Security

Updated April 5th, 2026

This page describes the current security posture of the SpyVault product in practical terms. It is intended to explain how access, private data, uploads, monitoring, and AI-assisted features are handled today without disclosing sensitive implementation details.


Account security

SpyVault uses external identity providers for sign-in and relies on server-managed application sessions rather than handling passwords locally in the app itself.

Workspace controls

Private collaboration is enforced through server-side workspace membership, role checks, and per-workspace access boundaries for documents, assets, chat, and activity.

Service protection

The product includes request limits, upload validation, operational logging, health checks, and monitoring hooks intended to reduce abuse and support investigation when something goes wrong.

1. Security approach

SpyVault is designed around a few simple principles: keep runtime authentication server-side, enforce authorization at the workspace boundary, validate uploads before accepting them, and maintain enough operational visibility to investigate failures and suspicious activity.

This page describes those current controls. It is not a claim of specific certifications, uptime commitments, or custom enterprise controls unless those are separately agreed in writing.

2. Current controls

2.1 Authentication and session handling

  • Users sign in through supported external identity providers.
  • After sign-in, SpyVault mints its own application session and stores it in an HttpOnly cookie.
  • Production session cookies are marked Secure and SameSite=Lax.
  • Application session tokens are hashed before persistence.
  • Logout revokes the current application session and clears residual bootstrap cookies.
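The session pattern listed above, as an added example; it is not SpyVault's code. The cookie name `app_session`, the in-memory `SessionStore`, and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "app_session"  # hypothetical cookie name, not from the page


class SessionStore:
    """In-memory stand-in for a backend session table (assumption)."""

    def __init__(self):
        self._rows = {}  # sha256(token) hex digest -> user id

    @staticmethod
    def _digest(token: str) -> str:
        # The token is 256 bits of CSPRNG output, so a fast unsalted hash
        # is enough here; slow KDFs are for low-entropy secrets like passwords.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def mint(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = user_id
        return token  # the raw token is handed to the client and never stored

    def lookup(self, token: str):
        return self._rows.get(self._digest(token))

    def revoke(self, token: str) -> bool:
        # Logout: delete the row so a copied cookie stops working immediately.
        return self._rows.pop(self._digest(token), None) is not None

    def persisted_values(self):
        return list(self._rows)


def session_cookie_header(token: str, production: bool = True) -> str:
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True    # not readable from page JavaScript
    morsel["samesite"] = "Lax"   # not sent on cross-site subrequests or POSTs
    morsel["path"] = "/"
    if production:
        morsel["secure"] = True  # only sent over HTTPS
    return morsel.OutputString()
```

Because only the digest is persisted, a leaked copy of the session table does not yield values that can be replayed as cookies.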

2.2 Authorization and least privilege

  • Private workspace access is enforced server-side, not only in the client UI.
  • Workspace roles are separated into viewer, editor, and admin.
  • Member management requires workspace-admin access.
  • The product prevents a workspace from being left without an admin during role changes or removals.
  • Certain edit capabilities can be restricted further even for users who otherwise have editor access.
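A server-side role check with the "never leave a workspace without an admin" rule, as an added example; it is not SpyVault's code. The `Workspace` class, the exception names, and the numeric ordering of roles are assumptions made for illustration.

```python
from enum import IntEnum


class Role(IntEnum):
    VIEWER = 1
    EDITOR = 2
    ADMIN = 3


class Forbidden(Exception):
    pass


class LastAdminError(Exception):
    pass


class Workspace:
    """Hypothetical in-memory workspace; a real one lives in a database."""

    def __init__(self, members):
        self.members = dict(members)  # user id -> Role

    def require(self, actor, minimum):
        # Non-members have no role at all, so they fail every check.
        role = self.members.get(actor)
        if role is None or role < minimum:
            raise Forbidden(f"{actor} lacks {minimum.name} access")
        return role

    def _apply(self, actor, target, new_role):
        self.require(actor, Role.ADMIN)  # member management is admin-only
        if target not in self.members:
            raise KeyError(target)
        after = dict(self.members)
        if new_role is None:
            del after[target]
        else:
            after[target] = new_role
        # Evaluate the invariant on the resulting state. In a database this
        # check and the write must share one transaction, or two concurrent
        # demotions can each pass the check and together remove every admin.
        if not any(r == Role.ADMIN for r in after.values()):
            raise LastAdminError("workspace must keep at least one admin")
        self.members = after

    def set_role(self, actor, target, new_role):
        self._apply(actor, target, new_role)

    def remove_member(self, actor, target):
        self._apply(actor, target, None)
```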

2.3 Private data and uploads

  • Private document functionality is plan-gated rather than exposed to every account.
  • Workspace assets and attachments are scoped to the workspace they belong to.
  • Uploads are subject to request-size and file-validation checks.
  • Image uploads are restricted by file type, size, dimension checks, and an application safety review step.

2.4 Monitoring, logging, and abuse resistance

  • API requests receive request IDs for traceability.
  • Operational request logging and metrics hooks are built into the service.
  • Protected metrics and health/readiness endpoints are available for operations.
  • Rate limiting is enforced on core API surfaces.
  • Workspace activity records exist for collaboration events inside the app.

2.5 AI-assisted features

Some SpyVault features depend on third-party AI infrastructure to generate answers, rankings, or safety decisions. When those features are used, the data necessary to fulfill the request may be processed by those providers and retained in application logs or usage records needed to operate the feature, investigate failures, and meter usage.

SpyVault does not publish its full internal model or vendor configuration on this page.

3. Security FAQ

How does SpyVault control access to private workspaces?

Access is enforced through server-side workspace membership and role checks. A user must be a member of a workspace to access its private resources, and higher-risk operations such as inviting collaborators or changing member roles require admin-level access.

How are user sessions handled?

SpyVault treats its own application session as the runtime source of truth. Sessions are issued after sign-in, stored in an HttpOnly cookie, marked Secure in production, and stored as hashed tokens in the backend.

Does SpyVault support role-based collaboration controls?

Yes. Workspaces currently support viewer, editor, and admin roles. The application also supports capability restrictions for some editing actions so that collaboration permissions can be tighter than a simple read/write split.

How does SpyVault protect uploads?

Upload-related protections include request-size limits, validation of accepted file types on supported surfaces, and safety review on certain image uploads. The goal is to reject malformed, oversized, or disallowed content before it becomes part of a shared workspace.

Do you keep logs for troubleshooting and security review?

Yes. SpyVault generates request identifiers, keeps operational request and error logging, exposes health and readiness checks, and stores workspace activity records to support troubleshooting, abuse review, and service operations.

Is customer data encrypted in transit and at rest?

SpyVault is deployed on managed cloud infrastructure and is intended to be used over HTTPS in production. Session cookies are marked Secure in production, and stored data relies on managed-service encryption-at-rest capabilities rather than custom encryption schemes advertised on this page.

How are AI features handled from a data-security perspective?

AI-assisted features may send the content needed to answer a request to external model providers. SpyVault also keeps internal usage and operational records for those features. If your organization requires specific AI-data handling terms, provider restrictions, or a no-training commitment, those requirements should be reviewed before onboarding.

Does this page claim formal certifications or enterprise-only controls?

No. This page is meant to describe current product controls. It should not be read as a claim that SpyVault currently offers any particular certification, regulatory designation, enterprise identity integration, or custom security commitment unless it is expressly confirmed elsewhere in writing.

4. Scope note

Security is a product area that evolves over time. As SpyVault adds new capabilities, this page may change to reflect the controls that are actually available in production.