At every demo there comes a moment when the security team speaks up. The question is always the same, only the wording changes: "Where does our data go?" And it is the right question, because between "employees paste contracts into a public chatbot themselves" and "AI works with data under the company's control" lies a chasm worth taking apart piece by piece.
Let's start with an uncomfortable fact: AI is already being used in your company. During our reviews we ask about this directly, and the picture is similar everywhere: 30–50% of office staff regularly turn to public bots to rewrite an email, consolidate a table, or "take a look at this contract." No policy, from personal accounts, with real client data. Bans don't work: the tool saves people hours, and they will use it. What works is different: giving them the same tool inside a controlled perimeter.
A public service and a corporate platform are different things
A public AI service is built simply: you send text to someone else's server on someone else's terms. Free tiers almost always reserve the service's right to use your conversations to train models; your contract with a counterparty becomes part of someone's training data. No access control: an intern can send there something they have no access to in the accounting system. No log: you won't find out what exactly went out, or when.
| Security team's question | Public bot | The AISOL platform |
|---|---|---|
| Where data is processed | The service's server, the service's jurisdiction | An isolated perimeter under a contract with the company |
| Does the data train models | Often yes, by default | No, fixed by contract |
| Access rights | None | Inherited from your systems, by role |
| Action log | None | Every request and every agent action |
| Who is liable under the contract | No one | The platform provider, with an SLA and liability |
The isolated perimeter: how it works
The platform's baseline model is a dedicated, isolated perimeter for each client. Your data is not mixed with other companies' data, does not end up in shared indexes, and is not used to train models, neither ours nor anyone else's. This is not a gesture of goodwill but a clause in the contract, with liability attached.
Agents connect to your systems through integrations and work with data in place: to answer a question about a contract, an agent doesn't need to export the entire contract archive: it reads the specific document, produces the answer, and leaves no copies where they shouldn't be. For organizations with elevated requirements (banks, the quasi-public sector, companies with state secrets inside the perimeter) there is a next tier: deploying the entire platform locally within the company's perimeter, on your infrastructure, up to fully operating without internet access. Such a configuration starts at 100 million tenge per year versus the standard subscription from 12 million, and it isn't needed by everyone: for most tasks the isolated perimeter is enough.
Rights: an agent knows no more than the person asking
The most underestimated threat is not an external leak but an internal one: an AI assistant that answers any employee about any company data is a hole the size of the entire company. A manager asks "what are the salaries in the sales department," and the polite assistant answers.
That's why on the platform rights aren't configured from scratch but inherited from your systems. If an employee has no access to the payroll sheet in the accounting system, the agent won't answer their question about salaries, even if it technically "knows" the answer. Every request runs on behalf of a specific person, with their role and their boundaries. The same goes for the agents themselves: an agent that processes source documents runs under a separate account with rights for exactly that operation. We covered this principle in detail in the article on agents working through the interface.
The log: the question "who did this" is answered in a minute
Every action in the platform is recorded: who asked, what they asked, which sources the answer was assembled from, what actions the agent performed in the systems, and on what basis. For critical operations (changing data, sending documents, anything involving money) control points are defined in advance: the agent prepares the operation, a person confirms it.
The platform's principle: an agent may make a mistake in a draft, but it cannot silently take an irreversible action. Everything irreversible passes through human confirmation and stays in the log.
A short scenario from one of our reviews. The security team of an industrial company demanded that we show what happens to a commercial-proposal file after the agent has analyzed it. We opened the log: the file was read from corporate storage under a specific manager's rights, processed inside the perimeter, the result handed back to that same manager, and temporary data deleted on schedule after 24 hours. A check that is fundamentally impossible for a public service took ten minutes.
What to ask any AI provider
These questions are worth asking everyone, including us. Where is data physically processed, and what does the contract say about it? Is our data used to train models, and where is the clause that forbids it? How are rights separated between employees? Is there an action log, and can we export it ourselves? What happens to the data when the contract ends? A provider who answers evasively on even one of the five is cutting corners on architecture, and that saving will become your problem.
Our answers are gathered on the security page, and you can test them in practice on a prototype: in about a week we set up a scenario on your data for free, inside an isolated perimeter, with the same rights and log as in production. Production takes from 8 weeks, including an access audit together with your security team. Bring your security officer to the demo: the conversation gets more concrete.
Frequently asked questions
Will our data definitely not be used to train your models?
Definitely. Client data is not used to train models: this is fixed in the contract, not in marketing materials. Models are fine-tuned on your data only at your explicit request, and the result of such fine-tuning belongs to your perimeter and is not transferred to other clients.
How is an isolated perimeter different from deployment inside the company's perimeter?
An isolated perimeter is a dedicated environment for your company with contractual guarantees: data is not mixed and does not go to third parties. Deployment on premises means the platform physically runs on your infrastructure, without internet access if needed; this is a configuration from 100 million tenge per year for organizations with regulatory requirements. For most companies the first option is enough.
What happens to the data if we terminate the contract?
Your perimeter, with all its data, indexes, and settings, is deleted within the agreed period, and before deletion you receive an export in open formats. The terms and timelines are set out in the contract in advance: this is a question to close at the signing stage, not at the parting stage, with any provider.