Documentation
Security
Application practices we actually follow. Trust center policies live on the public site; this guide points operators at product controls.
Product controls
- MFA / passkeys
- SSO / SCIM
- Audit log
- API keys (Enterprise) · encrypted integration secrets
Platform
Security headers (HSTS, CSP, COOP, CORP), Redis-backed rate limits on abuse surfaces, SSRF guards on monitors, and production env fail-closed gates. See Trust for legal policies.
Disclosure
Report vulnerabilities via Trust / responsible disclosure — never send secrets to shared chat.
Limitations
- SOC 2 and ISO certification are not currently claimed.
- Formal pen-test packs are sales / roadmap discussions.