Security Model
When AI has access to your company’s knowledge, security is not optional. Contextful’s security model is built on Hakiri’s capability-token architecture — designed for a world where agents are first-class principals.
Principles
- Data never leaves your control — local-first sync means your data lives on your devices in encrypted open formats
- Agents see only what they should — per-agent scoping via capability tokens, not broad “AI has access to everything”
- Every access is auditable — full trail of who (human or agent) read what, when, with what authorization
- Permissions are code, not config — diffable, reviewable, version-controlled
Access control
| Role | What they can do |
|---|---|
| Owner | Full control — billing, member management, delete workspace |
| Admin | Manage connections, deploy recipes, configure permissions |
| Member | Use agents within their scope, view their audit trail |
| Guest | Read-only access to specific recipes (e.g., auditor access) |
Per-agent scoping
Each recipe defines which data sources and fields the agent can access. When a Member asks a question, the agent is further scoped to that member’s permissions.

```mermaid
graph LR
    U[User: Member, Sales team] --> T[Capability Token]
    T --> A[Agent: Contract Renewal Tracker]
    A --> CRM[CRM data ✓]
    A --> EMAIL[Email ✓]
    A --> GL[General Ledger ✗]
```

The agent cannot access data outside the intersection of (recipe scope) AND (user permissions).
Encryption
| Layer | Method |
|---|---|
| In transit | TLS 1.3 / mTLS for sync |
| At rest (cloud) | AES-256, org-scoped keys |
| At rest (local) | OS keychain-managed encryption |
| Secrets | Never stored in context — resolved at connector runtime via secret:// references |
Audit trail
Every interaction is logged:
- Who — user identity + agent identity (full subject tuple)
- What — which records accessed, which fields returned
- When — timestamp with millisecond precision
- Authorization — which capability token, what scope it granted
- Result — what the agent returned (for compliance review)
Viewable in the UI under Permissions → Activity. Exportable as JSON for compliance tooling.
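
The scoping rule from "Per-agent scoping" and the five audit items listed above, as an added example that is not Contextful's or Hakiri's code. The data shapes, function names, sample scopes and token id are assumptions made for illustration; the page does not document the real token or log format.

```python
import json
from datetime import datetime, timezone

# Constructed sample scopes: source name -> set of readable fields (assumed shape).
RECIPE_SCOPE = {
    "crm": {"account", "renewal_date", "contract_value"},
    "email": {"subject", "sender"},
}
USER_PERMS = {
    "crm": {"account", "renewal_date"},
    "email": {"subject", "sender", "body"},
    "general_ledger": {"balance"},  # user may read it, the recipe does not include it
}

def effective_scope(recipe, user):
    """Intersect recipe scope and user permissions per source and per field."""
    scope = {}
    for source in recipe.keys() & user.keys():
        fields = recipe[source] & user[source]
        if fields:  # deny by default: an empty intersection grants nothing
            scope[source] = fields
    return scope

def scoped_read(record, source, requested, scope, subject, token_id):
    """Return only in-scope fields plus an audit entry covering the five audit items."""
    allowed = scope.get(source, set())
    result = {f: record[f] for f in requested if f in allowed and f in record}
    audit = {
        "who": subject,  # user identity + agent identity
        "what": {
            "source": source,
            "fields_returned": sorted(result),
            "fields_denied": sorted(set(requested) - allowed),
        },
        "when": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "authorization": {
            "token": token_id,
            "scope": {s: sorted(f) for s, f in sorted(scope.items())},
        },
        "result": result,
    }
    return result, audit

def export_audit(entries):
    """Serialize audit entries as JSON for compliance tooling."""
    return json.dumps(entries, indent=2)
```

Logging denied fields alongside returned ones lets a reviewer see when an agent asked for data outside its scope, not only what it received.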
Compliance posture
| Standard | Status |
|---|---|
| SOC 2 Type II | Target: 12 months post-GA |
| GDPR | Data residency options (EU/US), right-to-erasure flows |
| HIPAA | Architecture supports BAA; not offered at launch |
LLM data handling
- Contextful does not train models on your data
- Queries are sent to the LLM provider (configurable: Anthropic, OpenAI, local)
- The full context store is never sent to the LLM — only retrieved snippets relevant to the query
- Local inference option available for sensitive workloads (Business tier)