Trust and security
Witty attaches great importance to the privacy and security of its users.
In this spirit, the trust of our users is more important to us than data collection. However, in order to provide our users with insights and to continuously improve Witty, we do need to collect some data.
To validate the security of our systems, Witty Works is SOC 2 Type II certified. Read more about our information security management here and our responsible disclosure policy here.
On this page, we want to give an overview of:
Data storage
Platform.sh
Platform.sh is used to store the configuration of each organization. For example, we store whether grammar & spelling issues should be highlighted, or whether inclusive terms should be seen. For more details, have a look at the trust center of Platform.sh.
Platform.sh uses the following infrastructure as a service (IaaS) providers:
- AWS: Amazon Web Services (AWS) is the world's most comprehensive and broadly adopted cloud platform, introduced by Amazon in 2006.
- Azure: Azure is a cloud platform introduced by Microsoft in 2010.
- GCP: Google Cloud Platform (GCP) is a cloud platform introduced by Google.
Currently, all the servers Witty uses on Platform.sh are running on Azure. For more details, have a look at the IaaS resources of Platform.sh.
Witty uses the advanced backup plan, which includes data retention for 1 year.
In Witty dashboard we store the email and a chosen name. In addition, we store personal and team preferences and aggregated analytics data.
On the Witty API we store the email and personal and team preferences. Any text analyzed in the browser extension is also sent to the API for processing, but no data is persisted in the API.
Witty exclusively uses data centers within the EU.
Azure ML
Azure ML is used to deploy Witty's custom machine learning model for context-aware false positive detection, which prevents highlighting words that should not be highlighted within a specific context. As a result, this service sees at most individual sentences, and no data is persisted.
This service is hosted in the EU. For more details, review the Microsoft documentation of this service.
Azure AD B2C
Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables customers to register and log in to Witty. The login is needed to store the customization and the settings of each user, e.g. for which webpage Witty should be disabled. In this service we store the email, chosen name and either a password or the single sign-on account issuer (Google or Microsoft).
This service is hosted in the EU. For more details, review the Microsoft documentation of this service.
Amazon Bedrock (coming in Q4)
Amazon Bedrock is used for Witty's opt-in Large Language Model (LLM) based solution for grammatically correct alternatives. For this feature, Witty will send the sentence to Amazon Bedrock and use the LLM to replace the alternative in the sentence while making any necessary adjustments for grammatical correctness. Note that since LLMs are not deterministic, the results may vary, but Witty's prompt aims to limit the variance and the risk of negative side effects as much as possible.
This service is hosted in the EU. For more details, review the Amazon Bedrock FAQ and their more detailed data protection documentation.
Stripe
Stripe is our payment gateway. Credit card information is never seen by Witty Works.
This service is only used for paying subscriptions by credit card. When opening the payment portal from Witty dashboard, an account is created using the email and chosen name. In case of a purchase, the relevant credit card and invoice data is stored at Stripe.
For more details, have a look at the security information from Stripe.
PostHog
PostHog is an open-source product analytics platform. We use PostHog to provide you with statistics about your use of Witty, such as how many terms you or your team have replaced in the last month or what the most commonly used deterrent terms in your organizations are.
We made the conscious decision to move sending data to PostHog from the API to the browser extension, so that users can inspect what data we are storing for increased transparency. We anonymize all URLs, emails and numbers before sending any data to PostHog.
We are also using PostHog to better understand how Witty dashboard is used.
We do not store email or chosen name in PostHog to prevent any risk of casually exposing even portions of text together with such personally identifiable information. All collected data is therefore only associated with a personal and team ID to provide the analytics reports on Witty dashboard.
This service is hosted in the EU. For more details, have a look at the privacy compliance of PostHog.
HubSpot CRM
HubSpot is a Customer Relationship Management tool (CRM). We use HubSpot to track users on Witty's website and on Witty's dashboard, but not when using Witty. We also use the chat functionality to provide support and we use HubSpot CRM to send the onboarding emails and regular mailings.
Aside from the tracking and chat data, we synchronize email and chosen name with Witty dashboard along with aggregated engagement numbers (e.g. team size, how frequently Witty is used) to be able to tailor the onboarding and regular mailings.
This service is hosted in their EU data center. For more details, have a look at HubSpot's security page.
Mailjet
Mailjet is used for sending server-side emails, such as the verification emails during the signup process and invitations, and for any mailings not handled via HubSpot.
This service is hosted in the EU. For more details, have a look at this blog post and privacy policy.
