KeystoneIQ Security Overview
This document provides security information for vendor reviews and compliance inquiries. KeystoneIQ is the product; Intellibricks Inc. is the operating company.
AI Data Handling
- Data is transmitted to AI providers via encrypted connections for brief generation only.
- Under API terms with our providers, customer content is not used for model training.
- We do not store prompt/completion logs beyond what is needed to deliver the Service.
Data Protection
- Encryption in transit: All traffic uses TLS (HTTPS).
- Encryption at rest: Integration credentials are encrypted at rest. Database encryption follows our hosting provider's standards.
- Keys and tokens are never logged.
Access Controls
- Authentication: Email/password, Google, Microsoft sign-in. Enterprise SSO (SAML) coming soon.
- Two-factor authentication: TOTP-based MFA available for all users.
- Role-based access: Owners manage workspace settings, billing, and team. Members can view and interact with intelligence.
- Data isolation: All data is scoped to your workspace. Multi-tenant isolation ensures no cross-workspace data access.
- API keys: Owner-only creation and revocation. Scoped per workspace. Never logged.
Audit Logging
Sensitive operations are logged for compliance review, including API requests, authentication events, and administrative actions. Logs are append-only with no credentials stored.
Rate Limiting
API endpoints are rate-limited to prevent abuse. Sensitive operations have stricter limits.
Data Retention
- User data retained while workspace is active.
- Export and deletion available from account settings, supporting GDPR right to erasure.
Incident Response
- Report: support@keystoneiq.ai
- Process: Containment, investigation, notification to affected customers without undue delay per applicable law (including GDPR Art 33/34 where applicable).
Compliance
- GDPR: Export and delete capabilities; data processing aligned with controller obligations. DPA available upon request.
- PIPEDA: Accountable under Canadian federal privacy law.
- CCPA/CPRA: We do not sell personal information.
Infrastructure
- Application and data processing run on managed cloud infrastructure in the United States with encryption in transit and at rest.
- Database backups are managed by our hosting provider.
- Infrastructure providers maintain industry-standard security certifications.
- KeystoneIQ is responsible for application-level controls: access management, audit logging, credential encryption, and incident response.
Integration Data Access
When you connect an integration, KeystoneIQ syncs data according to each provider's authorization model. All workspace members can see synced data within KeystoneIQ. Integration credentials are encrypted at rest using AES-256-GCM.
Access scoping varies by provider. Some providers grant portal-wide or org-wide access once a user authorizes the connection (HubSpot, Gong); others honor the connecting user's row-level permissions (Salesforce, Pipedrive, Zoho); others are strictly per-user (Notion, Confluence). Review the Authorization Scope column carefully, and for regulated environments, connect a dedicated integration user with least-privilege scopes (see guidance below).
| Integration | Auth Method | Authorization Scope | Data Accessed | Workspace Visibility |
|---|---|---|---|---|
| HubSpot | OAuth 2.0 | Portal-level: once authorized, KeystoneIQ can read all objects matching the granted scopes across the entire HubSpot portal, regardless of the connecting user's in-app permissions | Deals, companies, contacts (scopes: crm.objects.deals.read, crm.objects.companies.read, crm.objects.contacts.read) | All workspace members |
| Salesforce | OAuth 2.0 | User-level: respects the connecting user's profile, role hierarchy, sharing rules, and field-level security | Opportunities and accounts visible to the connecting user (scopes: api, id, refresh_token) | All workspace members |
| Pipedrive | OAuth 2.0 | User-level: respects the connecting user's visibility groups | Deals visible to the connecting user | All workspace members |
| Zoho CRM | OAuth 2.0 | User-level: respects the connecting user's role and data-sharing rules | Deals visible to the connecting user | All workspace members |
| Copper | OAuth 2.0 | User-level: respects the connecting user's permissions | Opportunities visible to the connecting user | All workspace members |
| Gong | API Key | Org-level: API keys authorize read access across the Gong org, not a specific user | Call transcripts (last 14 days), competitor mentions | All workspace members |
| Zendesk | API Token | Agent-level: scoped to the agent whose token is issued; inherits that agent's ticket visibility | Support tickets visible to the token's agent | All workspace members |
| Intercom | Access Token | Workspace-level: token authorizes read access across the Intercom workspace | Conversations, competitor mentions | All workspace members |
| Notion | OAuth 2.0 (per-user) | Per-user, per-page: each KeystoneIQ user connects individually; only pages explicitly shared with their integration are accessible | Pages explicitly granted during OAuth authorization | Only the connecting user's pages sync, but results are visible to all workspace members |
| Confluence | OAuth 2.0 (per-user) | Per-user, space-scoped: each KeystoneIQ user connects individually; access follows that user's Confluence space permissions | Pages in spaces accessible to the connecting user | Only the connecting user's pages sync, but results are visible to all workspace members |
| Cloud file storage (Drive / SharePoint / OneDrive / Dropbox / Box) | OAuth 2.0 (per-account) | User-level: honors the connecting account's folder and file permissions in the underlying provider | Files and folders visible to the connecting account | All workspace members |
| Slack | OAuth 2.0 (webhook) | Channel-level: webhook posts to a specific channel; KeystoneIQ never reads Slack messages | Outbound notifications only, no data is read from Slack | N/A (outbound only) |
| Microsoft Teams | Webhook URL | Channel-level: webhook posts to a specific channel; KeystoneIQ never reads Teams messages | Outbound notifications only, no data is read from Teams | N/A (outbound only) |
| Google Analytics 4 | OAuth 2.0 | Property-level: respects the connecting user's GA4 property access | Aggregated traffic metrics for the configured property | All workspace members |
| Klaviyo | API Key | Account-level: read scopes on the Klaviyo account | Aggregated list/campaign metrics | All workspace members |
| SEMrush | API Key | Account-level: read scopes on the SEMrush account | Competitor keyword and traffic data | All workspace members |
| G2 | API Key | Account-level: G2 review feed | Competitor review data | All workspace members |
| Company Enrichment (Clearbit) | API Key | Service-level: enrichment lookups on domains you provide | Public firmographic data for competitors you track | All workspace members |
Dedicated Integration User (recommended for regulated environments)
For enterprise deployments, we strongly recommend connecting KeystoneIQ using a dedicated integration user rather than a named employee's account. This provides predictable, auditable access scoping, avoids disruption if the employee leaves, and maps cleanly to least-privilege principles.
- HubSpot: Create a user with only the required crm.objects.*.read scopes enabled. Because HubSpot grants portal-level access on authorization, the scopes are the only real boundary. Keep them minimal.
- Salesforce: Create a dedicated Integration User profile with a permission set limited to read access on Opportunity and Account. Apply sharing rules and field-level security to further restrict what KeystoneIQ can see.
- Pipedrive / Zoho / Copper: Create a read-only user assigned to only the visibility groups / roles whose deals should flow into KeystoneIQ.
- Gong: Use a scoped API key rather than an admin-level key if available on your plan.
- Zendesk: Issue an API token for a dedicated agent whose ticket views match the tickets you want KeystoneIQ to analyze.
- Notion / Confluence / cloud file storage: These are already per-user or per-account scoped. Share only the spaces/folders containing competitive material with the KeystoneIQ integration.
- GA4: Grant the dedicated user Viewer role on only the properties whose traffic data should flow into briefs.
Data Processing Agreement
If your organization requires a DPA for GDPR or similar regulatory compliance, contact support@keystoneiq.ai.
Public API (/api/v1/*) CORS policy
The public REST API at /api/v1/* returns Access-Control-Allow-Origin: * to allow integrations (Zapier, Make, custom scripts) to call it from any origin. This is safe by design because:
- No cookie-based auth. The API accepts Bearer tokens only (Authorization: Bearer sk_...). Access-Control-Allow-Credentials is explicitly false, so browsers will not attach cookies on cross-origin requests even if an attacker tries to force them.
- API keys are workspace-scoped and revocable. Every call is authenticated with an HMAC-SHA256-hashed key tied to a single workspace; owners can rotate or revoke at any time from Settings → API.
- Per-IP rate limiting. /api/v1/* is guarded by a 60-req/min sliding-window limit (see lib/ip-rate-limit.ts) to prevent brute-force key guessing.
- Session-cookie routes are NOT part of this policy. All user-session APIs (/api/workspace/*, /api/invites/*, etc.) rely on same-origin cookie delivery under Next.js defaults and do not emit a wildcard CORS header.
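The policy above, sketched as an added example (not KeystoneIQ's code and not the contents of lib/ip-rate-limit.ts): wildcard CORS only under /api/v1/, a Bearer-only check, and a 60-per-minute sliding window per IP. The function and class names, the sample path, and the explicit `now` parameter are assumptions made for illustration.

```typescript
// Added example: hypothetical names, not KeystoneIQ's lib/ip-rate-limit.ts.
type HeaderMap = Record<string, string>;

const PUBLIC_PREFIX = "/api/v1/";
const LIMIT = 60;        // requests per window (figure from the page)
const WINDOW_MS = 60000; // one minute

// Wildcard CORS only for the public API; session-cookie routes emit nothing,
// so browsers keep them same-origin.
function corsHeaders(path: string): HeaderMap {
  if (!path.startsWith(PUBLIC_PREFIX)) return {};
  return {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "false",
  };
}

// Sliding-window log: per IP, timestamps of requests admitted in the last window.
class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();
  private limit: number;
  private windowMs: number;
  constructor(limit: number = LIMIT, windowMs: number = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
  }
  allow(ip: string, now: number): boolean {
    const recent = (this.hits.get(ip) ?? []).filter((t) => now - t < this.windowMs);
    const ok = recent.length < this.limit;
    if (ok) recent.push(now);
    if (recent.length > 0) this.hits.set(ip, recent);
    else this.hits.delete(ip); // drop idle IPs so the map does not grow forever
    return ok;
  }
}

// Gate run before key lookup. The limiter is consulted first so that requests
// with bad or missing keys still consume budget (that is what slows guessing).
function admit(limiter: SlidingWindowLimiter, path: string, ip: string,
               authorization: string | undefined, now: number) {
  const headers = corsHeaders(path);
  if (!limiter.allow(ip, now)) return { status: 429, headers };
  // Bearer tokens only; cookies are never consulted on this route.
  if (!authorization || !/^Bearer sk_\S+$/.test(authorization)) return { status: 401, headers };
  return { status: 200, headers }; // 200 here means "passed on to key verification"
}
```
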
Last updated: April 29, 2026