Security & Privacy
Genie handles internal DHL documents, including data that may be classified as RESTRICTED. This page summarizes how the system protects your data and what to expect about your own privacy.
Authentication
- Single Sign-On with Entra ID — there is no separate Genie account or password.
- Multi-Factor Authentication is enforced at the identity-provider level via Conditional Access policies. You will be prompted for MFA when your account requires it.
- OAuth 2.0 / OpenID Connect — Genie validates every incoming JWT against Entra ID's signing keys (JWKS) on every API request, checking issuer, audience, expiration, and signature.
- Token lifetime and revocation are controlled by your DHL Entra ID configuration, not by Genie itself. Expired tokens trigger a redirect back to sign-in; revoking a session has to go through Entra ID. On shared devices, always close the browser tab after Logout so cached state can't be reused.
Authorization
Genie uses Role-Based Access Control (RBAC) with two layers:
System-level: Super Admin
Members of a designated Entra security group are Super Admins. The only system-wide right that Super Admins have is creating new knowledge bases — they do not automatically get access to every KB.
KB-level: per-knowledge-base roles
| Role | Who | What they can do |
|---|---|---|
| Owner / KB Admin | Designated by KB creator | Manage users, upload/delete documents, approve join requests, edit KB metadata |
| Reader / KB User | Assigned directly OR via Entra group | Chat with the KB, view citations, download cited documents |
| Authenticated User | Any signed-in DHL user | Submit join requests to KBs they don't yet have access to |
Permissions are checked on every API call. For management operations on KBs you cannot manage (or that don't exist), the server deliberately returns 404 Not Found rather than 403 Forbidden to avoid leaking the existence of private KBs. For pure-use operations such as chat or content download, the server returns 403 Access denied instead.
Data isolation
- Each KB is its own tenant. A user with access to KB-A cannot search, browse, or download anything from KB-B. The search engine is forced to filter by
knowledge_base_idon every query — there is no way to bypass this from the client. - Chat history is per-user. Even KB administrators cannot read other users' chats. Chat documents in Cosmos are partitioned by user ID and access is enforced at the database level.
- File downloads are double-checked. When you click a citation to download a source file, the server validates both that you have access to the KB and that the file is actually indexed in that KB.
Encryption
- In transit: TLS 1.2 or higher for every connection — frontend to backend, backend to Azure services, browser to docs site.
- At rest: Azure-managed encryption with Microsoft-managed keys for every storage layer (Cosmos, Blob, AI Search, Key Vault).
Personally Identifiable Information (PII)
The following PII is processed by Genie:
| PII type | Where | Why |
|---|---|---|
| Entra Object ID (OID) | Most logs, all chats, audit logs | User identification (preferred over names/emails for stability) |
| Email address | KB admin lookups, join request emails | Notifications |
| Display name | User pickers, audit context | UI |
| IP address | Authentication and access logs | Security investigations |
| Document content | Indexed in AI Search, served via citations | Core RAG functionality |
PII is minimized wherever possible — for instance, internal references use the stable Entra OID rather than full names, and chat-history storage strips out raw retrieved passages to keep documents small.
Logging & monitoring
Genie generates seven categories of logs, each with its own retention policy:
| Log type | Retention | Where | Contains PII? |
|---|---|---|---|
| Administrator & Operator Logs | 365 days | Azure Log Analytics | Yes (OID, IP) |
| Access Logs | 365 days | Azure Log Analytics | Yes (OID, IP, user agent) |
| System Logs | 365 days | Azure Log Analytics + Container Apps logs | No |
| Audit Logs (every action with consequence) | 2555 days (~7 years) | Cosmos DB (append-only) | Yes (OID, email, IP) |
| Client Telemetry | 365 days | Application Insights | Yes (OID via authenticated context) |
| Business Metrics | 365 days | Application Insights custom events | Yes (OID, session ID) |
| Error Telemetry | 365 days | Application Insights | Yes (OID) |
Audit logs are append-only — they cannot be deleted from inside the application even by Super Admins. They satisfy DHL's compliance and GDPR requirements.
What is recorded as an audit event
Every action that has security or compliance significance is audited:
- Authentication events (login attempts, sign-outs)
- Document uploads and deletions
- Knowledge base creation, modification, deletion
- Join request submission, approval, rejection, deletion
- File downloads (Content access)
- Chat creation and deletion
- Authorization denials (someone tried to do something they couldn't)
- Rate limit violations
- Malware detections in uploads
Each audit record includes when, who (Entra OID), what (action), and where (target resource).
Your right to know, your right to be forgotten (GDPR)
Genie aims to comply with GDPR including the right of access and right of erasure.
- Right of access: to request a copy of all data Genie holds about you, contact Support. The team can extract your chat history, audit events, and account references.
- Right of erasure: while you can delete individual chat sessions yourself, audit logs cannot be self-deleted because they are required for compliance. To request full erasure of your personal data (subject to legal retention requirements), contact Support and the DHL Data Protection Team.
What Genie does NOT do
To be explicit:
- Genie does not train any AI model on your documents or chats. Azure OpenAI is configured in zero-retention mode for inference — prompts and responses are not used to train OpenAI's models.
- Genie does not share your chats with KB owners. Chat history is yours alone.
- Genie does not send data outside Azure. All processing happens in the configured Azure region; no third-party AI services are involved.
- Genie does not bypass DHL's data classification. If you upload RESTRICTED documents, only users with KB access can ever retrieve passages from them.
Reporting a security concern
If you believe you've discovered a security vulnerability or data-leak, please contact Support immediately — do not post about it in public channels.
For account-level issues (lost MFA device, suspected compromised account), contact IT Service Desk directly — they handle Entra ID account security.
Related
- System Architecture — the technical implementation
- Known Limitations — explicit list of what Genie does and doesn't enforce