Sentry
Google Analytics
Google Analytics is a web analytics service that provides statistics and basic analytical tools for search engine optimization and marketing purposes. We use Google Analytics to track users anonymously on Witty's website and Witty's dashboard but not when using Witty. For example, we track which content users click on to help us improve the user experience.
For more details, read how Google safeguards your data.
Note: We are looking to reduce our use of Google Analytics.
Productboard
Productboard is an online service that helps product teams understand what customers need, prioritize what to build next, and align everyone around the roadmap.
We use Productboard to create tickets when a user sends us a bug report or asks for a feature. We send the user's email, name, message and attached screenshots to Productboard to be able to understand the needs and to be able to notify the reporting person when the issue has been addressed.
This service is hosted in the USA. Find more information here.
HelpHero
HelpHero is an onboarding tool. We use HelpHero to help during onboarding on the dashboard with targeted product tours, hotspots, and checklists. We send certain data about users to HelpHero, such as whether the person has invited anyone or has a paying account. However, we do not send personally identifiable information like name or email to HelpHero.
This service is hosted in the USA. For more information see their security page.
Data collection
We collect data for two purposes: to improve product content and product quality.
As a key first step for any data we collect, we always filter the data to remove URLs, emails and numbers to reduce the chance of any personally identifiable information being collected.
Improve the product content
We collect data about user interaction. For example, we collect how often a user opens the popup, which alternatives a user accepts or which categories are used most. This helps us understand which parts of Witty generate the most value for users and which parts require work or maybe even need to be removed.
Furthermore, we collect a few words before and after the highlighted term (100 characters) when a user accepts an alternative or chooses to ignore a highlighted term. This allows us to learn in what context a term should or should not be highlighted. Paid users can choose to disable context collection, e.g. if there are legal requirements.
By collecting which alternative users accept, we can also learn in what context which alternative is the most appropriate. We use this information to be able to change the sort order of the alternatives and which alternatives should or should not be listed (we currently limit ourselves to a maximum of 5 alternatives for usability reasons).
Whatever data we collect is never used for automated training of machine learning models. We only use the collected data to identify patterns, but we then manually craft sentences that match these patterns for training purposes.
Improve the product quality
In rare cases of errors or exceptions, we capture a so-called “stack trace” to allow us to better understand what caused the exception in order to fix it. This “stack trace” never contains the user's email address or name, but links to the browser ID. It also contains parts of the submitted text. We remove the “stack trace” data as soon as the issue has been analyzed and fixed. We use the default 90-day retention period. Below is an example of what this may look like:
Data Analytics & Dissemination
On Witty's dashboard, users and teams can access their analytics, such as how many terms were replaced in the last month or what the most commonly used inclusive terms were. These analytics help users and organizations gain insights into their biases and progress. It is important to note that the goal is not to expose individuals. The main goal of Witty is to help people write inclusively.
For this purpose, several steps are taken to protect the privacy of individuals when providing team analytics:
- We collect the data for each user with a randomly generated ID. By default, this ID is not linked to a user or an email address. Users will be able to choose to connect this random ID to their email account in order to get an aggregated view of all of their devices and to prevent losing analytics data because they uninstall the extension.
- Team analytics always provides an aggregated view and never individual user data.
- For small teams (less than 10 weekly active users), users must consent to be included in aggregated team analytics. For more than 10 weekly active users, companies can choose to require opt-in or not, and the setting will be displayed to all users.
How we ensure that we behave ethically
Since the beginning of 2022, we have worked with our own technology ethics board. The purpose of this board is that “Witty Works has all the information it needs to be a shining example of technology ethics from product conception, implementation, and go-to-market strategy”.
Why do we need an ethics board?
The topic of diversity, equity and inclusion requires credibility. We have to make an effort to build trust. In our work on Witty Works products, we're frequently faced with ethical questions and dilemmas, such as how to approach inclusive language or how we build for accessibility. We believe that outside experts are critical to ensure we have the right expertise to handle such questions and, more importantly, that we are held accountable for delivering on our mission in an ethical manner.
What is the ethics board responsible for?
- Reviewing ongoing developments and product roadmap for potential ethical issues
- Advising on how to handle ethical issues
- Publishing relevant information about the ethics board's processes and decisions
If you have ethical concerns, how can you send feedback?
We take ethical concerns or suggestions about language rules from our users seriously. There are two ways to send us your feedback. If you would like to suggest ideas about vocabulary, you can do so here.
If you have ethical concerns, you can write to ethics@witty.works.