Data Security & Privacy Statement for the UoB AI Gateway 

The University's AI Gateway (developed by the University's IT Innovation and Cloud Platform teams) provides university staff with secure and private access to cutting-edge AI services via RESTful APIs. The platform enforces the following robust security and privacy protections for user prompts and data, underpinned by the university’s Microsoft enterprise agreement: 

  • Encryption in Transit: All data passed through the AI Gateway to the underlying processing service is encrypted in transit using HTTPS and TLS encryption. 

  • Access Control: Access is managed by university administrators. A unique Subscription Key is required for all API calls, ensuring only authorised University users can access the services. 

  • Data Isolation: The services accessed via the AI Gateway ensure academic interactions, including prompts and completions, are logically isolated and are not used to train, retrain, or improve the base AI models. 

  • Data at Rest: Data is encrypted at rest by default by the processing service.

  • Data Usage & Retention: AI Gateway administrators do not store or view your prompts. However, once prompts reach the processing service, they may be stored for purposes such as Security Monitoring, which is mostly automated with limited human involvement [1]. 

  • Data Residency vs. Processing Location.:  For models deployed in the UK, your data is stored in the UK. However, the processing service may process prompts/completions outside of the UK in Europe or the United States [2]. For models deployed in Europe (e.g., gpt-5-pro), your data is stored in Europe, but the service may process prompts/completions globally in Europe or the United States.  

[1] Security monitoring – the AI gateway leverages Microsoft security classifier models and pattern detection to automatically filter prompts for harmful content, security risks, and policy violations. While deactivation of this function is possible, it necessitates a prior, comprehensive assessment of the resultant security and compliance implications. 

[2]  Generative Artificial Intelligence (GenAI) is a globally distributed technology, the technical requirements to run large language models (LLMs) from providers such as OpenAI, Gemini and Anthropic are hugely complex and costly to develop and run. The majority of current providers of LLMs will not guarantee the processing of data in the UK for the very latest LLMs. The AI gateway guarantees the privacy and security of data when processed.