Security model
WebmasterID Agent is built on a compliance-first foundation. Credentials are encrypted. Workspaces are fully isolated. The AI layer never sees raw secrets. And every external action requires your approval.
Security principles
Credential encryption at rest
OAuth tokens and API keys are encrypted using AES-256 before storage. Decryption keys are stored separately from the encrypted values. Provider secrets are never logged or exposed in API responses.
Workspace isolation
All data is partitioned by workspace_id. Server-side authorization checks enforce that every query is scoped to the authenticated workspace. No cross-workspace reads are possible at the application layer.
No AI exposure of secrets
The Claude Code MCP bridge returns provider signals and work package context — never raw API credentials. The AI execution layer has no access to decrypted secrets at any point in the workflow.
Human-approval gate
Every external action — commit, deploy, outreach, API write — requires explicit operator sign-off in the dashboard. The Agent has no autonomous publish path. This gate is enforced in the application layer, not just at the UI.
Owner-scoped only
The Agent only processes sites verified through WebmasterID Core ownership. Verification uses DNS TXT records or file-based methods — the same standard as Google Search Console.
Full audit trail
Every sync run, provider fetch, recommendation, and approval event is logged with a timestamp, actor, and outcome. Logs are retained and exportable for compliance review.
Principle of least privilege
Provider OAuth scopes are requested at the minimum required level. GSC access is read-only. GitHub OAuth requests repository read scope only — no write access unless a specific write action is approved.
No raw visitor identities
WebmasterID Agent receives aggregated analytics signals from WebmasterID Core — never raw visitor session data or PII. The Agent cannot reconstruct individual user journeys.
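As an added illustration (not WebmasterID's own code), the following Python sketch shows how three of the principles above, workspace isolation, the human-approval gate and the audit trail, fit together in one service layer. The in-memory store, the Session and AgentStore names and the action identifiers are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# External actions that never run without an explicit operator approval.
EXTERNAL_ACTIONS = {"commit", "deploy", "outreach", "api_write"}

class AuthorizationError(Exception):
    pass

@dataclass
class Session:
    workspace_id: str   # derived server-side from the authenticated token, never from request input
    actor: str

@dataclass
class AgentStore:
    # Hypothetical in-memory stand-in for the workspace-partitioned tables.
    rows: list = field(default_factory=list)       # every row carries its workspace_id
    approvals: set = field(default_factory=set)    # (workspace_id, action_id) pairs signed off in the dashboard
    audit_log: list = field(default_factory=list)

    def query(self, session, requested_workspace_id, kind):
        # Server-side authorization: a caller-supplied workspace id must match the session's.
        if requested_workspace_id != session.workspace_id:
            self._audit(session, f"read:{kind}", "denied")
            raise AuthorizationError("query not scoped to the authenticated workspace")
        # The filter is taken from the session, so the scope cannot widen even if the check above regressed.
        result = [r for r in self.rows
                  if r["workspace_id"] == session.workspace_id and r["kind"] == kind]
        self._audit(session, f"read:{kind}", "ok")
        return result

    def approve(self, session, action_id):
        self.approvals.add((session.workspace_id, action_id))
        self._audit(session, f"approve:{action_id}", "ok")

    def run_external_action(self, session, action_id, action):
        if action not in EXTERNAL_ACTIONS:
            raise ValueError(f"unknown external action: {action}")
        if (session.workspace_id, action_id) not in self.approvals:
            self._audit(session, f"{action}:{action_id}", "blocked_no_approval")
            return False
        # Consume the approval so one sign-off cannot be replayed for a second run.
        self.approvals.discard((session.workspace_id, action_id))
        self._audit(session, f"{action}:{action_id}", "executed")
        return True

    def _audit(self, session, event, outcome):
        # Every event records timestamp, actor and outcome, as the audit-trail principle requires.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "workspace_id": session.workspace_id,
                               "actor": session.actor, "event": event, "outcome": outcome})
```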
Frequently asked questions
Is WebmasterID Agent SOC 2 compliant?
WebmasterID Agent is in the process of completing a SOC 2 Type II audit. Security controls and audit trail capabilities are designed to meet SOC 2 requirements. Contact us for the current compliance status.
Where is data stored?
Application data is stored in a managed PostgreSQL instance in the eu-west-1 region. Provider credentials are encrypted before storage. Sync logs are retained for 90 days by default.
Can I revoke provider access at any time?
Yes. Any provider connection can be disconnected from the workspace settings page. OAuth tokens are immediately invalidated on disconnection. Revocation is instant and irreversible.
How are MCP API keys managed?
MCP API keys are workspace-scoped, shown once on creation, and can be rotated at any time from Settings → API. Rotating a key immediately invalidates the previous key.