What it is and what it does
What are the Kowalah Connector and Agent, and what do they access?
What are the Kowalah Connector and Agent, and what do they access?
Kowalah offers two AI access points into your Kowalah programme data. The Claude Connector lets a user query their Kowalah workspace from inside Claude. The Kowalah Agent does the same from Slack, Teams, or Google Chat when
@mentioned or messaged directly, and additionally coaches users on applying AI to their work. Both connect to the same server (mcp.kowalah.com) and access only your organization’s Kowalah programme data — projects, deliverables, opportunities, Expert Requests, and accelerators. They do not access your email, files, source code, or any system outside Kowalah.What can these tools actually do — read, write, delete?
What can these tools actually do — read, write, delete?
The connector exposes exactly three capabilities: get a status update (read only), find an accelerator (read only), and raise a new opportunity (create only). It cannot edit, overwrite, or delete any existing data, and it has no access to settings, billing, or member management. These limits are structural — the code to modify or delete your data is not present in the connector.
Is the Agent more powerful than the Connector?
Is the Agent more powerful than the Connector?
Not in terms of data. The Agent authenticates as the linked user and reaches data through the same three tools, with the same limits — its data boundary is identical to the Connector’s. It does, however, do more with the model: it actively coaches your team, using skills (a coach, a use-case advisor, and a workflow designer) to act as a sparring partner and help design AI workflows. Those skills are knowledge and instructions for the model, not additional data access — so the Agent can still only reach the same data a person could reach in the Connector.
What are 'skills', and do they give the Agent more access to our data?
What are 'skills', and do they give the Agent more access to our data?
Skills are knowledge and instructions that shape how the Agent coaches — for example, how to run a use-case discovery conversation or design a workflow. They change the Agent’s behaviour, not its permissions. The only way any surface reaches your data is through the three Kowalah tools; no skill can read files, email, or anything outside that tool surface.
Data exfiltration and validation
Can the Connector or Agent exfiltrate our private data to Kowalah?
Can the Connector or Agent exfiltrate our private data to Kowalah?
No. The connector exposes one write path — raising an opportunity — and it only fires when a user explicitly asks to. There is no tool that uploads, exports, syncs, or copies your data to Kowalah, and no background process that harvests conversations or scans your workspace. The Connector also has no access to anything outside Kowalah (no files, email, or drives), so there is no private data for it to take. See data flow and exfiltration.
What is the only thing that can be sent to Kowalah, and how do we see it?
What is the only thing that can be sent to Kowalah, and how do we see it?
A new opportunity — a short description of an idea the user wants to raise. Every opportunity appears in your own workspace with an
OPP-XXXX number, the submitter, and the full content, so you have a complete audit trail of everything that has ever reached Kowalah through these tools.How can our security team verify all of this independently?
How can our security team verify all of this independently?
Several ways, none of which require trusting our documentation: (1) enumerate the tool list over the MCP protocol (
tools/list) and confirm there are three tools with no upload/export capability; (2) audit the granted OAuth scopes in your own Slack or Teams admin console and confirm there are no file/drive/email scopes; (3) monitor egress with your CASB/DLP — traffic only goes to mcp.kowalah.com and Anthropic; (4) inspect every opportunity created in your workspace; (5) confirm in your chat audit log that the Agent only acts when directly addressed (an @mention or a direct message), never passively; (6) pilot it in a single channel first. See data flow and exfiltration for the full checklist.Does the Agent's coaching ability let it reach more of our data?
Does the Agent's coaching ability let it reach more of our data?
No. The Agent coaches using skills, which are model knowledge and instructions — not data access. Whatever it can do as a coach, it still reaches data only through the same three Kowalah tools as the Connector.
What does the Agent retain, and where?
What does the Agent retain, and where?
The Agent keeps short-lived thread context and a per-user/per-organization memory so it can be a useful coach across a conversation. This is held in Anthropic’s managed infrastructure (a named subprocessor), scoped to the individual user and their organization, never pooled across customers, and never used to train models. Conversation content is not written into Kowalah’s customer database unless the user raises an opportunity.
Authentication and access
How are users authenticated?
How are users authenticated?
There is no anonymous access. Connector users authenticate via OAuth using their Kowalah account, managed by our identity provider (Clerk). Each request carries a signed token that the server verifies cryptographically before responding. Agent users link their chat identity to their Kowalah account once; after that, a per-user token resolves to the same authenticated identity on every request.
How do you ensure one customer can't see another customer's data?
How do you ensure one customer can't see another customer's data?
Every database query passes through a single shared scoping function that filters results to the organizations the requesting user is an accepted member of. Customer connections are never run in an unrestricted mode. This boundary is covered by automated tests because a regression would otherwise be invisible. A user can only ever see data for organizations they belong to.
Are permissions role-based?
Are permissions role-based?
Yes. Within their own organization, users have one of three roles — admin, core team, or member — and the connector resolves the user’s role per organization on every request. A user’s role in one organization does not carry over to another.
Can the tools access your internal/admin systems or other customers' data?
Can the tools access your internal/admin systems or other customers' data?
No. The connector reads only from the customer database schema, scoped to the user’s organizations. It has no access to Kowalah’s internal admin systems, employee data, financial/contract internals (which are stripped from responses), or any other organization’s records.
