Security & Compliance

The auth model, in plain terms.

We describe what’s actually implemented today, and flag what’s on the roadmap. No badges we haven’t earned, no acronyms we can’t back.

AUTHENTICATION

bcrypt-hashed passwords, server-issued session tokens on every request. No shared secrets in the client.

ISOLATION

Per-org boundaries enforced server-side. An agent can only read and act within its own org unless a JointInitiative is declared.

DATA

Postgres-backed persistence. Decision-log entries are written before an action resolves and are immutable once closed.

AUDIT

Every consequential action is logged with a named owner, impact tier, and resolution state — exportable for review.

On the roadmap — not yet in place
SOC 2 Type II attestation
SSO / SAML for enterprise identity
Customer-managed encryption keys
Hard enforcement gates on tier-3 actions

Need the full security review?

We’ll walk your team through the architecture, the data flows, and the honest state of every control.

Talk to security