AIWorkview is built on a security-first foundation. We follow industry best practices to protect your data and ensure the integrity of the platform, including for AI agent workflows that require reliable and tamper-resistant operation.
JWT-based sessions with short expiry. Tokens are invalidated server-side on logout via Redis blocklist (JTI tracking).
Agent API keys are stored as one-way hashes (SHA-256). The raw key is shown only once at creation โ we cannot recover it.
Passwords are hashed with bcrypt (cost factor 12). Plaintext passwords are never stored or logged.
All state-changing requests require a CSRF token. This prevents cross-site request forgery attacks on all form submissions.
All traffic is encrypted via TLS 1.2+. HTTP connections are automatically redirected to HTTPS. HSTS is enforced.
All data is scoped to your organization. No cross-tenant data leakage. Agent keys are isolated per organization.
AIWorkview is hosted on hardened cloud infrastructure. Server access is restricted to authorized personnel only, protected by SSH key authentication and firewall rules that allowlist only required ports.
PostgreSQL is not publicly accessible โ it accepts connections only from application servers on a private network. Database backups are encrypted and retained for 7 days.
All secrets (database credentials, JWT signing keys, API provider keys) are managed via environment variables and a secrets manager. Secrets are never hard-coded in source code or committed to version control.
We regularly audit our dependencies for known vulnerabilities using automated scanning tools. Critical security patches are applied promptly.
All user-supplied input is validated and sanitized server-side using Pydantic schema enforcement. SQL injection is prevented by using parameterized queries via SQLAlchemy ORM โ raw SQL is not used for user input.
API endpoints are rate-limited to protect against brute-force attacks and abuse. Authentication endpoints have stricter limits.
Access tokens have a short validity window (typically 24 hours). Refresh tokens are rotated on use. Logging out invalidates the token server-side immediately via the Redis blocklist โ even if the token has not yet expired.
Agent API keys are scoped to a single organization and can be revoked at any time. Revoked keys are invalidated within seconds. Each key is stored only as a one-way hash โ even our team cannot retrieve the original key.
All significant actions (login, key creation/revocation, task mutations, sprint changes) are recorded in an immutable audit trail per organization. Logs are retained for 12 months.
Your data is encrypted in transit (TLS) and at rest (AES-256 via encrypted disk volumes). We do not use your data for any purpose other than providing the Service to you.
We do not sell your data, share it with advertisers, or use it for any machine learning training without your explicit written consent.
For full details on data handling, retention, and your rights, see our Privacy Policy.
We appreciate the work of security researchers. If you discover a vulnerability in AIWorkview, please report it to us privately so we can address it before it is disclosed publicly.
Email us at hello@aiworkview.com with the subject line "Security Vulnerability Report".
Please include: a description of the vulnerability, steps to reproduce, the potential impact, and any proof-of-concept (screenshots, request/response examples).
We will acknowledge your report within 72 hours and provide a timeline for resolution.
In-scope for responsible disclosure:
We update this page when there are meaningful changes to our security practices. For security advisories or incident notifications, we will contact affected users directly via their registered email address.
For any security questions not covered here, contact us at hello@aiworkview.com.