Subprocessors
Kowalah uses a small set of established infrastructure and AI providers. Each handles a specific, limited part of the service.| Subprocessor | Role in the service | What it handles |
|---|---|---|
| Anthropic | AI model provider (Claude) | Processes the user’s request and the data returned to answer it. Powers the model behind both the Connector and the Agent. |
| Vercel | Application hosting | Hosts the Kowalah MCP server and Agent application that handle requests. |
| Supabase | Database | Stores your Kowalah programme data (projects, deliverables, opportunities, and so on). |
| Clerk | Identity / authentication | Authenticates Connector users via OAuth. |
| Upstash | Transient cache | Holds short-lived conversation/session context for the Agent so a thread stays coherent. Expires automatically. |
This list reflects the services in the path of the Connector and Agent. Kowalah’s full subprocessor list for the wider platform and managed services is available to customers on request and is maintained as part of the Data Processing Agreement.
How AI models handle your data
This is the question that follows any AI tool into a security review.No training on your data
Anthropic does not train its models on data submitted through its commercial APIs. Your conversations, prompts, and the Kowalah data returned are not used to train or improve any model.
Processed to answer, not retained to learn
Inputs and outputs are processed to generate a response. Anthropic applies limited retention for operational and safety purposes under its commercial terms; nothing feeds back into model training.
Claude is the model
Both surfaces are powered by Anthropic’s Claude. There are no fine-tuned or custom model variants trained on your data.
Enterprise-grade provider
Anthropic maintains its own security and compliance programme, including independent audits, which we can reference in a security review.
Hosting and data residency
The Connector and Agent run on Vercel, with data stored in Supabase. Specific hosting regions and data-residency commitments are documented in the Data Processing Agreement and can be confirmed for your contract — talk to your Kowalah team.Encryption
- In transit: TLS on every connection between the user’s client, Anthropic, the Kowalah servers, and the database.
- At rest: managed database and infrastructure with encryption at rest.
- Secrets: the Agent’s per-user access tokens are stored only as one-way SHA-256 hashes; the raw token is held in Anthropic’s secure vault and never written to Kowalah’s logs or database.
Data Processing Agreement
Kowalah offers a Data Processing Agreement (DPA) to customers. It covers the processing of personal data, the subprocessor list, data residency, retention and deletion, and the security measures in place.Request the DPA
Ask your Kowalah team for the current Data Processing Agreement and any additional documentation your security review requires.
If your security team works from a standardized questionnaire (such as a SIG, CAIQ, or your own template), send it to your Kowalah team and we’ll complete it directly rather than asking you to map our docs to it.