Product documentation

Security

Identity, encryption, isolation, and audit controls that ship in every Convoship workspace.

Convoship is built for teams whose security review never gets skipped. Every workspace ships with the controls auditors expect — no add-on tier, no add-on price. This page summarises the controls, the implementation, and where to find them in the studio.

Identity & access

  • Workspace roles: owner, admin, developer, editor, viewer. Capability checks are enforced server-side, not just hidden in the UI.
  • MFA is supported per-user via TOTP. Owners can require MFA for sensitive actions.
  • Refresh tokens rotate on every use and are revoked on logout; the access cookie is HttpOnly, Secure, SameSite=Lax.
  • Brute-force protection: configurable failed-login window + lockout duration.
  • A workspace-wide "revoke all sessions" action signs every member out of every device, useful after a credential leak or departing employee.

Encryption & secrets

Tool nodes reference secrets by name; the raw value never enters prompts, exports, or logs. Today secrets are encrypted at rest with Fernet (workspace-scoped key); a KMS-backed envelope is the upgrade path and is enabled by setting CONVOSHIP_KMS_KEY_ID.

  • TLS terminates at the load balancer using an ACM certificate; in-VPC traffic to ECS and RDS remains private.
  • Database connections use SSL (sslmode=require) from the application container.
  • Backups are encrypted at rest by RDS; final snapshots are taken before any infrastructure destroy.

Workspace isolation

Postgres Row-Level Security enforces workspace_id scoping on every workspace-scoped table. The application role (convoship_app) is created with NOBYPASSRLS, so a SQL bug or LLM-generated query cannot leak rows across workspaces — the isolation is structural, not just policy-enforced.

Defense in depth

The same workspace boundary is enforced in three places — the route's auth dependency, the session-scoped Postgres GUC, and the RLS policy itself. A failure in any one layer cannot cause a leak.
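
The pattern described under Workspace isolation and Defense in depth, as an added PostgreSQL example (not Convoship's own schema or migrations). The table name tickets, the setting name app.workspace_id, the policy name and the UUIDs are assumptions made for illustration; only convoship_app, workspace_id and NOBYPASSRLS come from this page.

```sql
-- Added example. "tickets", "app.workspace_id" and the UUIDs are constructed;
-- convoship_app, workspace_id and NOBYPASSRLS are the names this page uses.
-- Run as a superuser in a scratch database.
CREATE ROLE convoship_app LOGIN NOSUPERUSER NOBYPASSRLS;

CREATE TABLE tickets (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    body         text NOT NULL
);
INSERT INTO tickets (workspace_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'workspace A row'),
    ('22222222-2222-2222-2222-222222222222', 'workspace B row');

-- ENABLE turns the policy on; FORCE applies it to the table owner as well,
-- which matters if the application role ever owns the table.
ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;
ALTER TABLE tickets FORCE ROW LEVEL SECURITY;

-- USING filters rows that are read, updated or deleted; WITH CHECK rejects
-- rows written with another workspace's id. current_setting(..., true)
-- yields NULL when the setting is absent, and NULLIF covers the empty string
-- a transaction-local setting leaves behind, so an unscoped session matches
-- no rows instead of raising a cast error.
CREATE POLICY workspace_scope ON tickets
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON tickets TO convoship_app;
GRANT USAGE ON SEQUENCE tickets_id_seq TO convoship_app;

-- Per request, after the route's auth dependency has resolved the workspace:
SET ROLE convoship_app;
BEGIN;
-- Third argument true = transaction-local, so a pooled connection does not
-- carry one request's workspace into the next.
SELECT set_config('app.workspace_id', '11111111-1111-1111-1111-111111111111', true);
SELECT id, workspace_id, body FROM tickets;   -- filtered by the policy
COMMIT;

-- Same connection, no scope set: the policy compares against NULL.
SELECT id, workspace_id, body FROM tickets;
RESET ROLE;
```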

Audit trail

Every mutation lands in an append-only audit log: agent edits, deployments, secret reads, member role changes, workflow publishes, and channel changes. Filter by actor, action, target, and time range. The log is exposed both in the studio (Workspace → Audit log) and via the API for SOC 2 evidence collection.

Usage metering & budgets

  • Per-AI-agent daily LLM spend cap, enforced at request time. The agent halts before exceeding the limit.
  • Per-workspace conversation counter (30-day rolling) surfaced on the dashboard and via /v1/workspaces/usage.
  • Prometheus metrics (sessions_started_total, turns_total, llm_tokens_total, tool_invocations_total) are exposed for scraping at /metrics, behind a bearer token.
  • Rate limits on all auth and public-runtime endpoints (slowapi backed by Redis).

Code execution sandbox

Python nodes run with PYTHON_NODE_TIMEOUT_SECONDS (default 2s) and session-scoped variables only. No filesystem, no outbound network unless explicitly proxied through a tool node. The sandbox is the same isolation primitive used to run extraction's auto-repair pass — battle-tested.

Responsible disclosure

Found a vulnerability? Email security@convoship.org with a description and reproduction steps. We acknowledge reports within one business day and credit reporters in release notes when permitted.