Security and data privacy
How we safeguard your data and privacy:
- ISO 27001 certified information security management.
- All data is encrypted in transit and at rest.
- Cloudflare web application firewall (WAF) and DDoS protections in place.
- Secure development lifecycle with OWASP-based scanning, weekly automated scans and periodic independent penetration tests.
- Data you enter remains yours; a Data Processing Agreement (DPA) is in place with OpenAI that prevents OpenAI from using your data for training.
Quick questions
Will my data be used to train AI models?
No. Data entered into Theta Assist is explicitly prevented from being used for AI model training.
Will my data be mixed with other customers’ data?
No. Customer data is logically segregated. Each customer’s application data is stored within their own Azure tenant and assistants/conversations are separated by project and access controls.
Where is data hosted?
Theta Assist is hosted in Microsoft Azure and is deployed into your Azure environment. When you purchase you choose the Azure region for the application. If you select the A1 plan (AI included) the AI processing uses OpenAI’s US servers. If you prefer, you can host the AI model with Azure OpenAI and choose the Azure region for the model.
Is data encrypted?
Yes. Data is encrypted in transit and at rest using modern industry standards.
Data ownership and privacy controls
- Data ownership: data entered or imported by you remains your property.
- Conversation privacy: conversation threads are private to your users unless they choose to share them. Assistant memory (if enabled) is clearly indicated to users.
- Customer data segregation: each customer’s data is stored and separated within its own Azure tenant. Project structures and access separation prevent cross-customer access.
- Assistant access controls: admins and users can be assigned roles and permissions to control who can view or manage assistants.
- Sharing protection: for an extra layer of protection, admins can enable a sharing approval flow so assistants cannot be shared without admin approval.
- Admin roles: you can nominate admin users who can transfer assistant ownership and approve sharing.
- Support access: only authorised support staff can access your environment for troubleshooting, and access requires appropriate authorisation.
Hosting and model options
- Theta Assist is available via Azure Marketplace and is deployed into your organisation’s Azure tenant.
- You choose the Azure region for hosting the Theta Assist application at purchase.
- AI model choices:
- A1 (AI included): securely connects to OpenAI’s US-hosted APIs (covered by a signed DPA).
- Azure OpenAI: you can host models in Azure and pick the region that meets your data residency or compliance needs.
- More on OpenAI security and trust: https://trust.openai.com/
- More on Azure OpenAI data privacy: https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/openai/data-privacy
Authentication and access governance
- Theta Assist uses Microsoft logins for access (Azure AD). This integrates with your organisation’s identity policies.
- Your existing conditional access controls and multi-factor authentication (MFA) settings apply to Theta Assist sign-in.
- Onboarding and offboarding are managed through your Azure AD to make user lifecycle control straightforward.
Security practices and testing
- ISO 27001 certified controls apply across Theta products.
- Secure development lifecycle: code scanning at compile time, dependency checks and OWASP Top 10 aligned scans.
- Continuous monitoring: weekly automated external attack-surface scans and periodic independent penetration tests of the web interface.
- Network protections: Cloudflare WAF and DDoS mitigation are used to protect the service.
Transparency and customer rights
- Theta has a signed Data Processing Agreement (DPA) with OpenAI that prevents OpenAI from using your data for training when you use the AI-included plans.
- You have rights to access, correct or delete personal information we hold about you. To make a request, contact our privacy team:
- We handle requests promptly and transparently in line with applicable data-protection laws.