Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.linquid.io/llms.txt

Use this file to discover all available pages before exploring further.

Security and Compliance

Security in Linquid is layered across identity, permissions, integrations, and data handling.

Authentication and account protection

Use:
  • strong password policy (minimum complexity requirements)
  • optional 2FA where available
  • session review and revoke workflows
  • controlled email change and recovery flows
Operational safeguards include:
  • anti-bot checks during signup/signin
  • account lockout behavior after repeated failed logins
  • verify-first onboarding so unverified users do not fully activate

Session and identity hygiene

Recommended operational practices:
  • enforce strong credentials and enable 2FA for privileged users.
  • review active sessions during offboarding and incident response.
  • revoke stale sessions after suspicious login or device loss.
  • verify social/OAuth account links only for authorized personnel.

Workspace access hardening

  • apply least-privilege roles
  • review owner/admin membership regularly
  • monitor invite and permission changes

Role and permission governance

ControlWhy it mattersOperational cadence
Owner/admin roster reviewPrevent privilege driftMonthly
Invite policy reviewReduce unauthorized workspace accessMonthly
Role assignment reviewKeep access least-privilegeQuarterly
Service account key reviewReduce unattended credential riskMonthly

Enterprise identity controls

Enterprise workspaces can use:
  • SAML SSO for centralized login
  • SSO enforcement for approved email domains
  • SCIM provisioning for user/group lifecycle automation
When SSO enforcement is enabled, password login for that domain should be blocked in favor of SSO. Operational guidance:
  1. Stage SSO rollout with pilot users first.
  2. Confirm emergency break-glass owner access process.
  3. Validate SCIM deprovisioning before broad rollout.
  4. Keep identity-provider metadata and certificates current.

Integration and webhook safety

  • validate provider signatures
  • rotate secrets on schedule
  • isolate test and production delivery configurations
  • monitor retry/error patterns
For outbound webhooks:
  • verify signature in your receiver
  • enforce idempotency on receiver side
  • test destination before enabling in production

Webhook security controls checklist

  1. Validate signature on every delivery.
  2. Reject duplicate/replayed events in receiver logic.
  3. Process events idempotently by event identifier.
  4. Keep destination authentication separate from signature validation.
  5. Rotate webhook secret on schedule or after incident.

API key safety

  • create scoped keys for specific automations
  • rotate keys and disable unused keys
  • avoid exposing keys in client-side code
Also separate credential classes clearly:
  • API keys: server-side privileged automation
  • publishable keys: browser-safe tracking use only

Data protection and privacy practices

  • limit exposed customer data by role and operational need.
  • avoid sharing export files outside approved finance/ops channels.
  • set clear retention policy for customer and conversion data.
  • document incident handling process for potential data exposure.

Compliance operations

  • maintain audit trails for critical settings
  • document retention and deletion obligations
  • run periodic access and incident response drills

Incident categories and first response

Incident typeFirst response actionSecondary action
Credential exposureRotate affected key/secret immediatelyAudit impacted operations and restore safe credentials
Suspicious workspace accessRevoke sessions and review invites/rolesEnforce 2FA and review identity controls
Webhook abuse or replayPause webhook destination if neededRotate secret and validate receiver idempotency
Integration data mismatchPause integration sync if risk is highReconcile events and re-enable with guardrails

Monthly security checklist

  1. Review owner/admin/member roster and stale invites.
  2. Rotate any high-risk integration/webhook secrets.
  3. Disable unused API keys and publishable keys.
  4. Validate domain verification and HTTPS redirect surfaces.
  5. Confirm billing and payout notification routing for incident response.
Related:
  • /user-guides/manual/workspace/workspaces-and-access
  • /user-guides/manual/data/data-retention-and-lifecycle