01
Step 1
Protect workspace access
Use a unique password, keep account recovery details current, and invite each teammate separately rather than sharing credentials. Review the Team page when roles change.
02
Step 2
Protect API and webhook secrets
Store API keys and webhook signing secrets only in server-side secret storage. Never paste them into browser code, public repositories, screenshots, or support messages.
- Rotate a key if it may have been exposed
- Verify webhook signatures before processing payloads
- Grant access only to systems and people that need it
03
Step 3
Use customer data responsibly
Collect only the information needed to serve the customer, follow applicable privacy and messaging rules, and avoid placing highly sensitive personal information in AI instructions or general knowledge content.
