Security
Overview.

Authentication

Private app areas require a signed-in account before company, client, or join pages can be accessed.

Role Separation

Users are assigned company or client roles. The app checks the expected role before showing the matching dashboard.

Plan Access

Company workspaces include plan and member access checks so workspace access can be limited when a subscription or seat allocation is not active.

Workspace Scoping

Workspace records are associated with a company workspace so project, task, document, meeting, notification, billing, and booking data can be separated by workspace.

Project Access

Projects track assigned clients and assigned employees. Client views are filtered to the projects assigned to that client.

Document Sharing

Documents use explicit sharing lists for clients and employees. Client document views are limited to documents shared with that client or uploaded by that client.

Client Portal

Client users access a separate client dashboard instead of the internal company dashboard.

Connection Verification

Connected app authorization flows use signed state values to reduce unauthorized connection attempts.

Token Storage

Connected app access tokens and refresh tokens are encrypted before being stored. Integration status views do not expose token values.

Disconnect Controls

The platform includes disconnect routes for connected integrations so users can remove stored integration records.

Optional Integrations

Connected apps are optional workspace features. Current integration surfaces include Slack, Google Drive, Gmail, Google Meet, and GitHub.

Webhook Verification

Payment webhook requests are verified before subscription events are processed.

Duplicate Handling

Processed webhook IDs are tracked so repeated billing events can be skipped.

Plan Limits

Plan data is used to enforce or display limits for resources such as projects, members, clients, AI credits, integrations, and meetings.

File Storage

Uploaded files are stored in managed application storage and referenced from document records.

Client Upload Limits

Client document uploads include a server-side maximum file size of 3 MB and a maximum of 15 documents per project.

Email Rendering

HTML email content displayed through the Gmail integration is sanitized before being inserted into the page.

Notifications

The platform stores in-app notifications by user and supports browser push notification subscriptions.

Workspace Context

The AI features can use workspace context such as projects, tasks, documents, meetings, and chat-related data to answer prompts and perform actions requested by the user.

Review Required

AI outputs should be reviewed by users before being relied on, especially for generated tasks, schedules, summaries, or bulk actions.

Usage Records

The platform stores AI conversations, messages, credit usage, and request usage records to support the AI experience and plan limits.

If you believe you found a security issue or need details for a vendor review, contact support@collaboraone.com with a clear description and steps to reproduce.