|
| 1 | +# AI Usage and Data Handling Guidelines |
| 2 | + |
| 3 | +WSO2 Integrator: BI provides an AI-powered Copilot to enhance developer productivity. This page explains how the Copilot works, how user data is handled, and what best practices organizations should follow when using AI features. |
| 4 | + |
| 5 | +These guidelines are designed to ensure transparency, security, and compliance when using AI-powered assistance in enterprise environments. |
| 6 | + |
| 7 | +## Macro architecture |
| 8 | + |
| 9 | +The AI Copilot is integrated into the WSO2 Integrator: BI developer experience. It works as follows: |
| 10 | + |
| 11 | + <a href="{{base_path}}/assets/img/references/ai-usage/macro-architecture.png"><img src="{{base_path}}/assets/img/references/ai-usage/macro-architecture.png" alt="AI Macro Architecture" width="70%"></a> |
| 12 | + |
| 13 | +- **AI Copilot Code**: Delivered as a Visual Studio Code (VS Code) extension, providing in-editor assistance such as code completion, explanations, and suggestions. |
| 14 | +- **Language Server**: Powers intelligent features inside the IDE, including syntax awareness and integration with Copilot services. |
| 15 | +- **BI Intelligence Endpoint**: A lightweight intermediary service that connects the extension to Anthropic or Bedrock models. This service does not retain data. |
| 16 | +- **Anthropic or Bedrock Integration**: The endpoint forwards user prompts and context to the selected Large Language Model (LLM) provider for processing. |
| 17 | + |
| 18 | + |
| 19 | + |
| 20 | +## Authentication |
| 21 | + |
| 22 | +To maintain security, all AI Copilot features require authentication: |
| 23 | + |
| 24 | +- Users must log in to enable Copilot functionality. |
| 25 | +- Social login options are supported for ease of use. |
| 26 | +- Authentication and session management are handled by [Asgardeo](https://wso2.com/asgardeo/), WSO2’s identity provider. |
| 27 | + |
| 28 | +This ensures that only authorized users in your organization can access Copilot features. |
| 29 | + |
| 30 | +## Data flow |
| 31 | + |
| 32 | +The movement of data through the Copilot is designed for zero-retention at the intermediary layer: |
| 33 | + |
| 34 | + <a href="{{base_path}}/assets/img/references/ai-usage/ai-data-flow.png"><img src="{{base_path}}/assets/img/references/ai-usage/ai-data-flow.png" alt="AI Macro Architecture" width="70%"></a> |
| 35 | + |
| 36 | +- **Direct Forwarding**: BI Intelligence forwards user data directly to Anthropic for processing |
| 37 | +- **No Local Storage**: BI Intelligence does not store any user data locally |
| 38 | +- **Real-time Processing**: All data handling occurs in real-time without persistent storage at the BI Intelligence layer |
| 39 | + |
| 40 | +## Bring your own key (BYOK) |
| 41 | + |
| 42 | +Organizations can configure the Copilot to run using their own model provider accounts. This ensures enterprise-level control over data governance and billing. |
| 43 | + |
| 44 | +### Anthropic deployment |
| 45 | +- Copilot can connect directly to Anthropic’s public deployments. |
| 46 | +- Requires an Anthropic API key that you provide. |
| 47 | +- This setup ensures that data flows directly between your environment and Anthropic without WSO2 retaining it. |
| 48 | + |
| 49 | +### Amazon Bedrock |
| 50 | +- Copilot can also run using Claude models deployed on Amazon Bedrock. |
| 51 | +- Requires an active Claude deployment in your Amazon Bedrock environment. |
| 52 | +- Users must provide their own access keys for connectivity. |
| 53 | + |
| 54 | +## Ballerina copilot code |
| 55 | + |
| 56 | +The Copilot is open source, enabling transparency and community contribution: |
| 57 | + |
| 58 | +- The full source code is available for inspection, download, and modification. |
| 59 | +- This allows organizations to validate the behavior of the Copilot. |
| 60 | +- Enterprises can also extend the code to adapt to custom compliance needs. |
| 61 | + |
| 62 | +This openness ensures that security-conscious users can audit how prompts and data are handled. |
| 63 | + |
| 64 | +## Feedback data |
| 65 | + |
| 66 | +To improve the Copilot experience, user feedback may be collected. |
| 67 | + |
| 68 | +**Retention period** |
| 69 | + |
| 70 | +- Feedback data (such as thumbs up/down ratings) is retained for 1 week only. |
| 71 | +- After 1 week, feedback records are permanently deleted. |
| 72 | + |
| 73 | +**Collection scope** |
| 74 | + |
| 75 | +- Feedback is collected only when a user explicitly provides it. |
| 76 | +- No hidden or passive data collection is performed. |
| 77 | + |
| 78 | +**Transparency** |
| 79 | + |
| 80 | +- The feedback interface clearly explains what is being collected and why. |
| 81 | +- Users always have control over whether to provide feedback. |
| 82 | + |
| 83 | +## Guidelines |
| 84 | + |
| 85 | +When using AI features, organizations must apply standard security and compliance practices. |
| 86 | + |
| 87 | +### Data usage policies |
| 88 | +- All operations are subject to the [Anthropic Data Usage Policy](https://privacy.anthropic.com/en/articles/7996866-how-long-do-you-store-my-organization-s-data) or the chosen model provider’s terms. |
| 89 | +- WSO2 ensures that the Copilot does not bypass these policies. |
| 90 | + |
| 91 | +### Organizational data storage |
| 92 | + |
| 93 | +How long do we store your organization's data? |
| 94 | + |
| 95 | +We follow a zero-retention policy at the BI Intelligence level - your organizational data is not stored by our intermediate services. |
| 96 | + |
| 97 | +### Best practices |
| 98 | + |
| 99 | +To ensure maximum security and privacy, we recommend avoiding sending organizational-specific details such as: |
| 100 | + |
| 101 | +- Customer personal information |
| 102 | +- Passwords or authentication credentials |
| 103 | +- Proprietary business data |
| 104 | +- Sensitive internal communications |
| 105 | + |
| 106 | +General Copilot Best Practices are as follows. |
| 107 | + |
| 108 | +- Review all AI-generated code before implementation |
| 109 | +- Be mindful of what information you include in prompts |
| 110 | +- Use generic examples rather than real data when possible |
| 111 | +- Follow your organization's data governance policies |
| 112 | + |
| 113 | +## Data retention summary |
| 114 | + |
| 115 | +| Data Type | Retention Period | Notes | |
| 116 | +|---------------------------------|------------------------------|----------------------------------------------------------------------| |
| 117 | +| Code Prompts & Responses | Not stored by BI Intelligence | Forwarded directly to Anthropic or Bedrock | |
| 118 | +| User Feedback | 1 week | Retained only when explicitly provided by the user | |
| 119 | +| Authentication Tokens | Session-based | Managed securely by Asgardeo | |
| 120 | +| Organizational Data | Not stored | Zero-retention policy at BI Intelligence | |
| 121 | + |
| 122 | + |
| 123 | + |
| 124 | + |
0 commit comments