Security and trust

Use company context without handing it to a black box.

NUMI is only useful if you can trust it with the context your team already protects. So every source is scoped, every risky action is approval-gated, and every decision leaves an audit record you can export.

How context flows

Three steps, each one gated.

01 / ASK: Someone asks

In Slack, Teams, or the hosted surface. NUMI sees only the channels admins connected.

02 / RETRIEVE: NUMI retrieves approved context

Retrieval is filtered by workspace, source permissions, and the asking user's access before anything is ranked or summarized.

03 / DELIVER: Work comes back, cited

Answers cite their sources. Anything risky — external sends, new tools, broader knowledge — waits for human approval.

  • Tenant isolation: Workspace scope is enforced before rendering or mutating tenant state. Cross-workspace requests fail closed.
  • Enterprise identity: SAML/OIDC SSO, SCIM or owner-approved provisioning, verified domains, session controls, and offboarding evidence.
  • Secrets by reference: Raw provider, OAuth, and tool credentials are never rendered or stored in product records — only secret references.
  • Approval gates: High-risk tool, provider, memory, export, retention, and workflow changes require explicit human review.
  • Audit and retention: Approvals, delivery, exports, retention, and access review produce durable, exportable, tenant-scoped audit records.
  • Knowledge OS controls: Memory retrieval is filtered by workspace and scope before ranking, summarization, or execution context assembly.
  • Model and tool policy: Provider routing, tool availability, spend posture, and data egress sit behind admin policy and runtime controls.

Connector boundaries

Know what each connector reads before you connect it.

Admins choose the sources for every connector before anything syncs. NUMI never stores raw credentials: tokens and signing secrets live behind secret references.

Slack (channels and threads)

Reads: The channels and threads admins approve as sources.

Never reads: Direct messages, unless someone invites NUMI into the conversation. Private channels only when NUMI is invited and an admin approves the source.

Microsoft Teams (team channels)

Reads: The team channels admins select through Microsoft Graph, and the threads inside them.

Never reads: Private chats, or teams outside the granted scope. NUMI joins a conversation only when invited.

Google Workspace (drive, docs, gmail)

Reads: The Drive folders, Docs, and Gmail scopes an admin grants as knowledge sources.

Never reads: Anything outside those grants. OAuth tokens are stored as secret references, never raw credentials.

Microsoft 365 (sharepoint, onedrive, outlook)

Reads: The SharePoint sites, OneDrive files, and Outlook mail inside the scopes an admin grants.

Never reads: Mailboxes or drives outside the grant. Graph credentials stay behind secret references, never raw tokens.

Honest about certifications.

SOC 2 and ISO 27001 certifications are not yet complete — we say so rather than imply otherwise. What exists today: a documented security model, deployment guide, launch-readiness evidence, and the controls on this page, all available for your security team's review.

  • Security packet available on request for formal review.
  • Production deployments require configured secrets, durable stores, and runtime egress boundaries.
  • Every claim on this page maps to a control you can inspect in the console.

Trust Center: tenant/isolation

  • Workspace scope: enforced
  • Secret display: redacted
  • Data export: permission gated

Let NUMI work with context without letting context wander.

NUMI separates channel UX from policy, execution, and tenant state. Production deployments should use durable stores, secret references, scoped API keys, and sandbox or remote-worker egress controls before enabling live tools.