Security

Security for a system that can think, act, and touch real workflows.

WorkSwarm security is not only network hardening and encryption. It includes grounded-answer behavior, tool-execution boundaries, agent approvals, and tenant-scoped controls for an AI-native work platform.

  • Approval-gated actions
  • Grounded-answer posture
  • Tenant-scoped agent execution
  • Schema-validated tool calls
  • SBOM and supply-chain checks
  • BYOK and HYOK support

AI runtime controls

What changes when the system can act

Grounded answers or refusal

Knowledge answers are expected to answer, hedge, or refuse based on evidence strength instead of confidently filling gaps with generic model output.

Schema-validated tool use

LLM output does not directly execute actions. Tool calls are structured, validated, and routed through explicit execution boundaries.

Approval-gated blast radius

Bulk sends, payments, deletes, broadcasts, and similar high-stakes actions require a human gate before the action is allowed to run.

Tenant-scoped execution

Agents, MCP tools, retrieval, and memory operate inside tenant boundaries so cross-tenant data movement is prevented by design.

Data sovereignty architecture

Your most sensitive data never crosses our perimeter.

The three architectures CISOs ask about most. Each shows exactly what stays inside your network and what crosses the encrypted tunnel. The full set of five lives on the data sovereignty page.

Diagram: Hospital private network (inside the hospital firewall, HIPAA controlled): EHR system (Epic, Cerner, or Suvarna; PHI: names, MRN, labs), lab and imaging (DICOM, lab reports), de-identification SLM (strips PHI per Safe Harbor, runs in the hospital network), MCP tunnel (outbound only; the hospital holds the key). PHI stays inside the hospital; the tunnel carries de-identified cohorts and outcomes only, never names. Workswarm Healthcare Pack (BAA signed; no PHI in our boundary): care workflow orchestrator, healthcare SLM trained on de-identified care pathways, industry adapter (reminders, claims, follow-up workflows; templates per specialty), audit and consent log (every access logged with signed proof from the hospital MCP; the hospital compliance officer has full read access).

Never leaves your side

  • Patient names, MRNs, addresses, phone numbers
  • Full clinical notes, lab results, imaging
  • Insurance member IDs and claim details
  • Doctor identifiers and prescription specifics

Crosses, encrypted

  • Cohort sizes ("28 patients need follow up this week")
  • Anonymous care pathway events
  • Workswarm's draft messages and reminders
  • Signed audit receipts

What Workswarm does

  • Picks the right care pathway template
  • Generates reminders and claim drafts in the hospital's voice
  • Sends action back for staff to approve
  • Never stores PHI. Stores workflow audit only.

Compliance picture. HIPAA Privacy and Security Rule satisfied because PHI never leaves the hospital. BAA covers the de-identified metadata. DPDP Act obligations stay with the hospital as data fiduciary. ISO 27001 controls match.

Legend: hospital network; de-identified tunnel traffic; Workswarm Healthcare Pack; PHI restricted.
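The hospital flow described above, as an added illustration that is not Workswarm's own code: constructed EHR rows stay inside the hospital, the only object built for the tunnel is a cohort count plus pathway events keyed by an HMAC pseudonym under a key only the hospital holds, and an outbound check confirms no PHI field or value made it into the payload. Field names, sample rows and the key are assumptions.

```python
"""Added example (not WorkSwarm code): what the hospital tunnel carries.
Constructed EHR rows stay inside the hospital. The only object built for the
tunnel is a cohort count plus pathway events keyed by an HMAC pseudonym under
a key only the hospital holds, followed by an outbound PHI check. Field names,
sample rows and the key are illustrative."""
import hmac
import hashlib

# Direct identifiers that never cross (a subset of HIPAA Safe Harbor fields).
PHI_FIELDS = {"name", "mrn", "phone", "address", "dob"}
# Keys an outbound event is allowed to carry.
ALLOWED_KEYS = {"subject", "event", "week"}

# Constructed sample records; nothing here is real patient data.
EHR_ROWS = [
    {"mrn": "MRN-0001", "name": "A. Example", "phone": "555-0100",
     "pathway": "diabetes_followup", "event": "missed_visit", "week": 12},
    {"mrn": "MRN-0002", "name": "B. Example", "phone": "555-0101",
     "pathway": "diabetes_followup", "event": "lab_due", "week": 12},
    {"mrn": "MRN-0003", "name": "C. Example", "phone": "555-0102",
     "pathway": "post_op", "event": "missed_visit", "week": 12},
]

def pseudonym(hospital_key: bytes, mrn: str) -> str:
    """Keyed hash: Workswarm can correlate events across messages without
    learning the MRN; only the hospital, holding the key, can map it back."""
    return hmac.new(hospital_key, mrn.encode(), hashlib.sha256).hexdigest()[:16]

def build_tunnel_payload(hospital_key: bytes, rows: list, pathway: str) -> dict:
    """De-identified payload for one care pathway: cohort size and events."""
    events = [
        {"subject": pseudonym(hospital_key, r["mrn"]),
         "event": r["event"], "week": r["week"]}
        for r in rows if r["pathway"] == pathway
    ]
    return {"pathway": pathway, "cohort_size": len(events), "events": events}

def contains_phi(payload: dict, rows: list) -> bool:
    """Outbound gate before the tunnel: every event carries only allowed keys
    and no PHI value from the source rows appears anywhere in the payload."""
    if any(set(e) - ALLOWED_KEYS for e in payload.get("events", [])):
        return True
    blob = repr(payload)
    return any(str(r[f]) in blob for r in rows for f in PHI_FIELDS if f in r)
```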
Diagram: Bank data centre (PCI DSS scope; RBI audited; India only): core banking (Finacle or Flexcube; account, transaction, balance), CKYC and cards (PAN, Aadhaar, card PAN), on-prem fraud SLM (scores transactions in milliseconds, stays in the DC), MCP tunnel (outbound only; signed responses). Customer data stays in India; the tunnel carries tokenized scores and case IDs only, no PANs. Workswarm Finance Pack, India region (Mumbai hosted; India-only data plane): case workflow orchestrator, collections SLM trained on token-level repayment behavior, per-bank adapter (complaint replies and RBI grievance templates in the bank's brand voice), signed audit trail (each tunneled response cryptographically signed by the bank; RBI inspector verifiable).

Never leaves your side

  • Account numbers, full transaction history, card PAN
  • Aadhaar, PAN, CKYC documents
  • Internal credit scores and limits
  • Any data subject to RBI localization

Crosses, encrypted

  • Anonymous case IDs (mapped to real customers only inside the bank)
  • Risk scores and aggregated signals
  • Workswarm's draft replies and recovery scripts
  • Cryptographically signed audit receipts

What Workswarm does

  • Drafts customer communications in the bank's tone
  • Coordinates collections and complaint workflows
  • Templates for RBI Banking Ombudsman replies
  • Never sees PAN or card number. Only token IDs.

Compliance picture. RBI payment data localization is satisfied. PCI DSS scope is dramatically smaller because card data never enters Workswarm. DPDP obligations stay with the bank. CERT-In incident reporting is straightforward.

Legend: bank data centre; tokenized tunnel traffic; Workswarm Finance Pack; localization restricted.
Diagram: Firm's document vault (privileged; audit logged): DMS (iManage or NetDocuments; signed contracts), matter files (client identities, deal terms), clause extractor SLM (runs in the firm's tenant; trained on the firm's precedents), MCP tunnel (outbound only; the firm holds the keys). Privileged material does not exit; the tunnel carries metadata and drafts only (clause types and redline suggestions). Workswarm Legal Workspace (per-firm tenant; adapter encrypted with the firm's KMS): matter orchestrator, legal SLM trained on the firm's own precedents in the firm's voice (per-firm LoRA adapter), redline and renewal tracker (drafts review notes), privilege-preserving audit (documents stay by reference; metadata and drafts logged; the managing partner can delete the workspace at any time).

Never leaves your side

  • Full text of signed contracts and matter files
  • Client identities and counterparty names
  • Deal terms, valuations, IP filings
  • Internal partner notes and strategy memos

Crosses, encrypted

  • Clause types and document classifications
  • Redline suggestions in the firm's house style
  • Renewal alerts (matter ID and a relative date)
  • Workspace audit metadata

What Workswarm does

  • Routes the request through the firm's matter workflow
  • Calls the per-firm SLM trained on the firm's precedents
  • Returns redline drafts the lawyer can accept or modify
  • Never stores contracts. Stores matter-level metadata only.

Compliance picture. Attorney-client privilege preserved because privileged material never crosses the firm's perimeter. State bar and bar council confidentiality rules met. ISO 27001 controls match. GDPR processor obligations are minimized by design.

Legend: firm document vault; metadata-only tunnel traffic; Workswarm Legal Workspace; privileged perimeter.

Why AI-native security is different

A secure chatbot is not the same thing as a secure work system.

WorkSwarm needs to defend not only against unauthorized access, but also against confident wrong answers, malformed tool calls, and autonomous actions happening without the right human checkpoint. This section exists to make that difference explicit for buyers.

Evidence before answer

Knowledge answers are grounded against retrieved passages before they are shown to a user.

Hedge or refuse behavior

Low-confidence or contradictory evidence should narrow the answer or stop generation entirely.

Tool executor boundary

Structured tool calls pass through explicit execution checks instead of allowing free-form model output to run actions.

Human gate for blast radius

Payments, bulk sends, deletes, and similar actions require approval before execution.
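The tool-executor boundary and human gate described here (and under "Schema-validated tool use" and "Approval-gated blast radius" above), as an added example that is not WorkSwarm's own code: model output is parsed as untrusted data, checked against a per-tool parameter schema, pinned to the caller's tenant, and high-blast-radius tools are parked for approval rather than executed. The tool names, schemas and gated list are assumptions.

```python
"""Added example (not WorkSwarm code): a minimal tool-execution boundary.
Model output is untrusted data: it must be a JSON object naming a registered
tool, match that tool's parameter schema exactly, and stay inside the
caller's tenant. High-blast-radius tools are parked for a human gate instead
of running. Tool names, schemas and the gated list are illustrative."""
import json
from dataclasses import dataclass, field

# Illustrative registry: required parameter -> expected Python type.
TOOL_SCHEMAS = {
    "search_docs": {"query": str, "limit": int},
    "send_email_bulk": {"recipients": list, "body": str},
    "issue_payment": {"account_id": str, "amount_cents": int},
}
# Tools whose blast radius requires a human gate before execution.
HUMAN_GATED = {"send_email_bulk", "issue_payment"}

@dataclass
class Decision:
    status: str            # "executed", "pending_approval" or "rejected"
    reason: str = ""
    pending: list = field(default_factory=list)

def route_tool_call(raw_model_output: str, tenant_id: str) -> Decision:
    """Validate a model-emitted tool call and route it through the boundary."""
    try:
        call = json.loads(raw_model_output)
    except json.JSONDecodeError:
        call = None
    if not isinstance(call, dict):
        return Decision("rejected", "tool call is not a JSON object")
    name, args = call.get("tool"), call.get("args")
    if not isinstance(name, str) or name not in TOOL_SCHEMAS or not isinstance(args, dict):
        return Decision("rejected", f"unknown tool or malformed args: {name!r}")
    schema = TOOL_SCHEMAS[name]
    # Exact parameter set: missing or extra keys are both rejected.
    if set(args) != set(schema):
        return Decision("rejected", "parameter set does not match schema")
    for key, typ in schema.items():
        # bool is a subclass of int, so reject it explicitly for int fields.
        if not isinstance(args[key], typ) or isinstance(args[key], bool):
            return Decision("rejected", f"parameter {key!r} has wrong type")
    # Tenant scope comes from the platform session, never from the model.
    if call.get("tenant_id") not in (None, tenant_id):
        return Decision("rejected", "tool call attempts to cross tenant boundary")
    if name in HUMAN_GATED:
        return Decision("pending_approval", "requires human gate",
                        pending=[{"tenant_id": tenant_id, "tool": name, "args": args}])
    return Decision("executed", f"{name} run inside tenant {tenant_id}")
```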

AI-specific threat model

WorkSwarm is AI-native. These are the threats we defend against at the platform layer.

Prompt injection (direct & indirect)

Distinct system/developer/user/tool roles. Untrusted content excluded from instruction interpretation. Parameters validated against schema.

Jailbreak & prompt extraction

No customer secrets in system prompts. Pattern-matching detection. Rate-limiting. Logged.

Model inversion / membership inference

No training on customer data. Provider robustness evaluations. Output cardinality limits.

Hallucination on factual claims

"AI-generated, verify before acting" disclaimer. High-stakes outputs (legal, medical, financial) require human gate.

Voice cloning & deepfake

Consent-only voices (recorded, time-bounded). C2PA provenance on synthetic media. Do-not-call list checks.

Toxic or biased output

Bias evaluation per release. StereoSet, RealToxicityPrompts benchmarks. Reportable bias triggers model swap.

Cost weaponization

Per-call token cap, per-user daily budget, circuit breaker on cost spikes, anomaly alerts.

Authentication & access control

SSO

SAML 2.0 + OIDC. Okta, Azure AD, Google Workspace, OneLogin, Ping, JumpCloud.

MFA

TOTP, FIDO2/WebAuthn, push. Phone-based factors disabled by default. Hardware keys for admins.

SCIM 2.0

Automated user lifecycle: invited → active → suspended → deprovisioned.

Session mgmt

12-hour access tokens, 30-day refresh with rotate-on-use. Configurable idle timeout.

Authorization

RBAC for features (admin/builder/contributor/viewer/guest). ABAC for data-level (project, workstream, gate).

Privileged access

JIT elevation, 4-hour max, session-recorded. Quorum approval for break-glass.

Encryption everywhere

At rest

AES-256-GCM via cloud KMS. Per-tenant DEKs wrapped by per-tenant KEKs. BYOK at Enterprise, HYOK at Enterprise Plus.

In transit

TLS 1.3 minimum on all ingress. mTLS for internal service-to-service. Certificate pinning on mobile.

In use

Confidential computing (AWS Nitro Enclaves, Azure CVM, GCP CVM) for highest-tier inference and PII processing.

Backups

Encrypted with separate keys, separate region. S3 Object Lock with compliance retention.

Application & supply chain security

OWASP Web, API, Mobile, and LLM Top 10 all addressed.

  • Threat model per feature - documented in repo
  • SAST (Semgrep, CodeQL) on every commit
  • Dependency scanning (Snyk, Dependabot) - 7-day critical-fix SLA
  • SBOM generated per build, attested with Sigstore
  • Container scanning (Trivy) on every image push
  • DAST (OWASP ZAP, Burp Suite) on every staging deploy
  • Pen testing: external annual, internal quarterly
  • Two-reviewer approval for all production changes
  • Security team sign-off for auth, crypto, key handling, audit changes