy would include a 30-day storage period for any downloaded data, after which it’s automatically deleted from their systems.

Evaluation criterion #5: Tech stack integrations

Your AI solutions should play nice with your existing tech stack. 

Here are some basic integration-specific criteria to keep an eye out for when vetting AI vendors:

  • Integrations with commonly used platforms: Look for secure connections with common sales tech and CRM platforms like Salesforce, Outreach, Snowflake, and Marketo.
  • Data encryption & security protocols: Make sure that your AI vendor has procedures in place to allow for the secure flow of data between their system and the rest of your tech stack.
    • Encrypted data transfers are a must, ensuring data integrity across all platforms.
    • Whether it's pulling data for analysis or pushing insights and actions back into these platforms, every data transaction is encrypted and handled with the highest standards of security. 
    • This includes utilizing secure APIs and adhering to the data privacy regulations that govern each system.
  • Observe CRM permission settings: The AI vendor should respect existing permission settings in your CRM.
    • For example, it should integrate as a user in Salesforce with carefully controlled access to only the necessary fields.
  • Precision access control: The best systems allow you to fine-tune permissions, ensuring the AI only accesses the data necessary to perform its functions — such as email addresses and company domains — without exposing any sensitive or confidential information.


30+ questions to ask AI vendors about their data privacy protocols

We know that vetting tech vendors isn’t a favorite activity for most people. There’s so much to think about and so many details to keep track of. 

To help you out, we’ve compiled a list of questions – organized by the specific criteria they address – that will help you get a better sense of how your prospective vendors handle data privacy and security.

Ultimately, the goal is that these questions will help you determine the level of commitment each vendor is making towards keeping your data – and more importantly, your customers’ data – as secure as possible.

Let's dive in.

Access controls

Look for vendors that implement strict access controls, which can enable you to limit who can view or manipulate your data within their systems. 

Here are three questions you can ask to better understand how they approach this:

  • How do you manage user access to our data?
  • Do you support multi-factor authentication?
  • Can we set custom access permissions for different team members?

Customizable privacy settings

Look for solutions that allow you to tailor privacy settings to your specific needs and risk tolerance. 

Here are three questions you can ask to better understand how they approach this:

  • Can we customize data retention periods?
  • Are there options to limit data sharing or processing?
  • Can we control which features of the AI have access to our data?

Data backup & recovery

Verify that the vendor has reliable backup systems and can quickly recover your data in case of system failures. 

Here are three questions you can ask to better understand how they approach this:

  • How often is our data backed up?
  • Where are backups stored?
  • How long does data recovery typically take?

Data encryption

Ensure the vendor uses robust encryption methods to protect your data both in transit and at rest. 

Here are three questions you can ask to better understand how they approach this:

  • What encryption standards do you use?
  • How do you manage encryption keys?
  • Is data encrypted end-to-end, including during processing?

Data isolation

Ensure your data is kept separate from that of other customers to prevent accidental exposure or cross-contamination. 

Here are three questions you can ask to better understand how they approach this:

  • How do you isolate our data from other customers’?
  • Do you use multi-tenant or single-tenant architecture?
  • What safeguards prevent data leakage between customers?


Data portability

If you ever have to switch to another vendor, you want to know how easy (or hard) it’ll be to export your data and transfer it to your new solution. 

Here are three questions you can ask to better understand how they approach this:

  • In what format can we export our data?
  • Are there any limitations on data export?
  • Do you provide support for data migration to other platforms?

Data retention & deletion

It’s important to understand how long the vendor retains your data, and what happens to it after you stop using their service. 

Here are three questions you can ask to better understand how they approach this:

  • How long do you keep our data?
  • Can we request complete deletion of our data?
  • How do you ensure data is securely and completely erased?

Incident response plan

Ensure that the vendor has robust incident response plans in place for handling data breaches, as well as other types of data security incidents. 

Here are three questions you can ask to better understand how they approach this:

  • What is your incident response process?
  • How quickly do you notify customers of potential breaches?
  • What support do you provide in the event of a data breach?

Regulatory compliance

Verify that the vendor you're evaluating complies with relevant data protection regulations like CCPA, GDPR, HIPAA, or industry-specific standards. 

Here are three questions you can ask to better understand how they approach this:

  • Which data protection regulations do you comply with?
  • How do you ensure ongoing compliance as regulations evolve?
  • Can you provide documentation of your compliance?

Security audits

Look for vendors who conduct regular security audits and are willing to share the results. 

Here are three questions you can ask to better understand how they approach this:

  • How often do you conduct security audits?
  • Are these audits performed by independent third parties?
  • Can you provide recent audit reports?


Third-party integrations

Does the AI solution play nice with other tools? If so, does it integrate with them in a way that enhances the security of your data? 

Here are three questions you can ask to better understand how they approach this:

  • How do you vet third-party integrations for security?
  • Can we control which integrations have access to our data?
  • How is data protected when shared with integrated services?

Transparency in AI decision-making

Seek out vendors who can explain how their AI makes decisions, especially when it comes to using or processing your data.

Here are three questions you can ask to better understand how they approach this:

  • Can you explain how your AI uses our data to make decisions?
  • Is there an audit trail for AI actions involving our data?
  • How can we verify the AI is using our data as intended?

Transparency in AI training

Understand how the vendor trains their AI models and whether they use customer data for this purpose. 

Here are three questions you can ask to better understand how they approach this:

  • Do you use customer data to train your AI models?
  • If so, how do you ensure privacy and prevent data leakage?
  • Can we opt out of having our data used for training purposes?

Final thoughts

As sellers, we're always looking for an edge. AI gives us that edge, but it's up to us to use it responsibly. By choosing solutions and vendors that prioritize data security and privacy, we're not just protecting ourselves: we're building trust with our customers and prospects. This trust is the foundation of every great business relationship.

The future of sales is AI-powered, but it doesn't have to come at the cost of privacy or security. By understanding these best practices and demanding them from our tech partners, we can harness the power of AI while keeping our data—and our relationships—safe and sound. So go forth, sell smarter, and remember: in the world of AI, being secure is just as important as being cutting-edge.
