Access controls
The product supports email/password authentication, workspace membership, invitations, roles and permissions, and API key creation, rotation, and revocation.
Tenant isolation
Decision ingestion, search, timelines, analytics, alerts, intelligence, and optimization records are tenant-scoped. API requests are authenticated with either bearer user sessions or API keys.
Auditability
Administrative activity, workspace changes, and optimization workflow actions are recorded in audit logs so teams can review who changed what and when.
Data handling
Decision records are append-only by design. Customers should avoid sending secrets or unnecessary regulated data in flexible JSON fields such as inputs, context, evidence, and metadata.
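One way to follow this advice, shown as an added example that is not the product's own code: scrub the four flexible fields on the client before a record is sent, since an append-only record cannot be edited afterwards. The function names, the key-name and value patterns, and the sample record are assumptions made for illustration.

```python
import re

# Flexible JSON fields named on this page.
FLEXIBLE_FIELDS = ("inputs", "context", "evidence", "metadata")
REDACTED = "[REDACTED]"
# Assumed heuristics (not from the product): tune both lists for your own data.
SENSITIVE_KEY = re.compile(
    r"(^|[_-])(password|passwd|secret|token|api[_-]?key|authorization|ssn)($|[_-])", re.I)
SENSITIVE_VALUE = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}=*")),
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]
SAMPLE_RECORD = {  # constructed sample, not real data
    "decision": "approve",
    "inputs": {"amount": 120, "api_key": "sk_example_not_real"},
    "context": {"notes": ["applicant SSN 000-12-3456 on file"], "tokens_used": 412},
    "evidence": ["header was Bearer abcdefghijklmnop1234"],
}


def _scrub(value, path, findings):
    """Return a redacted copy of value; append (path, reason) for each redaction."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(str(key)):
                findings.append((child, "sensitive_key"))
                out[key] = REDACTED  # drop the whole value under a sensitive key
            else:
                out[key] = _scrub(item, child, findings)
        return out
    if isinstance(value, list):
        return [_scrub(item, f"{path}[{i}]", findings) for i, item in enumerate(value)]
    if isinstance(value, str):
        for label, pattern in SENSITIVE_VALUE:
            if pattern.search(value):
                findings.append((path, label))
                value = pattern.sub(REDACTED, value)
    return value


def scrub_decision_record(record):
    """Scrub only the flexible fields; other top-level fields pass through unchanged."""
    findings, clean = [], dict(record)
    for field in FLEXIBLE_FIELDS:
        if field in clean:
            clean[field] = _scrub(clean[field], field, findings)
    return clean, findings
```

The returned findings list holds paths and reasons only, never the redacted values, so it can be logged locally to show which callers are putting sensitive data into these fields.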
Responsible disclosure
Before launch, publish a dedicated vulnerability reporting process that sets out requirements for the affected URL, reproduction steps, and impact.