Skip to main content

Security

Private business apps need boring, explicit controls.

Commands.com designs deployments around local-first data, least-privilege connectors, approval gates, audit trails, and owner-enabled support sessions.

Deployment Principles

The app should be useful without becoming a black box.

Local-first where it matters

Email history, embeddings, indexes, workflow state, and audit data can be kept local or in client-approved storage depending on the deployment.

Least-privilege connectors

Mail, spreadsheet, and document access is scoped to what the workflow needs. Connector permissions are reviewed during implementation.

Approval before action

High-stakes actions, especially client-visible messages and record changes, can be routed through human approval before the app acts.

Audit by default

The app can record prompts, retrieved context, generated drafts, reviewer decisions, sends, and workflow state changes for later review.

Remote Support

Commands communication is off by default.

When Commands communication is embedded in a client app, the owner controls it. It can be toggled on for a specific support session, then disabled again when updates, troubleshooting, or support work is complete.

Support boundaries

Off by default

Commands communication is disabled unless the owner turns it on inside the app.

Session-scoped

The owner can enable communication for one support session and disable it again afterward.

Scoped changes

Updates and troubleshooting should target the deployed app and approved workflow surfaces.

Visible history

Support-relevant actions can be logged so the firm can inspect what changed and why.

Controls By Layer

Security is designed into each workflow layer.

Mail

OAuth or delegated access, limited mailbox scope where possible, draft-before-send workflows, and human approval for sensitive replies.

Spreadsheets

Explicit read/write boundaries, status change audit, reviewer approval for destructive or client-impacting updates.

Corpus

Client-approved source selection, private indexing, retrieval traces, and exclusion rules for sensitive or irrelevant records.

Models

Provider choice is deployment-specific. Workflows can route different stages to different models and keep review gates around outputs.

People

Role-specific views, approval queues, commander access boundaries, owner-controlled support toggles, and clear ownership of final actions.

No Empty Compliance Claims

We keep the public claims practical.

Certifications, retention policies, model-provider terms, and deployment controls should be reviewed for each client. We do not want the website promising a compliance posture that has not been scoped for the actual deployment.

Security Questions

Walk through the workflow before trusting it.

The safest implementation starts by naming what the app can read, what it can draft, what it can change, and what always requires a person.

Ask A Security Question