Isolation
One database per tenant. Physically.
Each workspace gets its own SQLite database, its own coordinating runtime object that serializes every write, its own object-storage prefix, and its own vector index namespace. There is no cross-tenant query path in the codebase, and no function accepts a tenant id from a request payload: tenancy comes only from the authenticated context.
Erasure
Deletion by crypto-shredding
Event payloads and message bodies are envelope-encrypted with per-subject data keys (master key, then per-tenant key, then per-subject key). Erasure shreds the subject's keys, redacts their claims, and rebuilds projections. The append-only log keeps its audit integrity; the erased content is permanently unreadable.
Agents
Structurally bounded AI
Agents (ours and any external agent on your MCP endpoint) can read, draft, and propose. No external sends without a capability minted by an approved policy, no claim acceptance, no projection writes, per-seat daily budgets. These limits live in the runtime, not in prompts.
Injection
Untrusted by default
Connector-derived content (emails, page content, SMS) is data, never instructions. It is wrapped as untrusted before any model sees it, and extraction runs under strict output schemas. A malicious email cannot instruct your agent.
Audit
Audit by construction
Approvals, policy changes, agent tool calls, MCP access, and sends are events in the same append-only log as everything else. The audit trail has no gaps to close because it is the substrate itself.
Secrets
Secrets stay out of the data plane
Connector credentials live in the platform secret store, encrypted per tenant. They are never written to the tenant database, never logged, and never included in model prompts. Outbound credentials are resolved at send time only.