Security & Trust
Built for the enterprise security review.
Isolation by default. Audit log on every action. No public endpoints. SOC 2 Type II in progress.
Isolation by Default
Every customer gets their own daemon, their own secrets, their own database. No shared state. No noisy-neighbor risk. A breach on one tenant cannot reach another.
- Dedicated process per tenant (systemd / launchd unit)
- Per-tenant encrypted Keychain / Vault namespace
- Tenant-scoped logs with redaction at the boundary
Socket Mode Transport
Your agent connects to Slack via Socket Mode — outbound-only WebSocket. No inbound port. No public endpoint. No firewall rule. Works behind enterprise network controls without IT involvement.
- Outbound WebSocket only — no inbound ports
- No public webhook surface to harden
- Survives strict egress controls and corporate VPNs
Token Discipline
Tokens are stored in an encrypted vault, decrypted only into process memory, and stripped from any payload that goes to the LLM. Rotation is a single command.
- AES-256 at rest, in macOS Keychain or HashiCorp Vault
- Stripped from LLM prompts before send
- One-command rotation, with grace window
Authorized User Lists
Only users on your explicit allow-list can drive the agent. Everyone else gets a polite refusal. Changes to the allow-list are audit-logged and reversible.
- Per-channel and per-skill allow-lists
- Slack-native user IDs (no parallel auth system)
- Audit log retained 90 days minimum
Observability
Every action your agent takes is logged with timestamp, actor, payload hash, and outcome. Replay is one command. Investigations don't require root.
- Structured JSON logs to your observability stack
- Per-tenant log retention configurable
- Replay tooling for any activity in the past 90 days
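To make the Authorized User Lists and Observability sections concrete, here is an added sketch (not the product's own code) of a default-deny check keyed on channel, skill and Slack user ID that emits one structured JSON audit line per decision, refusals included. The function names, record field names, tenant name and all IDs are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed allow-list: (channel ID, skill) -> Slack user IDs. All IDs are made up.
ALLOW = {
    ("C0EXAMPLE1", "deploy"): {"U0ALICE01"},
    ("C0EXAMPLE1", "search"): {"U0ALICE01", "U0BOB0002"},
}

def payload_hash(payload: dict) -> str:
    """SHA-256 over canonical JSON, so the log references a payload without storing it."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def authorize(tenant, user, channel, skill, payload, now=None):
    """Default-deny check. Returns (allowed, audit record as one JSON line)."""
    # Unknown (channel, skill) pairs fall through to an empty set, so they are refused.
    allowed = user in ALLOW.get((channel, skill), set())
    record = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "tenant": tenant,
        "actor": user,
        "channel": channel,
        "skill": skill,
        "payload_sha256": payload_hash(payload),  # hash only, never the payload itself
        "outcome": "allowed" if allowed else "refused",
    }
    return allowed, json.dumps(record, sort_keys=True)

if __name__ == "__main__":
    request = {"text": "deploy api v2"}  # constructed sample payload
    for user in ("U0ALICE01", "U0BOB0002", "U0UNKNOWN"):
        ok, line = authorize("tenant-a", user, "C0EXAMPLE1", "deploy", request)
        print(line)
```

Because the record carries a hash of the canonical payload rather than the payload, an investigator can match a logged action to a stored request without the log itself holding message content.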
Compliance Posture
SOC 2 Type II readiness baked into the architecture. GDPR / CCPA cooperation built in: data subject access, deletion, and export are first-class operations.
- SOC 2 Type II in progress
- GDPR / CCPA data subject tooling
- Annual third-party penetration test
Compliance status
Where each program stands today.