Security Model

Security is built into every layer of Kiket so teams can adopt workflow-as-code with confidence.

Tenant Isolation

  • Organizations are the primary tenant boundary; every project, repository, and workflow repository is scoped to an organization.
  • Background jobs carry Current.organization to prevent cross-tenant access during sync and board generation.
  • Analytics data is segregated by organization with row-level security.

Secrets Management

  • Tokens (GitHub, Slack, extension secrets) are encrypted using the platform’s application-layer encryption, with per-environment master keys stored in Secret Manager.
  • Extension installs receive per-project API keys signed with HMAC.

GitHub Integration

  • Personal access tokens are stored encrypted, and only truncated values appear in logs.
  • Webhooks validate the shared secret generated per project (project.webhook_secret).
  • Sync jobs only read .kiket/ directories, not the entire repository history.
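
A sketch of per-project webhook validation, added here as an illustration and not taken from Kiket's code base. It assumes the check follows GitHub's documented `X-Hub-Signature-256` scheme (HMAC-SHA256 over the raw request body); `Project`, `PROJECTS`, `sign`, and `verify_webhook` are hypothetical names, and the secrets are constructed sample values.

```ruby
require "openssl"

# Hypothetical stand-in for the record that holds project.webhook_secret.
Project = Struct.new(:id, :webhook_secret)

# Constructed sample projects, each with its own secret.
PROJECTS = {
  "proj-a" => Project.new("proj-a", "constructed-secret-a"),
  "proj-b" => Project.new("proj-b", "constructed-secret-b")
}.freeze

# Signature in the form GitHub sends in X-Hub-Signature-256.
def sign(secret, raw_body)
  "sha256=" + OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
end

# Compare without an early exit, so timing does not reveal how many
# leading bytes of a forged signature were correct.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify against the secret of the project the delivery is addressed to.
# The HMAC must be computed over the raw bytes, before any JSON parsing.
def verify_webhook(project_id, raw_body, signature_header)
  project = PROJECTS[project_id]
  return :unknown_project if project.nil?
  return :missing_signature if signature_header.nil? || signature_header.empty?

  expected = sign(project.webhook_secret, raw_body)
  constant_time_equal?(expected, signature_header) ? :ok : :bad_signature
end
```

Because each project has its own secret, a signature that is valid for one project is rejected when replayed against another.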

Authentication & Authorization

  • Users sign in via passwordless email or OAuth providers (Google, GitHub) depending on your configuration.
  • Roles can be defined in team.yaml and mapped to permissions in the application.
  • Fine-grained scopes control extension and API access.

Compliance Roadmap

  • Audit logs capture administrative actions, workflow changes, and extension installations.
  • Zero-knowledge analytics design keeps sensitive event data encrypted at rest and in transit.
  • Planned features include field-level retention policies and configurable data residency.

Reach out to your account team for the hardened deployment checklist that covers infrastructure controls and monitoring practices.