What will your CISO ask about? Already covered.
Identity, access control, and an immutable change log are built in from the start.
Single sign-on with your identity provider
Connect Okta, Microsoft Entra ID, Google Workspace, Auth0, or any OIDC provider. PKCE flow for native apps. Auto-register on first login. Role claims map directly to RootCX roles.
You decide who can do what
Permissions like app:crm:contacts.read. Wildcards for broad access, per-app roles for scoped control. Agents get their own identity and permissions.
Immutable audit log at the database level
Captured by PostgreSQL triggers, not application hooks. Old value, new value, who, when, which record. Append-only, indexed, queryable.
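As an added illustration, not RootCX's own code, this is how a trigger-captured, append-only audit log of that shape can be built in PostgreSQL; the audit_log and contacts tables, their columns and the app.actor session setting are assumptions:

```sql
-- Constructed example: row-level trigger writes old/new values, actor, time and
-- record id into an append-only table, regardless of which client made the change.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    table_name  text        NOT NULL,
    record_id   text        NOT NULL,
    operation   text        NOT NULL CHECK (operation IN ('INSERT', 'UPDATE', 'DELETE')),
    actor       text        NOT NULL,
    changed_at  timestamptz NOT NULL DEFAULT now(),
    old_value   jsonb,      -- NULL on INSERT
    new_value   jsonb       -- NULL on DELETE
);
CREATE INDEX audit_log_record_idx ON audit_log (table_name, record_id, changed_at);

CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO audit_log (table_name, record_id, operation, actor, old_value, new_value)
    VALUES (
        TG_TABLE_NAME,
        (CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END)::text,
        TG_OP,
        -- assumed convention: the app runs SET LOCAL app.actor = '<user id>' per
        -- transaction; falls back to the database session user if unset
        COALESCE(NULLIF(current_setting('app.actor', true), ''), session_user),
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;  -- AFTER trigger: return value is ignored
END;
$$;

-- Any attempt to rewrite history is rejected inside the database itself.
CREATE OR REPLACE FUNCTION audit_log_is_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% blocked)', TG_OP;
END;
$$;
CREATE TRIGGER audit_log_no_rewrite
BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
FOR EACH STATEMENT EXECUTE FUNCTION audit_log_is_append_only();

-- Constructed table under audit, with the trigger attached.
CREATE TABLE contacts (id bigserial PRIMARY KEY, email text NOT NULL, owner text);
CREATE TRIGGER contacts_audit
AFTER INSERT OR UPDATE OR DELETE ON contacts
FOR EACH ROW EXECUTE FUNCTION audit_row_change();
```

The application role should additionally be granted only INSERT and SELECT on audit_log, since a table owner or superuser can still drop the guard trigger.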
Encrypted secret vault
API keys and credentials encrypted with AES-256-GCM before they reach the database. Never stored in plain text, never in API responses, never in logs.
Scoped per app or shared across the platform. Decrypted and injected at runtime. No separate secrets service to configure.
Your agents are not admin scripts
Each agent gets a deterministic identity and its own RBAC role. Every tool call is permission-checked. If the agent doesn't have access, the call is denied.
Three supervision modes: autonomous, supervised (approval required), and strict (every action signed off). Every decision logged in the same audit trail as human users.
Your data never leaves your network
Run the full product on your own servers. Docker + any PostgreSQL (Amazon RDS, Cloud SQL, Azure, on-prem). No feature gap between cloud and self-hosted.
Source-available under FSL-1.1-ALv2. Read the code, audit it, run it wherever compliance needs it.