Security & Trust
Switchy reads your team’s chat and can act on connected tools — so trust is the product. Here is exactly what it does, what it doesn’t, and how it’s built.
What Switchy does
- Keeps each organization’s memory, messages, connections, and secrets walled off from every other org (enforced in SQL, proven by a CI merge-gate test suite).
- Stores connector credentials in a secrets vault (GCP Secret Manager) — never in our database, never in a log, never in a model prompt. A CI guard fails the build if a secret could leak.
- Requires explicit human approval before any side-effecting action (send an email, post a message, delete) — from every surface, even if a message tries to trick the AI.
- Responds only to explicit @mentions, and only reads channels you’ve linked it to.
- Lets an admin pause, revoke, kill, export, and delete — each action audited.
What Switchy never does
- Read a channel it isn’t linked to, your DMs, or another member’s private memory.
- Train models on your content. Inference is routed through OpenRouter with provider-side training/retention disabled where offered.
- Send your credentials to a model. The model sees the conversation and the memory it needs — never a token.
- Take a sensitive action on its own. A human approves first.
Credential-injection architecture
Connector credentials live in a secrets vault, not our database. When the bot calls a tool, the credential is injected at the moment of the outbound request and discarded — it is never placed in the model’s context, returned in tool output, or written to a row or log. Each vault reference is bound to its owning organization, so a reference can only ever be resolved within that org.
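The pattern described above, sketched as an added example (not Switchy's own code): the model layer passes only an opaque vault reference, the executor resolves it inside the owning org at request time, and the tool output is scrubbed before it goes back. The in-memory `VAULT`, `ToolCall`, `resolve`, `execute` and `echo_transport` are hypothetical names, and the token is a constructed value.

```python
from dataclasses import dataclass

# Constructed stand-in for a secrets vault: reference -> (owning org, secret).
# A real deployment would call its vault service here instead.
VAULT = {"ref-acme-mail": ("org-acme", "tok-constructed-123")}


class CrossOrgReference(Exception):
    """A vault reference was resolved outside its owning organization."""


@dataclass(frozen=True)
class ToolCall:
    org_id: str     # organization on whose behalf the call runs
    vault_ref: str  # opaque reference; the only credential-related value upstream code holds
    url: str
    body: str


def resolve(org_id, vault_ref):
    """Return the secret only if the reference belongs to the calling org."""
    owner, secret = VAULT[vault_ref]
    if owner != org_id:
        raise CrossOrgReference(vault_ref)
    return secret


def execute(call, transport):
    """Inject the credential into the outbound request, then return scrubbed output."""
    secret = resolve(call.org_id, call.vault_ref)
    headers = {"Authorization": f"Bearer {secret}"}
    status, response_body = transport(call.url, headers, call.body)
    # The upstream may echo the credential; redact before anything reaches
    # the model context, a database row, or a log line.
    return {"status": status, "output": response_body.replace(secret, "[REDACTED]")}


def echo_transport(url, headers, body):
    """Constructed upstream that echoes the auth header: the worst case for leakage."""
    return 200, f"received {body!r} with {headers['Authorization']}"


if __name__ == "__main__":
    ok = ToolCall("org-acme", "ref-acme-mail", "https://mail.example/send", "hello")
    print(execute(ok, echo_transport))
    try:
        execute(ToolCall("org-other", "ref-acme-mail", ok.url, "x"), echo_transport)
    except CrossOrgReference as exc:
        print("blocked cross-org resolution of", exc)
```
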
The approval model
Read actions (search, fetch, recall) run freely. Any side-effecting action — send, post, create, delete, pay — is classified as sensitive and routed to explicit human approval before it runs. This is structural: even a successful prompt injection in channel content cannot trigger a real-world action, because the action still waits for a person to approve it.
Tenant isolation
Memory, connections, secrets, and messages are scoped per organization, and private memory is scoped to its single owner — enforced at the SQL layer. A consolidated cross-user and cross-tenant leak suite runs as a required CI check on every change; a red test blocks the merge.
Sub-processors
| Sub-processor | Purpose |
|---|---|
| Google Cloud | Hosting, database, secrets (encrypted at rest) |
| OpenRouter | Model inference routing |
| Anthropic / OpenAI / Google (via OpenRouter) | Model inference |
| Ably | Realtime message delivery |
| Stripe | Billing (no chat content) |
| Composio | Outbound tool execution |
A current sub-processor list and a Data Processing Agreement (DPA) are available on request — email security@switchy.build. Compliance status (SOC 2, GDPR/CCPA) is tracked on our roadmap.