Yarvis AI Trust & Transparency Document
Document updated and applicable since: February 26th, 2026
About Yarvis
Yarvis is an AI-powered workplace assistant designed for enterprise deployment within Microsoft Teams. It integrates with Microsoft 365 (calendar and shared mailboxes) and Microsoft Teams to help users manage their workday through natural language interactions. YAROOMS integration (room booking and work status management) is available as a separate add-on module and is not required for core functionality.
Yarvis is deployed as a multi-tenant service. Each customer organization (“Tenant”) operates in an isolated environment.
AI Capabilities and Limitations
What Yarvis Can Do
- Read, create, update, and delete calendar events on behalf of the user
- Read and process messages received in a designated shared mailbox
- Draft and send replies from the shared mailbox
- Book and cancel room reservations via YAROOMS (add-on module)
- Set and update user work status (in office, remote, etc.) (add-on module)
- Provide summaries of the user’s upcoming schedule
- Send proactive morning briefings via Teams
- Maintain context across sessions using stored AI memories
Limitations and Boundaries
- Yarvis does not access individual user email inboxes – only a designated shared mailbox.
- Yarvis does not read general Teams channel history – only messages explicitly directed at the bot.
- Yarvis does not download email attachments.
- Yarvis does not take autonomous financial, HR, or administrative actions outside the defined integrations.
- AI responses are generated by a large language model and may occasionally be inaccurate. Users should verify important outputs.
- Yarvis does not guarantee availability, accuracy, or completeness of information retrieved from third-party platforms.
Human Oversight
Yarvis is a tool to assist human decision-making. Actions such as creating calendar events, sending emails, or booking rooms are taken in response to explicit user instructions. Yarvis does not act autonomously without user input, except for scheduled proactive features (morning briefings) that users can configure and disable.
Data Practices Summary
Data Accessed
| Data Type | Source | Access Level | Stored Locally? |
|---|---|---|---|
| User identity | Microsoft Entra ID | Read | Yes (encrypted) |
| Calendar events | Microsoft Graph | Read + Write | No – live access only |
| Shared mailbox email | Microsoft Graph | Read + Send | Partially (AI memory) |
| Teams messages (bot) | Microsoft Teams | Read | Session logs |
| Room bookings (add-on) | YAROOMS API | Read + Write | No – live access only |
| Work status (add-on) | YAROOMS API | Read + Write | No – live access only |
| Auth tokens | Microsoft / YAROOMS (add-on) | – | Yes (encrypted) |
| AI memories / sessions | AI conversations | Write | Yes (encrypted database) |
AI Processing
| Aspect | Detail |
|---|---|
| AI provider | Anthropic (Claude API) |
| Model used | Claude (via Anthropic API) |
| Training on customer data | No – Anthropic does not train on API inputs |
| Data sent to AI provider | User prompts, calendar/email context for active requests |
| Conversation storage | Local only – within the Tenant’s encrypted database; not on Anthropic servers |
| Memory retention | Data is retained for the duration of the customer’s active subscription and permanently deleted within 30 days of subscription termination if the subscription is not renewed |
Yarvis uses the Anthropic Claude API for natural language understanding and response generation. When processing user requests, relevant context (such as calendar summaries or email snippets) is included in API calls to generate accurate, contextual responses.
Third-Party Sub-Processors
| Sub-Processor | Data Shared | Purpose |
|---|---|---|
| Microsoft | Identity, calendar, email, Teams | Core platform services |
| Anthropic | Conversation context, calendar/email summaries | AI response generation |
| YAROOMS | User email, booking and planning data | Room booking and work status (add-on module only) |
Security Measures
Implemented Controls
- Credential encryption: All OAuth tokens and, where the YAROOMS add-on is enabled, YAROOMS API tokens, are encrypted at rest
- Tenant isolation: Full data separation per organization
- Token hygiene: Credentials are never written to logs or error outputs. Decryption occurs only during active service operations.
- Webhook integrity: Microsoft Graph webhook endpoints validate CSRF tokens (client state).
- Bot Framework domain validation: Proactive message delivery targets are validated against Microsoft’s registered domains.
Terms of Service Summary
Acceptable Use
Yarvis is provided for legitimate professional workplace use within the Tenant’s organization. The Tenant agrees not to:
- Use Yarvis to process data outside the scope of its configured integrations
- Attempt to extract, reverse-engineer, or misuse AI model outputs
- Use Yarvis to process special-category personal data (health, biometric, financial) unless explicitly agreed in writing
- Deploy Yarvis in consumer-facing contexts without prior written approval
- Use Yarvis’s AI capabilities for purposes other than those defined in the Service configuration and these Terms. Misuse or attempts to repurpose the AI agent outside its intended scope will result in immediate account suspension.
Tenant Responsibilities
- Ensuring appropriate end-user notice and consent before deployment
- Configuring the shared mailbox and permissions in accordance with their internal data governance policies
- Managing data subject rights requests (erasure, access) – requiring manual intervention
Service Provider Responsibilities
- Maintaining the technical infrastructure in accordance with this document
- Notifying Tenants of material changes to data processing practices
- Supporting data deletion requests within a reasonable timeframe
- Keeping third-party sub-processor agreements current and compliant
Availability and SLA
Service availability, uptime commitments, and support terms are defined in the separate Service Level Agreement (SLA) provided to Tenants. Yarvis is provided without warranty as to uninterrupted availability.
Liability
To the maximum extent permitted by law, the service provider’s liability arising from use of Yarvis is limited as specified in the Master Services Agreement or equivalent contract. The service provider is not liable for actions taken by the AI model that the user elects to execute without review.
Changes to Terms
Material changes to these terms will be communicated to Tenant administrators with reasonable notice prior to taking effect. Continued use of Yarvis after the effective date constitutes acceptance.
Pricing and Plans
Yarvis is offered under a subscription-based pricing model with plans tailored to different organizational needs. Pricing details, plan comparisons, and feature availability – including the YAROOMS add-on module – are published on the Yarvis product website.
The data processing scope described in this document reflects the full feature set. Data categories associated with the YAROOMS add-on module are only applicable where that module is included in the Tenant’s active plan.
Compliance and Regulatory Posture
| Framework / Requirement | Status |
|---|---|
| GDPR (EU) | Fully compliant |
| CCPA (California) | Fully compliant |
| Microsoft 365 Certification | Compliant with Microsoft Bot Framework and Graph API requirements |
| Data residency | Depends on Tenant infrastructure and Microsoft tenant region |
| Right to erasure | Supported via manual process |
| Data Processing Agreement | Available upon request |
This document is reviewed periodically and updated to reflect changes in Yarvis’s data processing activities, security posture, and applicable regulatory requirements.
Data Controller & Brand Owner: YAROOMS INTERNATIONAL SA, dba YAROOMS. Registered address: Regele Ferdinand 22-26 3rd Floor, 400110 Cluj-Napoca, Cluj County, Romania. Company registration number: ROONRC.J2022005628124 | VAT/Tax ID: RO36814476. Privacy contact: dpo@yarooms.com . Yarvis is a registered trademark of Yarooms International SA. All rights reserved.