Theodore&
Back to Theodore&

Trust & Safety

Security & privacy

2 min read · Updated Mar 7, 2026

Theodore& is built to help people trust the system that does real work in their files. Here’s how we protect your data, your workspace, and your team.

Key takeaways

  • We process your workspace files only to complete the work you request — never for unrelated model training.
  • Your data is encrypted in transit and at rest, with provider keys stored in hardware-backed Azure Key Vault.
  • You know which AI provider is being used on every request, and provider access is governed by scoped OAuth.
  • You can request export or deletion of your account data at any time by contacting support.

Our commitment

Users should always be able to understand where work is happening, which AI provider is being used, and what data is required to get the job done. No hidden processes. No ambiguity.

Security measures

How we protect your workspace.

Encrypted in transit & at rest

All communication uses HTTPS. Provider keys are stored in Azure Key Vault with hardware-backed encryption.

Scoped OAuth tokens

Workspace files are accessed through Microsoft Graph API with scoped OAuth tokens — Theodore only accesses what you authorize.

Azure-hosted infrastructure

All services run on Azure Container Apps with managed identity, role-based access controls, and audit logging.

No training on your data

Theodore& does not use your workspace files for model training. Your data is processed solely to deliver the requested workflow.

Provider transparency

When Theodore sends a request to OpenAI or Anthropic, you know which provider is being used. Provider API calls are governed by the provider's own terms.

Role-based access

Admin controls, permission-based workspace access, and audit trails ensure your team maintains control over who can do what.

Privacy policy

How we handle your data.

Workspace data privacy

Theodore& processes project files, messages, and workspace metadata only to deliver the requested workflow. Theodore& does not use customer workspace files for unrelated model training, and access to files remains tied to the product flows and permissions required to perform the task.

Business and project data

Theodore& stores the project information needed to operate the service: account details, connected providers, workspace and file metadata, job history, event logs, and output artifacts. That information helps with reliability, support, auditability, and product operations.

How Theodore& uses information

We use information to provide the service, maintain security, debug issues, improve the product, communicate with users, and comply with legal obligations. When users connect a provider such as OpenAI or Anthropic, Theodore& may send the relevant request payload to that selected provider in order to complete the task.

Data sharing

Theodore& does not sell customer data to third parties. Theodore& may share information with infrastructure partners, AI providers users have connected, and legal authorities where required. Provider API calls are governed by the provider's own terms.

Data retention

Job history and output artifacts are retained for the duration of the user's active account. Users may request data export or deletion by contacting support. Provider-side retention is governed by each provider's data handling policies.

Still have questions?

Talk to us. We’re happy to walk through security, data handling, or anything else.

Talk to us

Last updated: March 7, 2026.