An agent drafts a follow-up, resolves your WhatsApp credential, and sends the message — in a few seconds, while you’re in a meeting. For that to be safe, every step has to be authenticated, scoped to your organization, and written to a log you can read back later. That’s what this page covers: the auth model, encryption, audit trail, and incident response sitting underneath every action an agent takes on your behalf. The work leaves your plate; the accountability stays on the record.

Principles

Security at Apollo Space follows three principles:

Defense in depth

Multiple independent layers — if one fails, the next one still holds. We don’t rely on a single line of defense.

Auditable

Every access, every change, every billable call generates an append-only log. You (and external auditors) can reconstruct any event.

No sensitive data in transit

Third-party credentials, payment data, secrets — all stored encrypted. Apollo Space only decrypts at the moment and in the context where it’s needed.

Authentication and authorization

  • Cognito (AWS) as the identity provider — federated with Google, email/password + optional MFA
  • Tokens with short expiration (id-token expires in hours; refresh expires in days)
  • Sessions in one org are isolated from sessions in other orgs (login carries no cross-org context)
  • MFA strongly recommended for all Owners + Admins
  • Hierarchical roles per org: Owner > Admin > Member > Viewer
  • Each operation checks the required role before executing
  • Admins cannot modify Owners — guards against privilege escalation from a compromised account
  • Reads and writes that touch customer data pass through an additional isolation layer in the database (see Multi-tenant)
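As an added illustration (not Apollo Space's own code), the checks listed above modeled in Python: a session bound to exactly one org, a rank-ordered role check per operation, the Admin-cannot-modify-Owner guard, and an append-only audit entry for every decision, allowed or denied. The operation names and their role thresholds are assumed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import time

# Role hierarchy from the page: Owner > Admin > Member > Viewer (higher rank = more authority).
ROLE_RANK = {"Viewer": 0, "Member": 1, "Admin": 2, "Owner": 3}
# Minimum role per operation; the operations and thresholds are assumed for illustration.
REQUIRED_ROLE = {
    "view_leads": "Viewer",
    "connect_integration": "Admin",
    "change_role": "Admin",
    "billing_admin": "Owner",
}

@dataclass(frozen=True)
class Session:
    user: str
    org: str   # a login carries exactly one org context, never a cross-org one
    role: str

@dataclass(frozen=True)
class AuditEntry:
    ts: float
    user: str
    org: str
    action: str
    allowed: bool
    reason: str

class AuditLog:
    # Append-only: entries can be added and read back, never edited or deleted.
    def __init__(self) -> None:
        self._entries: list = []
    def append(self, entry: AuditEntry) -> None:
        self._entries.append(entry)
    def entries(self) -> Tuple[AuditEntry, ...]:
        return tuple(self._entries)

def authorize(session: Session, org: str, action: str, audit: AuditLog,
              target_role: Optional[str] = None) -> bool:
    # Decide one operation and always record the decision before returning it.
    if session.org != org:
        allowed, reason = False, "session is scoped to a different org"
    elif ROLE_RANK[session.role] < ROLE_RANK[REQUIRED_ROLE[action]]:
        allowed, reason = False, f"requires {REQUIRED_ROLE[action]}, has {session.role}"
    elif target_role == "Owner" and session.role != "Owner":
        allowed, reason = False, "only an Owner may modify an Owner"  # escalation guard
    else:
        allowed, reason = True, "ok"
    audit.append(AuditEntry(time.time(), session.user, org, action, allowed, reason))
    return allowed
```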

Encryption

Where / How
  • Data in transit: TLS 1.3 on all client ↔ server communication
  • Data at rest (database): Provider-managed encryption (AWS RDS with KMS)
  • Third-party credentials (Tavily, Twilio, Apify, etc.): Encrypted with a dedicated key — Apollo Space decrypts only at time of use
  • Infrastructure secrets: AWS Secrets Manager + IAM with least-privilege
No Apollo Space operator can read third-party credentials in plain text by manually inspecting the database — the encryption key lives in a separate system with audited access.

Third-party credentials

When you connect integrations (WhatsApp/Twilio, Tavily, Apify, Composio), credentials (API keys, OAuth tokens) are:
  • Encrypted in the database with a dedicated key
  • Isolated per organization — another Apollo Space customer cannot see your credentials
  • Accessed only by the backend when a legitimate call requests it — never sent to the frontend
  • Audit-logged — every time a credential is resolved for use, a record is kept: which user/agent, which operation, when
You can rotate credentials at any time (just paste the new one) or revoke them by disconnecting the integration (this deletes the credential from the database). We recommend rotating keys for critical integrations (Twilio, Apify) periodically or whenever a team member with access leaves the team.

Audit log

Every relevant action generates an entry in the org’s audit log:
  • User login / logout
  • Role changes (who promoted whom)
  • Integration connections / disconnections
  • Outbound message delivery (email, WhatsApp)
  • Lead modifications
  • Administrative billing operations
The log is append-only — nothing is deleted or edited retroactively. Owners + Admins can inspect it at any time; external auditors can be provisioned as Viewer + read access to the audit log.

Incident response

If you suspect any security incident (unauthorized access, leaked credential, unusual behavior):

Report immediately

Email: security@apollospace.ai. Response within 24 business hours.
For incidents affecting customer data, Apollo Space follows:
  1. Identification + containment (first hours)
  2. Notification to affected parties per applicable regulatory timeline
  3. Public postmortem after resolution (no sensitive data included)

Compliance

Apollo Space designs its privacy and security practices with the LGPD as the primary reference — a documented data protection model, processes for exercising data subject rights, and a contact channel for the data protection officer.
Other certifications (SOC 2, ISO 27001) are under consideration on the roadmap as the product matures and enterprise customer demand grows. Additional privacy and security documentation is available under NDA — contact security@apollospace.ai if your compliance program requires formal evidence.

Next steps

Multi-tenant

Isolation detail between organizations.

Organizations

The role model in detail.