# Security overview

Comind.work applies security at multiple layers - from authentication and network encryption through to fine-grained record-level access control. This page summarizes the key mechanisms.

## Authentication

Comind.work uses a dedicated auth server for token issuance and validation. The platform supports SSO, LDAP, and Active Directory integration for enterprise identity providers. See [Single sign-on (SSO)](/admin-guide/system-admin/single-sign-on-sso.md) for configuration details.

Two-factor authentication is available through SSO providers. Enterprise customers configure 2FA at the identity provider level. Standalone 2FA is also available by request for organizations that need it outside of SSO.

### AI agent access

MCP-based AI agent connections use a dedicated auth scope for AI operations. Each customer subscription receives its own OAuth credentials, so AI agent access is scoped per tenant.

## Authorization

Comind.work enforces a four-layer ACL model that evaluates permissions in order:

1. **Workspace** - top-level access to the workspace itself
2. **App** - access to a specific app within the workspace
3. **Record** - access to individual records
4. **Field** - visibility and editability of specific fields on a record

Groups provide team-based access control across all four layers. See [ACL evaluation order](/admin-guide/system-admin/acl-evaluation-order.md) for the detailed evaluation logic and precedence rules. For managing user accounts and access, see [Manage users](/admin-guide/system-admin/manage-users.md).
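As an added illustration of the ordered, four-layer model described above (not Comind.work's own code, and not the precedence rules documented on the ACL evaluation order page), the check below assumes that each layer must grant before the next is consulted and that a grant to the user or to any of their groups counts at every layer; the policy shape and sample data are constructed.

```python
# Added illustration of an ordered four-layer ACL check (workspace, app,
# record, field). Not Comind.work's implementation: the policy shape and the
# rule that each layer must grant before the next is consulted are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset = frozenset()

    def identities(self) -> set:
        # A grant to the user or to any of their groups counts at every layer.
        return {self.user, *self.groups}


def evaluate(policy: dict, who: Principal, workspace: str, app: str,
             record: str, fld: str, action: str = "read") -> tuple:
    """Return (allowed, deciding_layer). Layers are consulted in order and the
    first one that does not grant stops evaluation. A missing entry is a deny
    (fail closed), so a record-level grant cannot bypass a workspace deny."""
    ids = who.identities()
    for layer, key in (("workspace", workspace), ("app", app), ("record", record)):
        if not ids & policy[layer].get(key, set()):
            return False, layer
    table = policy["field_edit"] if action == "edit" else policy["field_read"]
    if not ids & table.get(fld, set()):
        return False, "field"
    return True, "field"


# Constructed sample policy: the set of identities granted per object at each layer.
POLICY = {
    "workspace": {"ws-1": {"sales", "managers"}},
    "app": {"crm": {"sales", "managers"}},
    "record": {"deal-42": {"alice", "bob", "managers"}},   # bob is granted here...
    "field_read": {"amount": {"sales", "managers"}},
    "field_edit": {"amount": {"managers"}},
}

ALICE = Principal("alice", frozenset({"sales"}))      # sales rep
BOB = Principal("bob")                                # ...but has no workspace access
CAROL = Principal("carol", frozenset({"managers"}))   # manager


def demo() -> dict:
    return {
        "alice_read": evaluate(POLICY, ALICE, "ws-1", "crm", "deal-42", "amount"),
        "alice_edit": evaluate(POLICY, ALICE, "ws-1", "crm", "deal-42", "amount", "edit"),
        "bob_read": evaluate(POLICY, BOB, "ws-1", "crm", "deal-42", "amount"),
        "carol_edit": evaluate(POLICY, CAROL, "ws-1", "crm", "deal-42", "amount", "edit"),
    }
```

Running `demo()` shows the ordering property: Bob's record-level grant never gets consulted because the workspace layer already denied him.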

## Data security

### Encryption in transit

All traffic between clients and the server is encrypted with SSL/TLS. Cloud-hosted deployments sit behind Cloudflare, which provides CDN caching and DDoS protection in addition to TLS termination.

### Multi-tenancy and data isolation

Cloud-hosted subscriptions share infrastructure with tenant isolation enforced through row-level filtering - every database query is scoped to the active subscription. Dedicated database instances are available for enterprise and self-hosted plans.

### Backups and disaster recovery

The platform includes backup and disaster recovery provisions. For self-hosted deployments, administrators manage their own backup schedules and retention policies.

## Application secrets

Sensitive configuration values - auth tokens, passwords, API credentials - are stored as server-side environment variables. These values are resolved at runtime by the backend and are never sent to the browser. See [Settings model](/developer-guide/building-blocks/settings-model.md) for how secrets are defined in app code.

## Audit trail

Comind.work maintains a full version history on records with field-level diffs. Every change is tracked - who made it, when, and exactly which fields were modified. Changes are captured in real time and stored alongside the record data.

## Hosting options

* **Cloud-hosted** - managed by Comind.work, behind Cloudflare
* **Self-hosted** - on-premise deployment for organizations with specific compliance or data residency requirements

See [server requirements](/admin-guide/system-admin/self-hosted-installation-server-requirements.md) for hardware and software prerequisites.

## Additional security options

* **Two-factor authentication** - available through SSO providers, or as standalone 2FA by request
* **Dedicated database** - available for enterprise and self-hosted plans for full data isolation
