Skip to main content

Security

Configure authentication, encryption, and compliance settings.

Single Sign-On (SSO)

Supported Providers

ProviderProtocol
OktaSAML 2.0, OIDC
Azure ADSAML 2.0, OIDC
Google WorkspaceSAML 2.0, OIDC
OneLoginSAML 2.0
Ping IdentitySAML 2.0, OIDC
CustomSAML 2.0, OIDC

SAML Configuration

  1. Go to AdministrationSecuritySSO
  2. Select SAML 2.0
  3. Configure:
    • Identity Provider metadata URL
    • Entity ID
    • Assertion Consumer Service URL
    • Certificate
  4. Test the connection
  5. Enable SSO

OIDC Configuration

  1. Go to AdministrationSecuritySSO
  2. Select OpenID Connect
  3. Configure:
    • Client ID
    • Client Secret
    • Authorization endpoint
    • Token endpoint
    • Scopes
  4. Test the connection
  5. Enable SSO

Encryption

Data at Rest

All stored data is encrypted:
Data TypeEncryption
Conversation logsAES-256
User dataAES-256
API keysAES-256 with key rotation
Knowledge indexesAES-256

Data in Transit

All network communication uses:
  • TLS 1.3 (preferred)
  • TLS 1.2 (minimum)
  • Certificate pinning for mobile apps

Key Management

  • Keys stored in secure key management service
  • Automatic key rotation (configurable)
  • Customer-managed keys available (Enterprise)

Service Accounts

Overview

Service accounts enable programmatic access without user credentials.

Create Service Account

  1. Go to AdministrationSecurityService Accounts
  2. Click Create Service Account
  3. Configure:
    • Name and description
    • Permission scopes
    • IP allowlist (optional)
  4. Generate credentials
  5. Securely store credentials

Permission Scopes

ScopeAccess
read:agentsView agent configurations
write:agentsCreate and modify agents
read:conversationsAccess conversation logs
read:analyticsView analytics data
admin:usersManage users

Access Control

Role-Based Access

RolePermissions
Platform AdminFull platform access
Workspace AdminManage workspace settings and users
Agent DeveloperCreate and modify agents
AnalystView analytics and reports
UserInteract with deployed agents

Custom Roles

Create custom roles for specific needs:
  1. Go to SecurityRoles
  2. Click Create Role
  3. Select permissions
  4. Assign to users or groups

Compliance

Data Residency

Configure where data is stored:
RegionData Centers
USUS East, US West
EUIreland, Frankfurt
APACSingapore, Sydney

Certifications

CertificationStatus
SOC 2 Type IICertified
ISO 27001Certified
GDPRCompliant
HIPAAAvailable (Enterprise)

Data Retention

Configure retention policies: 
Retention Policy:
  conversations:
    default: 90 days
    extended: 365 days
  analytics:
    default: 365 days
  audit_logs:
    default: 365 days
    compliance: 7 years

Audit Logging

Logged Events

CategoryEvents
AuthenticationLogin, logout, SSO events
AuthorizationPermission changes, role assignments
Data accessConversation access, exports
ConfigurationAgent changes, settings updates
SecurityAPI key creation, service accounts

Log Export

Export logs for SIEM integration:
  • Real-time streaming (Splunk, Datadog)
  • Scheduled exports (S3, Azure Blob)
  • On-demand download (CSV, JSON)

Network Security

IP Allowlisting

Restrict access by IP:
  1. Go to SecurityNetwork
  2. Enable IP allowlisting
  3. Add allowed IP ranges
  4. Configure enforcement (warn or block)

Private Connectivity

Enterprise options:
OptionDescription
VPNSite-to-site VPN connection
Private LinkAWS PrivateLink, Azure Private Link
DedicatedDedicated infrastructure