Controls
Last reviewed 2026-06-24
- ✓ TLS 1.2+ enforced for client and API traffic
- ✓ HTTPS and HSTS on production application endpoints
- ✓ Infrastructure-layer encryption for persistent storage
- ✓ Environment separation for production workloads
- ✓ Secure operator access to production systems
- ✓ Multi-factor authentication supported
- ✓ Passkeys (WebAuthn / FIDO2) supported
- ✓ Role-based access control for workspaces and administration
- ✓ Enterprise SSO (SAML) for entitled organizations
- ✓ SCIM 2.0 user provisioning for entitled organizations
- ✓ Session invalidation on password change and sign-out
- ✓ Security headers including content security policy
- ✓ CSRF protections on state-changing requests
- ✓ API rate limiting and input validation
- ✓ Dependency and vulnerability scanning in CI
- ✓ Structured logging with sensitive field redaction
- • Formal penetration testing program
- ✓ AES-256-GCM encryption for designated secrets and encrypted content
- ✓ Customer-controlled encrypted rooms (organization-managed and E2EE)
- ✓ Customer data export capabilities
- ✓ Documented data retention and deletion practices
- ✓ Subprocessor list published
- ✓ Published Privacy Policy and Data Processing Addendum
- ✓ Bring Your Own Model — customer chooses AI providers
- ✓ Provider API keys encrypted at rest (AES-256-GCM)
- ✓ Customer Content not used to train third-party foundation models
- ✓ Platform improvement practices documented in Terms and Privacy Policy
- ✓ Optional customer AI subprocessors clearly identified
- ✓ Database backups with tested restore procedures
- ✓ Service health and error monitoring
- ✓ Incident response contact and reporting path
- • Published business continuity documentation
✓ Implemented
• Planned