
Security and Governance

Access Model

  • Workspace membership controls organization access.
  • Admin privileges are required for high-impact mutation workflows.
  • Agent resources are scoped to organization and agent identifiers.

Key Security Controls

  • Widget publishable key hashing at rest (SHA-256)
  • Domain allowlist enforcement for widget-facing APIs
  • Audit event capture for sensitive workspace actions
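
An added example, not the product's own code, of how the first two controls above can be enforced together on a widget-facing endpoint: the presented key is compared against its stored SHA-256 digest, and the request Origin is matched exactly against the allowlist. The record layout, function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlsplit


def hash_key(publishable_key: str) -> str:
    """SHA-256 hex digest; only this value is stored, never the key itself."""
    return hashlib.sha256(publishable_key.encode("utf-8")).hexdigest()


def origin_host(origin: str) -> Optional[str]:
    """Lowercase host of an http(s) Origin header, or None if it is malformed."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A real Origin value carries no path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    return parts.hostname.rstrip(".")


def authorize_widget_request(record: dict, presented_key: str, origin: str) -> Tuple[bool, str]:
    """Return (allowed, reason). `record` is a hypothetical stored widget row."""
    # Hash the presented key and compare digests in constant time.
    if not hmac.compare_digest(hash_key(presented_key), record["key_sha256"]):
        return (False, "key_mismatch")
    host = origin_host(origin)
    if host is None:
        return (False, "bad_origin")
    # Exact match only: suffix or substring matching would accept
    # lookalike hosts such as shop.example.com.other.test.
    # Assumption: the allowlist holds bare hostnames, so the port is ignored.
    if host not in record["allowed_domains"]:
        return (False, "origin_not_allowed")
    return (True, "ok")


# Constructed sample data, not real keys or domains.
SAMPLE_KEY = "pk_example_0000"
SAMPLE_RECORD = {
    "key_sha256": hash_key(SAMPLE_KEY),
    "allowed_domains": {"shop.example.com"},
}
```

The reason string is suited to the audit event rather than the client response, so a caller cannot tell which of the two checks failed.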

Governance Recommendations

  • Use separate workspaces for separate legal entities or brands.
  • Restrict admin role assignment.
  • Rotate widget publishable keys routinely.
  • Review webhook destinations quarterly.
  • Review agent actions for endpoint and schema drift.
Dukon | Docs