Spacewell AI Assistant: Security, Privacy & Compliance

Executive Summary

The Spacewell AI Assistant brings natural language capabilities to Spacewell products, enabling users to find information, complete tasks, and interact with workplace and facility data more efficiently.

Because the assistant processes customer data, security, privacy, and compliance are fundamental design principles. The AI Assistant has been built according to the same enterprise-grade standards that govern all Spacewell cloud services.

Key Facts

TopicSummary
Data residencyAll AI processing takes place within the European Union
AI providersGoogle Vertex AI with enterprise-grade models from Google and Anthropic
Model trainingCustomer data is never used to train or fine-tune AI models
Access controlThe AI Assistant fully inherits Spacewell's existing permissions and RBAC model
Data isolationCustomer environments remain fully isolated
GDPRProcessing is covered by Spacewell's GDPR framework and Data Processing Agreement
RetentionOperational logs follow Spacewell's standard retention policies (currently 24 months)
Additional licensingNo separate AI consumption charges for customers
Fine-tuning requiredNo customer-specific training or fine-tuning required
Customer-managed AI infrastructureNot required
Autonomous decision makingNot supported, users remain in control

AI Models & Architecture

Which AI models power the Spacewell AI Assistant?

The Spacewell AI Assistant uses enterprise-grade Large Language Models (LLMs) accessed through Google Vertex AI.

Depending on the use case and product capability, Spacewell may utilize models from Google and Anthropic.

The underlying model providers may evolve over time as AI technology advances. Regardless of the model used, the same privacy, security, and compliance commitments described in this article remain applicable.

How does the AI Assistant generate responses?

Unlike public AI tools that rely heavily on general internet knowledge, the Spacewell AI Assistant is designed to operate on customer-specific business data.

When a user submits a request:

  1. The assistant interprets the user's question.
  2. Relevant information is retrieved from the user's authorized Spacewell environment.
  3. The AI model generates a response based on that information.
  4. The answer is returned to the user.

The assistant is designed to be grounded in customer data rather than generating responses from external sources.


Data Processing & Data Residency

What data can the AI Assistant access?

The AI Assistant can only access information that the current user is already authorized to access within Spacewell.

Depending on the product, this may include:

  • Reservations
  • Occupancy information
  • Locations, buildings and floors
  • Spaces and resources
  • Contact groups
  • Asset information
  • Maintenance information
  • Other product-specific data available to the user

The assistant never receives broader access than the user already has.

What data cannot be accessed?

The AI Assistant cannot access:

  • Data hidden by role or permission settings
  • Information outside the user's scope
  • Data protected by tenant-level restrictions
  • Information that has been anonymized according to customer policies

If a user cannot access information through the standard application, they cannot access it through the AI Assistant.

Where is the AI Assistant hosted?

The AI Assistant operates entirely within the European Union on Google Cloud infrastructure.

All AI-related processing remains within EU-hosted environments.

No customer data is transferred outside the European Union for AI processing.

Is customer data stored by the AI Assistant?

The AI Assistant processes information required to answer a user's request but does not create a separate customer database.

Conversation content is not retained as a knowledge source for future responses.

Operational logs are maintained for security, support, audit, and service improvement purposes in accordance with Spacewell's standard retention policies.

How long is data retained?

Operational logs are currently retained for up to 24 months.

Customers may request deletion of AI-related operational data through their Spacewell Customer Success representative, subject to contractual and legal obligations.


Privacy & Model Training

Is customer data used to train AI models?

No.

Customer data is never used to train, fine-tune, or improve any AI model.

This includes:

  • Prompts submitted by users
  • Conversation content
  • Reservation data
  • Asset data
  • Maintenance data
  • Occupancy data
  • Metadata processed during AI interactions

This restriction is contractually enforced with Spacewell's AI infrastructure and model providers.

Is customer data shared with other customers?

No.

Customer environments remain fully isolated.

