Security
This page stays focused on controls we can back up in the codebase today. No fake badges, no certification theater, and no broad promises that are not implemented.
Tenant-scoped access
Workspace access, billing, and integrations are enforced through authenticated organization-scoped checks in the backend.
Inbound integrity controls
Webhook routes verify signatures and include replay or duplicate protection instead of trusting every inbound delivery at face value.
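One way signature verification, replay rejection and duplicate rejection can fit together on a webhook route, as an added example and not this product's code. The HMAC-SHA256 scheme, the signed `timestamp.delivery_id.body` layout, the 300-second window and every name below are assumptions.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed freshness window, not a value from this page


class WebhookVerifier:
    """Hypothetical verifier: MAC check, then freshness, then duplicate check."""

    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self._secret = secret
        self._tolerance = tolerance
        self._seen = {}  # delivery_id -> time after which the id can be forgotten

    def sign(self, timestamp: int, delivery_id: str, body: bytes) -> str:
        # Timestamp and delivery id are inside the MAC, so neither can be
        # swapped to slip an old body past the replay checks.
        msg = f"{timestamp}.{delivery_id}.".encode() + body
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def verify(self, timestamp, delivery_id, body, signature, now=None) -> str:
        now = int(time.time()) if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "bad_timestamp"
        if not isinstance(signature, str):
            return "bad_signature"
        expected = self.sign(ts, delivery_id, body)
        # Compare as bytes in constant time; non-ASCII input cannot raise here.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad_signature"
        if abs(now - ts) > self._tolerance:
            return "stale"
        # Drop ids whose timestamp has aged out; those now fail as "stale".
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if delivery_id in self._seen:
            return "duplicate"
        self._seen[delivery_id] = ts + self._tolerance + 1
        return "ok"


if __name__ == "__main__":
    v = WebhookVerifier(b"constructed-secret")         # constructed sample values
    body = b'{"event":"invoice.paid"}'
    sig = v.sign(1700000000, "d-1", body)
    print(v.verify("1700000000", "d-1", body, sig, now=1700000010))
    print(v.verify("1700000000", "d-1", body, sig, now=1700000020))
```

The in-memory dictionary stands in for a shared store; with more than one backend instance the seen-id record has to live somewhere all instances can read.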
Encrypted integration secrets
Stored integration tokens are encrypted at rest, including explicit AES-GCM authentication tag handling in the current implementation.
Browser and outbound safety
The stack includes CSRF protections for browser flows and SSRF-safe outbound request handling where the app fetches external resources.
What this page does not claim
We do not publish unsupported claims about certifications, uptime guarantees, or disaster recovery programs that are not documented in the current product and ops stack. If your team needs a deeper security conversation, ask for it directly.