Security

Security at WorkAgents AI

AI that acts on your business must be held to a higher standard than software that just stores records. Here is how we design for that — plainly, without overstated claims.

Human-in-the-loop on every AI action

The core of our security model is architectural, not cosmetic: AI agents on the WorkAgents platform produce drafts only. A quotation, an outbound email, a purchase proposal or a customer record change created by an agent does not take effect until a named human approver reviews and signs it off. There is no configuration that lets an agent send a customer-facing communication or commit a financial decision autonomously. Once a human edits an AI draft, the record is locked against further silent AI modification, so what your approver saw is what goes out.

Audit logging

Every mutation in the system — whether performed by a person or an agent — is written to an append-only audit log that records the actor, the actor type (human or agent), the action, the affected record, a correlation ID and a timestamp. Agent actions additionally reference the specific agent run that produced them, so any output can be traced back to the inputs and reasoning that generated it. Quote revisions are snapshotted as immutable versions, giving you a complete before-and-after history of anything sent to a customer.

Authentication and role-based access

Access to the platform is authenticated with short-lived, signed JSON Web Tokens (JWT). Within an organization, users are assigned one of a small set of roles — administrator, operations, approver and viewer — and permissions follow the principle of least privilege. Only users holding the approver role can resolve human-review gates and release AI-drafted output; viewers can read but never change data. Administrative functions are separated from day-to-day operational access.

Tenant isolation

WorkAgents AI is multi-tenant, and every row of data is bound to your organization. Queries are scoped to your organization at the database layer, not just in application code, so one customer's data is not reachable from another customer's session. Per-organization uniqueness and access rules are enforced in the schema itself.

Credentials and data protection

Credentials that you connect — mailbox tokens, API keys for integrations — are stored encrypted at rest and are never exposed back to the browser in plain text. Data in transit is protected with TLS. Internal secrets are rotated when personnel or systems change, and access to production data is restricted to a small number of authorized engineers for support and operations purposes only.

Data minimization

We follow an EU-style data-minimization approach: agents process the business content you explicitly connect — emails, RFQs, catalogues, vendor and customer records — and nothing more. We do not sell personal data, we do not use your business content to train models for other customers, and we retain data only as long as your contract and applicable statutory periods require. You can request export or deletion of personal data at any time via privacy@workagentsai.com; see our privacy policy for details.

AI-specific safeguards

Because our agents read inbound email from the open internet, we treat every incoming message as untrusted input. Inbound content is screened before it reaches an agent's reasoning step, agents operate with narrowly scoped permissions rather than blanket access, and unexpected or suspicious patterns — such as a known company writing from an unfamiliar address — are flagged for human attention instead of being processed silently.

What we don't claim

We are an early-stage company and we prefer accurate claims to impressive ones. We do not currently hold formal certifications such as SOC 2 or ISO 27001. The controls described on this page reflect how the platform is actually built, and we are happy to walk your security team through the architecture in detail as part of any evaluation.

Reporting a security issue

If you believe you have found a vulnerability in any WorkAgents AI product or website, please email security@workagentsai.com with the details. We acknowledge reports promptly, keep you informed while we investigate, and ask that you give us reasonable time to remediate before public disclosure. For general privacy questions, contact privacy@workagentsai.com.