
How is my data kept separate from other organisations?

Short answer: REQQA is multi-tenant. Every record you create belongs to an organisation, and you only ever see — and only ever act on — the data that belongs to your organisation. Applications, requirements, stories, glossary terms, releases, analysis results and your AI configuration are all kept apart from every other organisation on the platform.

How the separation works

REQQA's data model is organised around the organisation (the tenant). Almost every table in the database carries an orgid column that records which organisation a row belongs to — applications, requirements, stories, personas, glossary definitions, analysis runs, AI call logs, notifications and more. When you sign in, REQQA resolves your current organisation from your profile and scopes what you can read and write to that organisation.

In practice this means:

  • The Applications list shows only your organisation's applications.
  • Inside an application, the requirements, stories, releases (scopes) and glossary all belong to your organisation.
  • An analysis you run, and the issues it finds, are recorded against your organisation.

You do not share a workspace with other organisations, and there is no cross-organisation browsing in the application. Each organisation is its own self-contained world built on top of a common platform.

note

"Organisation" is the unit of tenancy in REQQA. A user belongs to an organisation through membership, and your active organisation determines everything you see. For the full picture of how organisations, applications and the requirements hierarchy fit together, see the Key Concepts chapter.
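A minimal sketch of this kind of tenant scoping, added here as an illustration and not REQQA's own code: every statement carries the orgid predicate, and the active organisation is accepted only after a membership check, including for a user who belongs to more than one organisation. Only the orgid column comes from the text above; the table names, the `userid` column, the `TenantSession` class and the sample rows are assumptions constructed for the example.

```python
import sqlite3

# Constructed schema and sample rows. Apart from the orgid column, every
# name here is an assumption for illustration, not REQQA's real schema.
SCHEMA = """
CREATE TABLE membership (userid TEXT, orgid TEXT, PRIMARY KEY (userid, orgid));
CREATE TABLE application (id INTEGER PRIMARY KEY, orgid TEXT NOT NULL, name TEXT);
INSERT INTO membership VALUES ('alice','org-a'), ('carol','org-a'), ('carol','org-b');
INSERT INTO application (orgid, name) VALUES
  ('org-a','Billing'), ('org-a','Portal'), ('org-b','Claims');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

class TenantSession:
    """Binds a connection to one (user, active organisation) pair."""

    def __init__(self, db, userid, active_orgid):
        # The requested organisation is honoured only if a membership row
        # exists; a client-supplied orgid is never trusted on its own.
        row = db.execute(
            "SELECT 1 FROM membership WHERE userid = ? AND orgid = ?",
            (userid, active_orgid)).fetchone()
        if row is None:
            raise PermissionError(f"{userid} is not a member of {active_orgid}")
        self._db, self.orgid = db, active_orgid

    def list_applications(self):
        return self._db.execute(
            "SELECT id, name FROM application WHERE orgid = ? ORDER BY id",
            (self.orgid,)).fetchall()

    def get_application(self, app_id):
        # A lookup by primary key still carries the orgid predicate, so a
        # guessed id from another tenant returns None rather than the row.
        return self._db.execute(
            "SELECT id, name FROM application WHERE id = ? AND orgid = ?",
            (app_id, self.orgid)).fetchone()

    def create_application(self, name):
        # orgid is stamped from the session, never taken from caller input.
        cur = self._db.execute(
            "INSERT INTO application (orgid, name) VALUES (?, ?)",
            (self.orgid, name))
        return cur.lastrowid
```

The check worth repeating in any review of such a layer is the by-id lookup: list views are usually filtered, while direct object references are where a missing orgid predicate tends to hide.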

Your AI configuration is per-organisation

REQQA's analysis features call a large language model, and the credentials for that are held per organisation, not globally. Each organisation has its own AI settings:

  • its own OpenAI API key,
  • its chosen AI model (for example gpt-4), and
  • its temperature setting.

Because the key is set at the organisation level, your AI usage and billing are tied to your organisation's own key — another organisation's analyses never run against your credentials, and yours never run against theirs.

How the key is stored

Your organisation's API key is stored in encrypted form, not as plain text. REQQA holds a server-side MASTER_ENCRYPTION_KEY (kept in application settings, outside the application database) that is used to protect stored credentials. The key is decrypted only at the point it is needed to make an AI call.

tip

You can set, review and change your organisation's AI key, model and temperature on the Organisation Settings page. If you remove the key, AI analysis for that organisation will not run until a new key is provided.

What we claim — and what we don't

We want to be precise here rather than over-claim:

  • What is true: data is segregated by organisation throughout the application; you only see your own organisation's records; AI keys are per-organisation and stored encrypted using a server-held master key.
  • What we don't claim: REQQA does not advertise specific external security certifications or compliance attestations on this page. If your organisation needs formal assurances for a procurement or regulatory process, ask us directly rather than inferring them from this FAQ.

caution

REQQA is supplied on an invite-only basis during its current phase, and access to an organisation is granted deliberately rather than self-served. That gating is part of how we keep organisations and their data separate. See Why is REQQA invite-only? for the reasoning.

If you work across more than one organisation

Some people are members of more than one organisation — for example a consultant working with several client teams. In that case each organisation remains entirely separate: the data, applications and AI settings of one are never visible from another. Switching your active organisation simply changes which separated world you are looking at.