Unauthorized AI Tools at UChicago
| AI Tool | Status | Purpose | Restrictions | |
| character.ai | Not Approved - Inadequate Privacy protection levels | Platform that allows users to engage in open-ended conversations with fictional or user-created personalities. | Does not provide SOC 2, ISO 27001, or other enterprise attestations. Does not comply with GDPR/CCPA. Data is stored indefinitely. | |
| Cleverbot | Not Approved - Inadequate Privacy protection levels | A conversational AI chatbot designed for casual dialogue. | Outdated architecture, no modern privacy protections, lacks University-required security controls, and conversations are logged without user controls or disclosures. | |
| Dante Chatbot | Not Approved - Inadequate Privacy protection levels | Automated tools embedded in websites to simulate conversation with users. They can answer questions, provide support, guide navigation, and even assist with transactions. | Many third-party chatbot tools do not comply with best-practice security and privacy standards and may expose data to unauthorized parties. Dante is missing SOC 2 and ISO 27001 attestation (though “working toward SOC 2 Type II”). | |
| DeepSeek AI | Not Approved - Inadequate Privacy protection levels | | Lacks critical enterprise security attestations (e.g., SOC 2, ISO 27001, GDPR, CCPA) and has been banned or restricted in several jurisdictions due to data sovereignty and national security concerns. Data is stored in China and may be accessed by government authorities. The platform has no clear data retention, anonymization, or deletion guarantees. Public incidents include exposed databases and high vulnerability to prompt injection attacks. Not appropriate for any University use, including research, instruction, or administration. | |
| Finalsite Chatbot | Not Approved - Inadequate Privacy protection levels | Automated tools embedded in websites to simulate conversation with users. They can answer questions, provide support, guide navigation, and even assist with transactions. | Many third-party chatbot tools do not comply with best-practice security and privacy standards and may expose data to unauthorized parties. SOC 2, Finalsite is missing GDPR, CCPA, other compliance attestations explicitly for AI/chatbot service. | |
| Otter AI | Not Approved - Inadequate Privacy protection levels. Use 3Play Media or Rev AI. | Transcription tool that uses AI to convert spoken language (from meetings, interviews, lectures) into written text. It also provides speaker identification, summarization, and collaboration features. | Not approved from a security and privacy perspective. | |
| Orimon Chatbot | Not Approved - Inadequate Privacy protection levels | AI-powered chatbot creation platform that enables users to build conversational agents that can handle customer interactions across multiple channels. | Not approved from a security and privacy perspective. No SOC 2, no ISO 27001, no GDPR/CCPA certification—no evidence of enterprise security attestations. | |
| Read.ai | Not Approved - Inadequate Privacy protection levels | An AI that transforms meetings, emails, and messages into summaries. | Privacy and security concerns, including unauthorized recording of meetings, excessive access to calendars, and unclear data retention and deletion practices. No SOC 2, no ISO 27001, and no GDPR/CCPA compliance. | |
| Replika.ai | Not Approved - Inadequate Privacy protection level | A personal AI companion designed to simulate empathetic conversation. | Designed for personal use and not aligned with University security standards; collects significant amounts of personal information and is not built with privacy-by-design principles. No SOC 2; though it received ISO 27001 back in 2017, no recent attestations; has had regulatory actions. Missing up-to-date GDPR/CCPA certification. | |
| Securly.ai | Not Approved - Inadequate Privacy protection level | An AI tool used in K–12 environments to monitor student activity for signs of self-harm, bullying, or threats. | Does not comply with University data retention standards; poor Bitsight Security score. No SOC 2, no ISO 27001, and no GDPR/CCPA compliance. | |
| You.com | Not Approved - Inadequate Privacy protection level | AI-powered search engine and assistant that combines real-time web results with language model summaries. | Privacy policy allows sharing data with third-party partners unless users log in and opt out. Tool collects query data for improvement by default. No SOC 2, no ISO 27001 (despite corporate SOC 2 Type 2 claim in blog). | |