Security

Security & data protection

Boatwork Assist is built on a simple principle: an agent should have exactly the access it needs to do the work you asked of it, granted by you, scoped tightly, and revocable at any time. Nothing is tenant-wide, and nothing relies on standing access we hold independently of your approval.

You connect the accounts, and you stay the owner

To work with your email, calendar, and documents, an agent connects through OAuth using an application that you register and consent to in your own Google Workspace or Microsoft 365 tenant. You grant the permissions, and you can review or revoke them at any time from your provider’s admin console. Access stops when you do.

Delegated, per-mailbox access

Permissions are delegated and scoped to the specific accounts that sign in. An agent connected to a mailbox can act within that mailbox, not across your whole organization, and because the permission is delegated it can never do more than the signed-in user is allowed to do. Each mailbox is connected independently, by signing in as that mailbox, so the only mailboxes an agent can reach are the ones you explicitly connect. We do not request application (tenant-wide) permissions that would let an agent read mailboxes nobody connected.

Least privilege, explained up front

We request only the permissions an agent needs for the work it does — reading and sending email, managing calendar events, and creating documents — and each permission is explained at setup. If a capability is not needed for your use case, it can be left out.

Encryption at rest

OAuth client secrets and every stored refresh token are encrypted at rest using AES-256-GCM authenticated encryption. They are never stored in plaintext. Because the encryption is authenticated, a stored record that has been altered is rejected when it is decrypted rather than silently yielding a corrupted token.

Short-lived tokens, never on the agent

The long-lived credential, the refresh token, stays encrypted on our servers and never reaches the agent’s runtime. When the agent needs to act, it fetches a short-lived access token (about one hour) on demand from an endpoint authenticated by the agent’s own credential. Tokens rotate automatically, and the agent can only ever request a token for a mailbox it actually connected. The practical consequence is that a compromised agent runtime yields at most a token that expires within about an hour and works only for the mailboxes that agent connected; the refresh token is not there to steal.

Isolation between organizations

Each organization’s credentials, configuration, and agent context are isolated. One organization’s agents cannot see or reach another organization’s data. See How knowledge sharing works for how knowledge is scoped within and between organizations.

Audit logging

Connecting an account, disconnecting it, and changing credentials are recorded as audit events — who did what, and when.

Revocation and offboarding

You can disconnect an account or remove an integration at any time. Doing so clears the stored tokens and restarts the affected agent so it drops cached access right away. You can also revoke access directly from your Google or Microsoft admin console at any point. Revoking at the provider invalidates the refresh token, but depending on the provider an access token that was already issued may keep working until it expires (up to about an hour), so disconnecting in Boatwork as well is the surest way to stop access immediately.
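The encryption-at-rest, short-lived-token, and revocation sections above describe one access model. As an added example (this is not Boatwork’s code; the in-memory store layout, the org, agent and mailbox identifiers, and the hash that stands in for the provider’s token endpoint are all assumptions made for the illustration), here is that model in Go: refresh tokens are sealed with AES-256-GCM and bound to their org and mailbox, a broker hands an agent a one-hour token only for a mailbox that agent connected, and disconnecting stops access at once.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Added illustration, not Boatwork's code; store layout, identifiers and the stand-in token exchange are assumptions.
var ErrNotConnected = errors.New("agent is not connected to that mailbox")

// SealRefreshToken returns nonce || ciphertext || tag under AES-256-GCM. Org and mailbox go in as
// associated data (authenticated, not encrypted), so a record moved to another org's or mailbox's row refuses to open.
func SealRefreshToken(gcm cipher.AEAD, orgID, mailbox, token string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(token), []byte(orgID+"|"+mailbox)), nil
}

// OpenRefreshToken fails on any change to nonce, ciphertext, tag or binding.
func OpenRefreshToken(gcm cipher.AEAD, sealed []byte, orgID, mailbox string) (string, error) {
	n := gcm.NonceSize()
	if len(sealed) < n {
		return "", errors.New("sealed record too short")
	}
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], []byte(orgID+"|"+mailbox))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

type connection struct { // who signed in to a mailbox, plus the refresh token in sealed form
	orgID, agentID string
	sealed         []byte
}

// Broker is the server-side endpoint an agent calls with its own credential (modelled here as agentID).
type Broker struct {
	gcm   cipher.AEAD
	conns map[string]connection // keyed by mailbox address
}

func NewBroker(key []byte) (*Broker, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Broker{gcm: gcm, conns: map[string]connection{}}, err
}

// owner succeeds only if this agent, in this org, is the one that connected the mailbox.
func (b *Broker) owner(orgID, agentID, mailbox string) (connection, bool) {
	c, ok := b.conns[mailbox]
	return c, ok && c.orgID == orgID && c.agentID == agentID
}

// Connect stores the refresh token obtained when someone signed in as mailbox.
func (b *Broker) Connect(orgID, agentID, mailbox, refreshToken string) error {
	sealed, err := SealRefreshToken(b.gcm, orgID, mailbox, refreshToken)
	if err != nil {
		return err
	}
	b.conns[mailbox] = connection{orgID, agentID, sealed}
	return nil
}

// Disconnect clears the stored token, so every later AccessToken call fails.
func (b *Broker) Disconnect(orgID, agentID, mailbox string) error {
	if _, ok := b.owner(orgID, agentID, mailbox); !ok {
		return ErrNotConnected
	}
	delete(b.conns, mailbox)
	return nil
}

// AccessToken checks ownership, opens the refresh token in memory and returns only a one-hour access
// token; the refresh token never goes back. A hash stands in for the provider's token endpoint (offline).
func (b *Broker) AccessToken(orgID, agentID, mailbox string) (string, time.Time, error) {
	c, ok := b.owner(orgID, agentID, mailbox)
	if !ok {
		return "", time.Time{}, ErrNotConnected
	}
	refresh, err := OpenRefreshToken(b.gcm, c.sealed, orgID, mailbox)
	if err != nil {
		return "", time.Time{}, err
	}
	expiry := time.Now().Add(time.Hour)
	sum := sha256.Sum256([]byte(refresh + "|" + expiry.Format(time.RFC3339Nano)))
	return hex.EncodeToString(sum[:16]), expiry, nil
}
```

The two checks worth noticing are in owner and in the associated data: a request from another agent, or from the same agent name in another org, is refused before the stored token is even decrypted, and a sealed record copied into a different org’s or mailbox’s row cannot be opened because the binding no longer matches. In a real deployment the key would come from a KMS rather than a local byte slice.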

Third-party AI model providers

To generate responses, message content is transmitted to third-party AI model providers (which may include Anthropic, OpenAI, and others) solely to produce the reply. We select providers that do not use customer data for model training by default. Each provider maintains its own data handling practices. See AI & data handling for the commercial terms, retention, and our Zero Data Retention roadmap.

Running a formal security review? We are happy to walk your team through the access model, complete a security questionnaire, or answer specific questions — hello@boatwork.co.