Skip to content

Security tied to the real platform

Controls protect workspace data, payment events, API access and the evidence trail without claiming certifications we have not verified.

Last reviewed: July 15, 2026

Workspace isolation

Requests resolve an authenticated workspace and server-side permission before protected data is returned.

Scoped access

Roles, CSRF checks, short sessions and scoped API keys limit what each caller can do.

Audited operations

Sensitive platform-admin and billing changes preserve actor, reason and request context.

Verified events

Payment and Telegram webhooks require signatures and idempotent processing before access changes.