This article provides an overview of how SecurityScorecard uses AI across its existing products and our approach to building AI-powered products.
Our guiding principle is human-led, AI-powered. Our products empower people to excel in their roles while keeping them firmly in control.
ChatSSC delivers fast, insightful answers and recommendations related to your scorecard, along with security insights into your vendors.
Note: ChatSSC is available to paid customers, but is entirely optional to use. SecurityScorecard does not train AI models on your data. Additional details about the models and data handling for ChatSSC can be found below.
ChatSSC (Chatbot)
Model specifications
-
Name of Model(s) Used: Claude 4.5 Haiku
-
Model Version Number:
anthropic.claude-haiku-4-5-20251001-v1:0
- Version description: Claude 4.5 Haiku was selected for its strong performance on complex document analysis tasks. If we upgrade to a newer version, changes will be documented alongside regression tests focused on hallucination rate, output consistency, and coverage accuracy against a validation dataset.
Data privacy and training
-
How is the model trained?
Claude 4.5 Haiku is a pre-trained foundation model developed by Anthropic. We do not use any internal or proprietary data to train or fine-tune the model. However, internal data is used at inference time as part of the prompt context to enable accurate, relevant responses.
-
Where are the models stored?
The model is accessed via AWS Bedrock in the US-East-1 and is not stored locally. Input and output data are not used for training or fine-tuning the model. Amazon guarantees this as part of its data privacy commitments.
-
Restrictions of external data/model/algorithm use.
We use Anthropic's Claude 4.5 Haiku via AWS Bedrock in US-East-1, which guarantees that user data is not used for model training or fine-tuning. Data is processed transiently for inference only, and the model operates within the strict governance and isolation of the Bedrock environment.
-
Where is the output data stored, and will it be retained for future use?
The output consists of AI-generated answers to security questionnaires. These inputs and outputs may be retained for purposes such as auditability, compliance tracking, and prompt engineering.
Risk, monitoring, and governance
-
Potential risks.
Potential risks include inaccurate or incomplete answers due to hallucination or model misinterpretation of the data. There's also a risk that model limitations may not capture subtle nuances of compliance. These are mitigated through human-in-the-loop validation and regular evaluation.
-
Ongoing monitoring in place to ensure performance and safety.
We have implemented comprehensive logging of prompts and outputs to support auditing and manual review. A curated set of test inputs is used to regularly evaluate output accuracy, allowing us to track drift and hallucination rates over time. This monitoring process ensures early detection of potential issues and helps maintain consistent model performance and reliability in production.
-
Third-party AI governance processes and ensuring the integrity of the solution.
AWS Bedrock enforces strong security, data isolation, and compliance frameworks. Claude 4.5 Haiku is governed under Anthropic’s Responsible AI policies, which include extensive pre-deployment testing, red-teaming, and refusal mechanisms to reduce harmful or misleading outputs.
-
Do you have monitoring and reporting mechanisms in place to ensure ongoing compliance of the third-party solution?
Yes, we have automated logging of all interactions with metadata, periodic performance evaluation, and alerts for significant deviations from expected outputs. A feedback loop with researchers and end users will also support continuous improvement.