Trust · Last updated July 5, 2026
Trust & Security
Groundwork's security posture is structural, not aspirational: the boundaries below are enforced in code, tested in the connector's suite, and monitored in production. This page states them plainly so you can evaluate them before connecting anything.
What leaves your systems, and what never does
- Served TO your agents: your own company state (brand, voice rules, priorities, module inventory, entitled skills), scoped to your tenant, read-only.
- Recorded by us: per-token call counts and the names of tools called with timestamps. Never tool arguments, never agent conversations, never file contents.
- Never through us: model calls. The connector makes zero LLM calls on anyone's account; your agents talk to their own AI vendors directly under your agreements.
- Never leaves you: your workspace files. Groundwork's substrate is plain files in your repository; the hosted layer serves state, it does not hold your work hostage.
The boundary, enforced
- Per-tenant isolation. A bearer token resolves to exactly one tenant; a tenant's calls can only ever read that tenant's snapshot. A missing snapshot fails closed rather than falling back to anyone else's data.
- Fail-closed auth. Unknown, revoked, expired, superseded, or mismatched tokens all receive the same generic 401, so the boundary leaks no enumeration signal.
- Tokens hashed at rest. Raw tokens are shown once at issue and stored only as hashes. Revocation is immediate; rotation supersedes the old token atomically.
- Rate limits and a kill-switch. Per-token ceilings return 429s; anomalous per-minute rates auto-disable the tenant and alert the operator, so a leaked token cannot quietly burn for hours.
- Scoped skills at rest. A tenant's stored snapshot contains only the skill bodies their tier entitles, so scope holds even against a storage-layer read.
What requires a human
- Anything that changes what the public sees (published articles, advertised modules) passes a human gate; agents propose, a person approves.
- Client sign-offs land as accept/reject decisions in the dashboard with a full audit trail, not as silent agent actions.
- Outbound writing on our side passes a mechanical voice guard plus human review; security-critical surfaces are built and reviewed by the engineer, not generated unattended.
Monitoring and incident posture
Production errors, cron failures, kill-switch trips, and provisioning failures raise alerts (Sentry) that page the operator in a channel read daily; a scheduled smoke rail exercises the public and authenticated paths end to end every day. Alerts carry incident metadata, never tokens or client content. If an incident affects your data, you hear from us directly by email with what happened and what changed.
Scope, honestly
We are a small firm; there is no SOC 2 report yet, and we will not imply otherwise. What we offer instead is a short, inspectable surface: a read-only connector, structural tenant isolation, and a written account of every boundary on this page. Security questions or disclosures: joseph.scott@rarefied.earth. Subprocessors are listed in the privacy policy; procurement material (W-9, insurance, MSA/SOW process, the professional-engineering boundary) is on the vendor packet page.