Download the security pack (PDF)
A single PDF covering everything in this section, ready to forward to your security or infosec team.
One data boundary, two access points
Both customer-facing AI surfaces connect to the same server — the Kowalah Client MCP at mcp.kowalah.com — and reach data through the same three tools, with the same limits. Their data boundary is identical.
| | Claude Connector | Kowalah Agent (Slack / Teams / Google Chat) |
|---|---|---|
| Connects to | Kowalah Client MCP (mcp.kowalah.com) | The same Kowalah Client MCP |
| Authenticates as | The signed-in user, via OAuth | The same user, via a per-user token issued after they link their account |
| Data it can reach | Only the organizations you belong to | Identical — only the organizations that user belongs to |
| Tools available | 3 tools: 2 read, 1 create | Identical |
| Can it edit or delete data? | No | No |
- The Connector answers questions and explores your data inside Claude.
- The Agent actively coaches your team — it uses skills (a coach, a use-case advisor, and a workflow designer) to be a sparring partner and help design AI workflows in the flow of work.
Headline guarantees
Least privilege by design
The connector exposes three tools. Two are read-only; one creates a new opportunity. There is no capability to edit, overwrite, or delete any of your data — it does not exist in the code.
Strict tenant isolation
Every database query is filtered to your organization through a single, tested function. A user can only ever see data for organizations they are an accepted member of.
No training on your data
Anthropic does not use data sent through its commercial APIs to train its models. Your conversations and data are not used to improve any model.
Authenticated as the individual
Access is always tied to a real, authenticated user and their role. The Agent resolves identity per message, so each person only ever sees their own organization’s data.
How data flows
When someone uses the Connector or the Agent, their request is authenticated, scoped to their organization, and answered from the Kowalah database. Data is fetched on demand for that single request — nothing is bulk-copied or mirrored. The two surfaces take different routes to the same place — and importantly, a different Claude does the work in each:
- Connector: it’s your Claude. The conversation happens inside your own Claude workspace, on your own subscription and your own agreement with Anthropic. Kowalah never sees the conversation — the only thing that reaches Kowalah is the tool calls arriving at the MCP server.
- Agent: it’s Kowalah’s Claude. Messages to the Agent are processed by Kowalah’s Claude, via Anthropic’s API under Kowalah’s commercial terms — covered by the same no-training commitment and our subprocessor disclosures.
- Either way, the same boundary. Both routes land on the same Kowalah Client MCP, which scopes every query to the user’s organization before it touches the database — and the database returns only that organization’s data, with internal fields stripped and non-client records filtered out.
What’s in this section
Data flow and exfiltration
What can and can’t move between your organization and Kowalah, why these tools exist, and how to verify it yourself.
Data and access control
Authentication, tenant isolation, role-based permissions, least privilege, and how data is handled and retained.
Chat platform security
Slack and Teams OAuth scopes explained, how the Agent is triggered (mention or DM), account linking, revocation, and admin controls.
Subprocessors and compliance
The full list of subprocessors, where data is hosted, AI model handling, and the Data Processing Agreement.
Infosec FAQ
Direct answers to the questions security teams ask most — ready to forward.
Have a question this section doesn’t cover, or a vendor security questionnaire you need completed? Talk to your Kowalah team and we’ll respond directly.