Theta Assist is built and managed by Theta Systems Limited (Theta), a trusted technology consultancy based in Auckland, New Zealand with over 30 years of experience. Our team maintains strong governance standards and is supported by a dedicated cybersecurity division that works closely with the Theta Assist product team to safeguard your data and privacy.
Will my data be used for training AI models?
No. Data is explicitly prevented from being used for training.
Will my data be mixed with other customer data?
No. Your data is logically separated from other customer data.
Where is data hosted?
There are two main components at play here - the Theta Assist application and the AI model. The Theta Assist application is hosted in the Microsoft Azure cloud. You choose when you purchase Theta Assist which Microsoft Azure region you wish to use. For AI models, if you choose our A1 plan (AI included), then we use OpenAI's USA servers with appropriate privacy and security controls in place. If you choose to host the AI model on Azure, then you can choose which Azure location you want for the model.
Is data encrypted in transit and at rest?
Yes, using modern industry standards.
Theta holds certified compliance with the ISO 27001 information security management standard, applying the same high level of protection across all products, including Theta Assist.
Theta Assist is delivered via Azure Marketplace and is hosted within your own Azure environment. Microsoft completes independent application verification before applications can be published.
By deploying in your Azure tenant, Theta Assist benefits from Azure’s robust, enterprise-grade security - including physical data center protections, encrypted storage, disaster recovery, and ongoing monitoring.
You can select to use our AI-included plans that securely connect to OpenAI APIs in the USA, or you can use Azure-hosted OpenAI services. Azure OpenAI allows for global and regional deployments. In both cases security and privacy agreements are in place.
Theta Assist uses Microsoft logins for access – this allows you to have easy onboarding and offboarding of users and restricts access to your nominated domain(s). All conditional access controls and MFA settings you have in place for your organization apply to the login to Theta Assist.
All data in transit and at rest within Theta Assist is encrypted.
We employ the protection of the Cloudflare Web Application Firewall to defend against DDoS attacks and common web threats.
Theta Assist includes a suite of controls to help you manage privacy effectively:
Data Ownership: Data entered or imported by you remains your property. No data you enter via Theta Assist will be used to train AI models.
Customer Data Segregation: Each customer’s data is stored within their own Azure tenant. If using our AI included plans your data is also sent to OpenAI for processing. All assistants and conversations are separated from other customers with a unique project structure and access separation for each customer.
Conversation Privacy: All conversation threads remain private to your users – unless they explicitly share them, or when assistant memory is enabled (which is clearly shown to users).
Assistant Access Controls: Users and admins can define which users can access an assistant. You can turn on sharing protection – where admins must approve the sharing of assistants.
Admin Access Roles: You can nominate admin users who can transfer ownership of assistants and approve sharing.
Access Governance: Only authorized support users can access your environment. Support staff access is strictly for troubleshooting purposes and requires appropriate authorization.
Our Privacy Policy describes how personal data is collected, used, and managed.
We have a signed Data Processing Agreement with OpenAI. If you use our AI included plans, you are protected by this agreement, which is a GDPR-grade privacy agreement and explicitly prevents data being used for training purposes by OpenAI. OpenAI has extensive information on their security and privacy credentials available at https://trust.openai.com/.
You can access, correct, or delete your personal information by contacting our privacy team at hello@thetaassist.ai or enquiries@theta.co.nz. In compliance with data protection regulations, we handle all requests promptly and transparently.
We follow a Secure Development Lifecycle (SDLC) methodology, incorporating regular scans aligned with the OWASP Top 10 vulnerabilities.
Code is scanned at compile time to catch issues early, and third-party dependencies are audited for known risks.
We run weekly external automated attack surface scans, plus periodic independent penetration testing on our web interface.
Feature: Details
ISO 27001 Compliance: Yes
Azure-based Hosting: Yes – uses Azure’s security controls, optionally use Azure AI Foundry
Encryption (in transit & at rest): Yes
WAF / DDoS Protection: Cloudflare WAF
Secure Development Practices: OWASP-based scans, code scanning, dependency checks
External Security Testing: Weekly automated scans + periodic independent penetration testing
Data Ownership & Access Control: You retain ownership. A signed DPA is in place with OpenAI. Support access is restricted to permissioned staff.
OpenAI security and trust
At Theta Assist, we understand that security and privacy are imperatives. By integrating robust security protocols, transparent privacy controls, and customer-first data governance, Theta Assist is designed to help your organization operate with both agility and assurance.