There is:

  • No cross-customer data sharing
  • No shared knowledge base between customers
  • No shared AI training
  • No shared search index

Data from one customer environment is never exposed to another customer environment.

Does the AI Assistant build user profiles?

No.

The AI Assistant does not create behavioral profiles, track users across sessions, infer personal characteristics, or build long-term preference models.

Each interaction is processed independently and only uses information required to fulfill the immediate request.


Security & Access Control

How is access controlled?

The AI Assistant inherits Spacewell's existing security model in its entirety.

The same permissions, roles, and restrictions that apply within the standard application also apply within AI interactions.

There is no separate AI-specific privilege model.

Does the AI Assistant support Role-Based Access Control (RBAC)?

Yes.

The assistant fully respects all existing RBAC rules.

Examples include:

  • A user who cannot see a colleague's reservations cannot retrieve them through the assistant.
  • Building-level restrictions remain enforced during AI interactions.
  • Anonymized records remain anonymized.
  • Asset visibility restrictions continue to apply.

Can the AI Assistant bypass permissions?

No.

There is no privilege escalation path through the AI interface.

Users cannot access information through the AI Assistant that would otherwise be unavailable to them through the standard application.

Can administrators control AI access?

Yes.

Organizations maintain full control over AI functionality.

Administrators can:

  • Enable or disable AI functionality
  • Restrict access to specific user groups
  • Govern AI availability through existing user management controls

Enterprise AI Governance & Risk Management

Many enterprise customers conduct formal AI risk assessments before enabling AI functionality. The following questions address common requirements from security, compliance, architecture, procurement, and governance teams.

Does the AI Assistant require customer-specific model training or fine-tuning?

No.

The Spacewell AI Assistant is delivered as a standard SaaS capability and does not require customer-specific model training, fine-tuning, or model customization.

Customer data is never used to train or improve the underlying AI models.

Does the AI Assistant require a customer-managed Retrieval-Augmented Generation (RAG) platform?

No.

Customers do not need to deploy, configure, or manage vector databases, retrieval systems, machine learning infrastructure, or AI platforms.

The AI Assistant is delivered as a fully managed cloud service operated by Spacewell.

Does the AI Assistant require customer-specific data preparation or preprocessing?

No.

The AI Assistant operates directly on the data already available within the customer's Spacewell environment.

Customers are not required to create separate AI datasets, perform data labeling, transform information, or maintain dedicated AI data pipelines.

Can customers modify system prompts or AI instructions?

No.

Core system prompts, safety controls, governance policies, and operational instructions are managed by Spacewell and are not configurable by end users.

Customer administrators retain full control over application configuration, user permissions, and access management, but cannot modify the underlying AI governance framework.

Does the AI Assistant have access to enterprise data beyond what is available in Spacewell?

No.

The AI Assistant only accesses information that is already available to the user through the Spacewell application.

It does not automatically connect to other enterprise systems, cloud platforms, databases, file shares, email systems, collaboration tools, or external knowledge repositories unless explicitly provided as part of a supported Spacewell integration.

Does the AI Assistant have privileged access to customer data?

No.

The AI Assistant inherits the permissions of the user who initiates the interaction.

There is no separate AI access path, privileged service account, or bypass mechanism that grants broader access to information.

Can the AI Assistant make decisions on behalf of users?

No.

The AI Assistant is designed as a decision-support tool.

Users remain responsible for reviewing information, validating recommendations, and confirming actions before they are executed.

The assistant does not independently approve transactions, enforce policies, override workflows, or make autonomous business decisions.

Can AI-generated output be accessed by other customers?

No.

Customer environments are fully isolated.

There is no cross-customer sharing of prompts, conversations, responses, business data, or AI-generated content.

Is customer data protected from being used to train other customers' AI models?

Yes.

Customer data, prompts, conversations, and generated outputs are never used to train, fine-tune, or improve models for other customers.

This protection is enforced through Spacewell's architecture, operational controls, and contractual agreements with its AI providers.

