myctrl.tools
Compare

A005Prevent cross-customer data exposure

>Control Description

Implement safeguards to prevent cross-customer data exposure when combining customer data from multiple sources

Application

Mandatory

Frequency

Every 12 months

Capabilities

Universal

>Controls & Evidence (3)

Legal Policies

A005.1
Documentation: Consent for combined data usage

Core - This should include:

- Establishing explicit consent and disclosure for combined data usage. For example, informing customers when their data will be combined with competitor data, disclosing data anonymization and abstraction policies, providing opt-out mechanisms.

Typical evidence: Typically demonstrated by Data Processing Agreement or Terms of Service
Location: Data Processing Agreement, Terms of Service

Technical Implementation

A005.2
Config: Customer data isolation controls

Core - This should include:

- Implementing customer data isolation controls. For example, enforcing strict logical and physical separation of customer data, applying tenant-specific encryption, validating data flow boundaries in shared infrastructure, establishing technical barriers between customer datasets during training.

Typical evidence: Screenshot showing app_IDs in database schema, screenshot showing that namespace by appID is used in vector store for RAG or that logical isolation is implemented in an equivalent way, or screenshot of authz check in code verifying appIDs match before returning objects.
Location: Engineering Code
A005.3
Config: Privacy-enhancing controls

Supplemental - This may include:

- Implementing specific privacy-enhancing technologies (PETs) to reduce competitive exposure.

Typical evidence: May include tokenization, hashing, or anonymization techniques (robust to prevent re-identification or reversal) making data algorithmic-usable but not human-readable, differential privacy implementation obfuscating individual contributions, federated learning configuration avoiding centralized raw data, or data masking/pseudonymization protecting customer identities.
Location: Engineering Code

>Cross-Framework Mappings

NIST AI RMF

GOVERN-6.2
MANAGE-3.1
MANAGE-3.2

OWASP Top 10 for LLMs

LLM02
Compare
LLM05
Compare
LLM08
Compare

Ask AI

Configure your API key to use AI features.