This page describes product-level safeguards available in CollaboraOne. It avoids unsupported claims about certifications, audits, or compliance programs.
1. Account Access
Authentication
Private app areas require a signed-in account before company, client, or join pages can be accessed.
Role Separation
Users are assigned company or client roles. The app checks the expected role before showing the matching dashboard.
Plan Access
Company workspaces include plan and member access checks so workspace access can be limited when a subscription or seat allocation is not active.
2. Workspace Data Boundaries
Workspace Scoping
Workspace records are associated with a company workspace so project, task, document, meeting, notification, billing, and booking data can be separated by workspace.
Project Access
Projects track assigned clients and assigned employees. Client views are filtered to the projects assigned to that client.
Document Sharing
Documents use explicit sharing lists for clients and employees. Client document views are limited to documents shared with that client or uploaded by that client.
Client Portal
Client users access a separate client dashboard instead of the internal company dashboard.
3. Integration Handling
Connection Verification
Connected app authorization flows use signed state values to reduce unauthorized connection attempts.
Token Storage
Connected app access tokens and refresh tokens are encrypted before being stored. Integration status views do not expose token values.
Disconnect Controls
The platform includes disconnect routes for connected integrations so users can remove stored integration records.
Optional Integrations
Connected apps are optional workspace features. Current integration surfaces include Slack, Google Drive, Gmail, Google Meet, and GitHub.
4. Billing And Webhooks
Webhook Verification
Payment webhook requests are verified before subscription events are processed.
Duplicate Handling
Processed webhook IDs are tracked so repeated billing events can be skipped.
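The following is an added example, not CollaboraOne code, showing how webhook verification and duplicate handling fit together in one handler. The signature scheme (HMAC-SHA256 over timestamp and raw body), the 5-minute freshness window, the in-memory ID set, and all names are assumptions, since this page does not name the payment provider or its signing format.

```python
import hashlib
import hmac
import json

# Assumptions (not from the page): HMAC-SHA256 over "<timestamp>.<raw body>",
# a 5-minute tolerance, and an in-memory set standing in for a durable table
# with a unique constraint on the event ID.
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Compute the hex signature the sender is assumed to attach."""
    message = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookProcessor:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.processed_ids = set()
        self.applied = []  # IDs of events that reached business logic

    def handle(self, raw_body: bytes, timestamp: int, signature: str, now: int) -> str:
        # 1. Verify the signature over the exact bytes received, before parsing.
        expected = sign(self.secret, timestamp, raw_body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected: bad signature"
        # 2. Bound replay of captured requests with a freshness window.
        if abs(now - timestamp) > TOLERANCE_SECONDS:
            return "rejected: stale timestamp"
        # 3. Only now parse the payload and deduplicate on the event ID.
        try:
            event_id = json.loads(raw_body)["id"]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed event"
        if not isinstance(event_id, str):
            return "rejected: malformed event"
        if event_id in self.processed_ids:
            return "skipped: duplicate"
        # 4. Apply first, then record the ID, so a failed apply can be retried.
        self.applied.append(event_id)
        self.processed_ids.add(event_id)
        return "processed"


# Constructed sample secret and event body, for illustration only.
SECRET = b"example-webhook-secret"
BODY = b'{"id": "evt_001", "type": "subscription.updated"}'
```

With more than one worker, the membership check and the insert need to be a single atomic operation in the backing store, otherwise two concurrent deliveries of the same event can both pass the duplicate check.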
Plan Limits
Plan data is used to enforce or display limits for resources such as projects, members, clients, AI credits, integrations, and meetings.
5. Files, Messages, And Email
File Storage
Uploaded files are stored in managed application storage and referenced from document records.
Client Upload Limits
Client document uploads include a server-side maximum file size of 3 MB and a maximum of 15 documents per project.
Email Rendering
HTML email content displayed through the Gmail integration is sanitized before being inserted into the page.
Notifications
The platform stores in-app notifications by user and supports browser push notification subscriptions.
6. AI Data Use
Workspace Context
The AI features can use workspace context such as projects, tasks, documents, meetings, and chat-related data to answer prompts and perform actions requested by the user.
Review Required
AI outputs should be reviewed by users before being relied on, especially for generated tasks, schedules, summaries, or bulk actions.
Usage Records
The platform stores AI conversations, messages, credit usage, and request usage records to support the AI experience and plan limits.