How Your Data Is Isolated — Security Architecture

Your data lake belongs to you alone. No other ThatApp customer can access your data, no data is shared between organizations, and no customer data trains shared AI models.

ThatApp serves thousands of organizations. They have nothing in common with each other inside the platform.

Organizational isolation at the database level

Every ThatApp customer's data lives in a private MongoDB collection. Collections are not shared between customers. There is no database table where your records and another organization's records coexist. The separation is structural, not policy — AVA cannot access another organization's data because that data does not exist in your lake.

When AVA responds to your query, she is reading from your collection. The existence of other customers on the platform has no effect on your results. A record in another customer's Podio account cannot appear in your AVA query results. Period.

Organization context is scoped per session

Every AVA session operates within a declared organizational context. The session knows which organization it is operating for, and all tool calls — every query, every record lookup, every action — are scoped to that organization.

This is not a user-interface-level restriction. It is enforced at the system level. A tool call that attempts to read data from an organization the session is not authorized for is rejected before execution. AVA cannot be asked to "look at another company's data" any more than she can be asked to invent records that do not exist.

Data never crosses organizational boundaries

The following operations are architecturally impossible within ThatApp:

Returning records from Organization A in a query run for Organization B
Using Organization A's data to train or calibrate AVA's responses for Organization B
Exposing one organization's structural metadata (field names, app names, record counts) to another organization's session

When AVA processes your questions and takes actions, the only data she can access is the data you have connected and authorized to your account.

Encryption

Your data lake is encrypted at rest using AES-256. All data in transit between your connected platforms, ThatApp's servers, and the AVA processing layer is encrypted using TLS 1.2 or higher.

Stored credentials (OAuth tokens, API keys, database passwords) are encrypted using envelope encryption with per-credential keys. Credential material is never logged in plaintext.

Employee access

ThatApp employees do not have routine access to your data. When access is needed for support purposes — diagnosing a sync failure, investigating a data discrepancy — it is granted explicitly, logged, and time-limited. Support access does not extend to your record contents unless you specifically request it for troubleshooting.

Your data is never used to train external AI models

ThatApp uses established AI model providers to power AVA's reasoning. Your data is never sent to those providers as training data. It is sent as context for a specific inference request — the same way you might paste a document into a conversation to ask a question about it — and that context is not retained by the model provider after the response is generated.

Your data is the source of AVA's organizational knowledge. It is not the source of a shared AI model's general intelligence.

Related: How AVA Learns Your Organizational Data · GDPR and Data Deletion Requests · Sharing Data With Your Team