Trust Center

Frequently Asked Questions

All questions by category

Data Protection Roles

  • Is Crystal Knows a data controller or processor?

    Crystal Knows acts as a data processor. Our customers act as data controllers. Customers determine how and why the platform is used, what data is entered, who has access, and how outputs are applied. We process data only in accordance with customer instructions and contractual terms.

  • Does using Crystal Knows create new controller obligations for us?

    Most organizations already act as data controllers for systems such as CRM, HR, ATS, and analytics platforms. Using Crystal Knows does not introduce a new category of controller responsibility beyond standard SaaS usage.

  • Are individuals made aware of the processing of their personal data?

    Yes. Customers, as data controllers, are responsible for providing appropriate notices to individuals. Crystal Knows supports this through its privacy documentation and contractual terms.

  • Are individuals asked to acknowledge the Privacy Notice or provide consent?

    Consent and acknowledgment requirements are managed by customers in their role as data controllers, based on their specific use cases and legal obligations.

Transparency and Privacy Notices

  • Do we need to update our privacy notice to use Crystal Knows?

    Crystal Knows does not mandate that customers update their privacy notices. However, customers are responsible for meeting their own transparency obligations under applicable privacy laws. Depending on the use case, you may review your existing privacy notice to confirm it covers the relevant processing or make updates if appropriate.

  • Please provide details of the relevant Privacy Notice.

    Crystal Knows maintains a publicly available Privacy Notice covering the platform and its data processing activities.

  • Who is responsible for informing assessment respondents?

    When customers use assessments, respondents voluntarily provide their information. Customers are responsible for informing respondents of the purpose of the assessment and how results will be used.

  • How does transparency work for prediction use cases?

    For prediction use cases, insights are generated from publicly available professional information and limited identifiers such as work email addresses. Customers determine how transparency requirements apply in their jurisdiction and context.

  • Are users informed that they are interacting with an AI system?

    Yes. Transparency is provided through product interfaces, documentation, and contractual terms, informing users that the system provides AI-assisted insights.

AI System Overview

  • What does the Crystal Knows system do?

    Crystal Knows provides personality-based communication insights to help users tailor how they communicate with others in professional contexts. The system is designed for a specific use case and is not a general-purpose AI platform. It does not rank, score, or make eligibility or employment decisions.

  • Please describe the AI system in terms of its objective and functionality.

    The objective is to provide personality-based communication insights for professional contexts. At a high level, a user supplies input, inference models generate insights, and the outputs are presented to that user for interpretation. The system is hosted on AWS; data is encrypted in transit and at rest. All usage is user-initiated, and the system does not execute autonomous actions. Monitoring covers system availability, reliability, and security, not individual user behavior.

  • What kind of AI or modeling does Crystal Knows use?

    Crystal Knows is built on a proprietary Bayesian statistical modeling framework (not a large language model). The system uses probabilistic inference to estimate likely communication and personality preferences based on observed signals and available professional information. Outputs represent likelihood-based insights and are advisory in nature. Crystal Knows does not operate as a general-purpose generative AI system, chatbot, virtual assistant, or recommendation engine, and it does not train or fine-tune large language models on customer data.

  • What is the AI system category?

    AI System: Other. Crystal Knows is based on a proprietary Bayesian statistical modeling approach rather than a large language model (LLM). Outputs represent likelihoods and confidence-weighted insights, not generated text predictions or conversational responses.

  • Is there human oversight? What is the level of human involvement (Human in the Loop)?

    All interactions with the system are initiated by human users. Outputs are advisory only and require human interpretation and action; the system does not perform automated decision-making or execute actions without human involvement. Human users remain fully in control of how insights are used.

  • Do you use our data to train or fine-tune models?

    No. The platform does not use customer data to train or fine-tune large language models.

  • What performance criteria are defined for the AI system?

    Performance criteria focus on system reliability, availability, stability, and aggregate accuracy of insights. The system is not evaluated based on decision accuracy, as it does not make decisions.

  • How was the AI system evaluated against performance criteria?

    Performance is evaluated through internal testing, monitoring, user feedback, and ongoing review of system behavior at an aggregate level.

Responsible AI Practices

  • What responsible AI principles does Crystal Knows follow?

    Crystal Knows is designed around transparency about system functionality, human oversight and control, purpose limitation, avoidance of automated decision-making that impacts individuals' rights, and ongoing monitoring of system performance at an aggregate level. Documentation and references to these practices are available upon request.

  • Are there any ethical issues with the processing?

    No inherent ethical issues have been identified. The system is designed to provide advisory, assistive insights only. It does not make automated decisions, does not determine outcomes for individuals, and does not operate autonomously. Human users remain fully responsible for interpretation and use of outputs.

  • Is there a reporting channel for errors or ethical concerns?

    Yes. Users can report errors, data quality issues, or ethical concerns through established customer support.

Data Sourcing and Use

  • What data does Crystal Knows process? What information is used to generate the output?

    Crystal Knows processes a limited subset of non-sensitive personal data: first and last name, work email address, job title, role, professional background, and, where relevant, publicly available employment or education information. Crystal Knows does not require, intentionally collect, process, or rely on biometric data, genetic data, health or medical data, government identification numbers, financial or banking data, location tracking data, criminal conviction data, political opinions, religious or philosophical beliefs, trade union membership, data concerning sex life or sexual orientation, dates of birth, salary or compensation data, performance evaluations, credentials or passwords, or other special category personal data.

  • Where is data sourced from? Please provide details of the data sourcing process.