What happens when someone leaves or loses access?
What happens when someone leaves or loses access?
Access is enforced per user on every request. Removing or disabling a user in your identity provider, your chat workspace, or in Kowalah ends their access. The Agent’s per-user token can also be revoked centrally, and revoked or expired tokens are rejected on the next request.
Data handling and privacy
What data leaves our environment, and where does it go?
What data leaves our environment, and where does it go?
When a user makes a request, the request and the Kowalah data needed to answer it are processed by Anthropic’s Claude (the AI model) and returned to the user. Kowalah programme data lives in the Kowalah database (Supabase); the request is handled by the Kowalah server hosted on Vercel. No data from your own systems (email, files, etc.) is involved — the tools only read Kowalah programme data.
Whose Claude processes our requests — ours or Kowalah's?
Whose Claude processes our requests — ours or Kowalah's?
It depends on the surface. With the Connector, it’s your own Claude: the conversation happens inside your organization’s Claude workspace, on your own subscription and your own agreement with Anthropic. Kowalah never sees the conversation — only the tool calls that arrive at the MCP server. With the Agent, it’s Kowalah’s Claude: messages are processed via Anthropic’s API under Kowalah’s commercial terms, disclosed in our subprocessor list. In both cases Anthropic’s no-training commitment applies, and both routes are subject to the same org-scoped data boundary at the Kowalah server.
Is our data used to train AI models?
Is our data used to train AI models?
No. Anthropic does not train its models on data submitted through its commercial APIs. Your prompts, conversations, and the Kowalah data returned are not used to train or improve any model.
Is data encrypted?
Is data encrypted?
Yes. All traffic is encrypted in transit with TLS between every hop — the user’s client, Anthropic, the Kowalah servers, and the database. Data is encrypted at rest in the managed database and infrastructure.
Is our data copied, mirrored, or warehoused?
Is our data copied, mirrored, or warehoused?
No. Data is fetched on demand for a single request and returned. The connector is stateless and keeps no per-user session. The Agent caches short-lived conversation context so a thread stays coherent, and that context expires automatically.
Does the Agent read or store our chat history?
Does the Agent read or store our chat history?
No. The Agent only acts when directly addressed —
@mentioned in a channel or messaged directly — and reads the message and thread or DM it has been brought into, for context. It does not passively monitor channels, and it does not ingest, index, or archive your message history.Chat platform specifics
Why does the Slack app request message history scopes?
Why does the Slack app request message history scopes?
Slack grants history scopes (
channels:history, im:history, and similar) at the conversation level, so an app that replies in threads must request them. The Kowalah Agent uses them only to read the thread it has been @mentioned in, so it understands the conversation. It does not bulk-read, crawl, or store your channel history.What does the Slack app request and why?
What does the Slack app request and why?
It requests permission to detect mentions (
app_mentions:read), reply (chat:write), read the thread it’s participating in (the *:history scopes), resolve where to reply (the *:read scopes), match the Slack user to their Kowalah account (users:read, users:read.email), and add an acknowledgement reaction (reactions:write). See Chat platform security for the full table.What can our workspace admins control?
What can our workspace admins control?
Admins approve installation and can remove the app at any time (which immediately cuts off access). The Agent works in channels and spaces it’s added to (when
@mentioned) and in direct messages users start with it — never passively. Only users who’ve linked a valid Kowalah account receive data. Admins, and your normal leaver process, govern who can use it.Can a prompt-injection attack make the Agent leak another org's data?
Can a prompt-injection attack make the Agent leak another org's data?
No. The data boundary is enforced server-side by the authenticated user’s token, not by anything in the conversation. Even if a message tried to instruct the Agent to return another organization’s data, the server would still scope the query to the requesting user’s own organization.
Vendor, compliance, and infrastructure
Who are your subprocessors?
Who are your subprocessors?
In the path of the Connector and Agent: Anthropic (AI model), Vercel (hosting), Supabase (database), Clerk (authentication), and Upstash (transient session cache). The full subprocessor list is maintained as part of the Data Processing Agreement and available on request. See Subprocessors and compliance.
Do you offer a Data Processing Agreement (DPA)?
Do you offer a Data Processing Agreement (DPA)?
Yes. Kowalah offers a DPA covering the processing of personal data, the subprocessor list, data residency, retention and deletion, and security measures. Ask your Kowalah team for the current version.
Where is data hosted, and can we get data-residency commitments?
Where is data hosted, and can we get data-residency commitments?
The Connector and Agent run on Vercel with data stored in Supabase. Specific hosting regions and data-residency commitments are documented in the DPA and can be confirmed for your contract — talk to your Kowalah team.
Can you complete our security questionnaire?
Can you complete our security questionnaire?
Yes. If your team uses a standardized questionnaire (SIG, CAIQ, or your own template), send it to your Kowalah team and we’ll complete it directly.
Is the connector available on all plans?
Is the connector available on all plans?
The Connector and Agent are available on Kowalah Managed Services plans (Essential and above) and during paid engagements such as AI Impact Sprints and Claude Change Enablement programmes.
Can’t find an answer here? Your Kowalah team can respond directly to anything your security review needs.