How transparent is the AI Assistant's decision-making process?

The AI Assistant generates responses based on information retrieved from the customer's authorized Spacewell environment.

Responses are grounded in structured business data rather than external internet sources, enabling users to understand the business context behind the information returned.

Does the AI Assistant introduce additional information security risks compared to the standard application?

No.

The AI Assistant operates within the same security boundaries, permissions model, hosting environment, compliance framework, and governance controls as the underlying Spacewell application.

It does not introduce a separate data repository, separate identity store, or alternative access mechanism.

Can the AI Assistant be enabled or disabled at customer level?

Yes.

Organizations retain full control over the availability of AI functionality.

Administrators can enable or disable the AI Assistant at tenant level and restrict access to specific user groups in accordance with internal governance and security policies.


Hallucination & Quality Controls

How does Spacewell reduce hallucinations?

Spacewell applies multiple safeguards to minimize the risk of inaccurate responses.

Grounded Responses

The assistant retrieves information directly from structured customer data rather than relying on open-ended internet knowledge.

Limited Scope

The assistant operates within clearly defined business domains and product capabilities.

Graceful Refusal

When relevant information cannot be found, the assistant is designed to indicate this rather than generate speculative content.

System-Level Guardrails

The assistant is instructed to operate only within its intended functional boundaries.

Continuous Validation

Automated testing and evaluation processes are used to monitor response quality across releases and identify regressions before deployment.

Can hallucinations still occur?

As with any system based on Large Language Models, responses are probabilistic and should be reviewed before action is taken.

However, because the assistant operates on structured business data within a constrained domain, hallucination risk is significantly lower than with general-purpose AI tools.


GDPR & Compliance

The AI Assistant is designed and operated in alignment with the principles of the European General Data Protection Regulation (GDPR).

RequirementHow it is addressed
Lawful basisProcessing occurs under the existing controller-processor relationship governed by the signed DPA
Data minimizationOnly information required to fulfill a user's request is retrieved and processed
Storage limitationOperational logs follow defined retention policies
Data subject rightsRequests are managed through Spacewell's standard GDPR processes
EU data residencyProcessing and storage remain within the European Union
Subprocessor managementSubprocessors operate under contractual safeguards, including EU Standard Contractual Clauses where applicable
Audit rightsAvailable under the terms of the Data Processing Agreement
Breach notificationManaged in accordance with GDPR Articles 33 and 34

Is a Data Processing Agreement available?

Yes.

Spacewell provides a Data Processing Agreement (DPA) based on EU Standard Contractual Clauses (SCCs).

Customers requiring compliance documentation may contact their Spacewell representative or Customer Success Manager.


Frequently Asked Questions

Does the AI Assistant use internet searches?

No. The assistant operates on information available within the customer's Spacewell environment and does not retrieve information from public internet sources when responding to customer data questions.

Does Spacewell monitor conversations?

Spacewell does not use customer conversations to train AI models.

Operational logging may be used for security, support, troubleshooting, and service improvement purposes in accordance with applicable contractual and privacy obligations.

Is the AI Assistant included in my subscription?

Unless otherwise specified in your subscription agreement, AI functionality is not included within the applicable Spacewell product subscription without separate consumption-based charges.

Will the AI Assistant become available in additional Spacewell products?

Yes.

Spacewell is gradually introducing AI capabilities across its product portfolio. While functionality may differ between products, the same privacy, security, compliance, and governance principles apply consistently across all Spacewell AI services.

Does the AI Assistant connect to internet sources or public websites?

No.

The AI Assistant is designed to operate on information available within the customer's authorized Spacewell environment. It does not perform open internet searches when responding to customer data requests.


Enterprise Security Reviews 

Spacewell regularly supports customer security assessments, vendor risk reviews, privacy impact assessments (PIAs), AI governance reviews, and procurement processes.

Additional documentation, including Data Processing Agreements and compliance-related materials, can be provided through your Spacewell representative upon request.