    Data is sourced from user-provided inputs and publicly available professional information. Data is collected through direct user interactions with the platform or derived from publicly available professional sources, subject to contractual and legal safeguards. Crystal Knows does not source sensitive personal data.

  • What third-party data is used to develop the AI system?

    Crystal Knows relies on proprietary datasets, publicly available professional information, and user-provided inputs. Third-party data providers are subject to vendor due diligence and contractual assurances regarding lawful data sourcing, data quality, and intellectual property rights. No third-party datasets are used to make binding decisions about individuals.

  • Has the quality of data used for development been tested and documented?

    Yes. Data quality considerations include relevance, purpose limitation, accuracy at an aggregate level, and ongoing monitoring for model performance and drift. Outputs are probabilistic and advisory, and the system does not claim perfect representation or completeness.

  • How is data accuracy maintained?

    Accuracy is maintained through updates driven by user input, periodic model review, and ongoing system monitoring. Updates occur as new information is provided.

  • Who is responsible for how we use Crystal insights?

    Customers are responsible for ensuring their downstream use of Crystal insights complies with applicable laws and their own privacy commitments.

  • Does the system contain free text fields where users could enter sensitive personal data?

    Yes, the system includes free-text input fields. Users are instructed not to enter sensitive personal data. The system does not require, encourage, or rely on sensitive personal data to function. Standard acceptable use and contractual controls apply.

  • Are prompts or inputs screened or monitored for acceptable use or abuse?

    The system does not perform proactive content monitoring for surveillance purposes. Standard security logging and monitoring apply to protect system integrity and prevent abuse. This approach minimizes unnecessary processing of personal data.

Compliance and Standards

  • Does Crystal Knows comply with industry guidelines or codes of practice?

    Yes. Crystal Knows aligns with applicable data protection principles under GDPR, follows industry-standard SaaS security practices, and holds a SOC 2 Type II attestation report covering its security controls. Crystal also follows responsible AI practices appropriate for assistive, non-decisioning systems.

  • Are controls in place to ensure users have appropriate rights and permissions to enter data?

    Yes. Controls include contractual requirements that customers act as data controllers, role-based access controls, acceptable use policies, and guidance to ensure users enter data in compliance with applicable laws and regulations.

  • Does Crystal Project Inc. use forced labor or engage in modern slavery practices?

    No. Crystal Project Inc. does not use forced labor, child labor, bonded labor, or any form of involuntary servitude in its operations. Crystal operates as a fully remote software company and does not manufacture physical goods or operate facilities involving manual labor. All personnel are employed or contracted voluntarily and in compliance with applicable labor laws. Crystal expects its third-party service providers to comply with applicable labor and human rights laws. Vendor due diligence is conducted in accordance with our Third-Party Risk Management Policy. We support responsible business practices and compliance with applicable modern slavery and human rights regulations.

Security and Infrastructure

  • Do you have a SOC 2 report?

    Yes. Crystal Knows holds a SOC 2 Type II attestation report. The latest report is available in the Compliance section of this Trust Center.

  • Do you undergo penetration testing?

    Yes. We conduct vulnerability scanning and annual penetration testing as part of our governance and monitoring program. A summary and report availability are listed under Compliance.

  • Where is our data stored? Where is the system hosted?

    Crystal Knows is hosted on Amazon Web Services (AWS) in the United States. AWS provides physical and environmental security controls; we apply additional application-level and organizational controls.

  • Does the system allow for local hosting?

    Local or on-premises hosting is not currently supported. The system is delivered as a cloud-based SaaS offering.

  • Is data transmitted or stored outside the country of origin?

    Data may be transmitted to and processed in the United States, subject to contractual safeguards and applicable data protection mechanisms.

  • Where is the disaster recovery location?

    Disaster recovery is implemented within AWS infrastructure in the United States.

  • Who can access our data? Who has access to the data?

    Access to customer data is restricted using role-based access controls and least-privilege principles. Authorized Crystal personnel may access data only for operational, support, or security purposes. Customers control access within their own organizations. Individuals outside the customer organization do not have access unless contractually authorized.

  • What is the potential impact to individuals in case of illegitimate access or loss of data?

    The appropriate classification is moderate impact: the system processes only limited professional contact and background data and does not process financial, biometric, medical, or government identification data.

  • Does the system support logging and auditing of data access and changes?

    Yes. The system maintains logs and audit trails for data access, modification, and deletion in line with security and compliance requirements.

Data Rights and Retention

  • Can you help us respond to data subject access requests? Can personal data be searched, extracted, or exported for DSAR purposes?

    Yes. The system supports searching and exporting relevant personal data to support data subject access requests. Bulk exports are subject to access controls and contractual limitations.

  • Can personal data be provided in a structured, machine-readable format?

    Yes. Data can be provided in commonly used structured formats such as CSV or JSON where required.

  • How long do you retain data? Can we request deletion? What is the retention rule for records and information?

    Data retention is governed by contractual terms and internal data retention policies. Data may be deleted upon request, subject to legal and operational requirements.

  • Will input or prompt data be retained? If yes, for how long?

    Input data is retained only as necessary to provide the service and in accordance with contractual terms and data retention policies. Data may be deleted upon request, subject to contractual and legal requirements.

Governance and Monitoring

  • What governance and continuous monitoring processes are implemented?

    Crystal Knows maintains risk management with annual risk assessments, change management controls, vulnerability scanning and annual penetration testing, incident response procedures, vendor risk management reviews, ongoing security monitoring of system availability and integrity, and periodic review of models and system behavior.

  • Have you had any significant security incidents?

    No significant security incidents occurred during the most recent audited period covered by our SOC 2 Type II report.