Security and Compliance
Security in Linquid is layered across identity, permissions, integrations, and data handling.

Authentication and account protection
Use:
- strong password policy (minimum complexity requirements)
- optional 2FA where available
- session review and revoke workflows
- controlled email change and recovery flows
- anti-bot checks during signup/signin
- account lockout behavior after repeated failed logins
- verify-first onboarding so unverified users do not fully activate
Session and identity hygiene
Recommended operational practices:
- enforce strong credentials and enable 2FA for privileged users.
- review active sessions during offboarding and incident response.
- revoke stale sessions after suspicious login or device loss.
- verify social/OAuth account links only for authorized personnel.
Workspace access hardening
- apply least-privilege roles
- review owner/admin membership regularly
- monitor invite and permission changes
Role and permission governance
| Control | Why it matters | Operational cadence |
|---|---|---|
| Owner/admin roster review | Prevent privilege drift | Monthly |
| Invite policy review | Reduce unauthorized workspace access | Monthly |
| Role assignment review | Keep access least-privilege | Quarterly |
| Service account key review | Reduce unattended credential risk | Monthly |
Enterprise identity controls
Enterprise workspaces can use:
- SAML SSO for centralized login
- SSO enforcement for approved email domains
- SCIM provisioning for user/group lifecycle automation

- Stage SSO rollout with pilot users first.
- Confirm emergency break-glass owner access process.
- Validate SCIM deprovisioning before broad rollout.
- Keep identity-provider metadata and certificates current.
Integration and webhook safety
- validate provider signatures
- rotate secrets on schedule
- isolate test and production delivery configurations
- monitor retry/error patterns
- verify signature in your receiver
- enforce idempotency on receiver side
- test destination before enabling in production
Webhook security controls checklist
- Validate signature on every delivery.
- Reject duplicate/replayed events in receiver logic.
- Process events idempotently by event identifier.
- Keep destination authentication separate from signature validation.
- Rotate webhook secret on schedule or after incident.
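The receiver-side controls above (signature validation, replay rejection, idempotent processing by event id) as an added example; this is not Linquid's own code and the header format, signing scheme and payload shape are assumptions, since the page does not document them:

```python
import hashlib
import hmac
import json

# Assumed header format (not documented on this page): "t=<unix ts>,v1=<hex hmac>",
# where v1 = HMAC-SHA256(secret, "<ts>.<raw body>").
TOLERANCE_SECONDS = 300

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the header a sender would attach (used here only to construct sample deliveries)."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"

def verify(secret: bytes, header: str, body: bytes, now: int) -> bool:
    """Check the signature over the raw body and reject deliveries outside the time window."""
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        ts, given = int(parts["t"]), parts["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # too old or future-dated: treat as a replay
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, given)  # constant-time comparison

def event_body(event_id: str, kind: str) -> bytes:
    """Constructed sample payload; the real event schema is not shown on this page."""
    return json.dumps({"id": event_id, "type": kind}).encode()

class Receiver:
    """Webhook receiver: verify first, then process each event id at most once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen: set[str] = set()  # use durable storage (database/cache) in production
        self.processed: list[dict] = []

    def handle(self, header: str, body: bytes, now: int) -> str:
        if not verify(self.secret, header, body, now):
            return "rejected:bad-signature"
        event = json.loads(body)
        if event["id"] in self.seen:
            return "ignored:duplicate"  # replayed or retried delivery
        self.seen.add(event["id"])
        self.processed.append(event)
        return "processed"
```

Verify against the raw request bytes before parsing, and keep the `seen` set in storage shared by all receiver instances so retries landing on a different worker are still deduplicated.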
API key safety
- create scoped keys for specific automations
- rotate keys and disable unused keys
- avoid exposing keys in client-side code
- API keys: server-side privileged automation
- publishable keys: browser-safe tracking use only
Data protection and privacy practices
- limit exposed customer data by role and operational need.
- avoid sharing export files outside approved finance/ops channels.
- set clear retention policy for customer and conversion data.
- document incident handling process for potential data exposure.
Compliance operations
- maintain audit trails for critical settings
- document retention and deletion obligations
- run periodic access and incident response drills
Incident categories and first response
| Incident type | First response action | Secondary action |
|---|---|---|
| Credential exposure | Rotate affected key/secret immediately | Audit impacted operations and restore safe credentials |
| Suspicious workspace access | Revoke sessions and review invites/roles | Enforce 2FA and review identity controls |
| Webhook abuse or replay | Pause webhook destination if needed | Rotate secret and validate receiver idempotency |
| Integration data mismatch | Pause integration sync if risk is high | Reconcile events and re-enable with guardrails |
Monthly security checklist
- Review owner/admin/member roster and stale invites.
- Rotate any high-risk integration/webhook secrets.
- Disable unused API keys and publishable keys.
- Validate domain verification and HTTPS redirect surfaces.
- Confirm billing and payout notification routing for incident response.