Built on the CloudSwarm vault. Audited from end to end.

Credential vault

All third-party credentials used by Actium assistants — CRM tokens, email credentials, spreadsheet OAuth grants — are stored in the CloudSwarm vault. Credentials are encrypted at rest, decrypted only inside the skill execution sandbox, and never written to logs or returned to the Actium UI. The vault is backed by GCP Secret Manager. Business and Enterprise tenants can supply customer-managed encryption keys.

Skill execution boundaries

Every integration Actium can invoke (HubSpot, Salesforce, Jira, Slack, Gmail, and the rest) runs as a named CloudSwarm skill. Skills are sandboxed: they run with only the credential they declared, cannot read other skills' runtime state, and cannot make network calls to hosts not in the workspace allow-list. Actium cannot extend the skill sandbox; it can only invoke skills that already exist in the catalog.

Per-assistant audit trail

Every scheduled assistant run produces an immutable audit record: timestamp, assistant ID, skills invoked, credential names used (not values), outcome status, and an Ed25519-signed receipt from the CloudSwarm trust layer. Audit records are append-only and exportable. They cannot be deleted by workspace members; deletion requires a formal data-erasure request to Actium

Multi-tenant isolation

Each Actium workspace is isolated at the credential, policy, and audit-log layers. No workspace can read another workspace's data. Actium's CRM and Tasks surfaces are partitioned per-workspace and share no state across tenant boundaries.

Authentication

Actium uses Clerk for identity on the managed plan (clerk.actium.app). Supported login methods: email + password, magic link, and Google OAuth. Sessions are short-lived JWTs validated at every API boundary. Enterprise tenants can use SAML with their existing IdP (Okta, Azure AD, Google Workspace).

Data in transit and at rest

All data in transit between Actium clients and the API is encrypted with TLS 1.3. Database records, credential vault contents, and audit logs are encrypted at rest using AES-256. Encryption keys are managed in GCP KMS and rotated annually.

Vulnerability disclosure

Security reports go to [email protected]. We acknowledge critical reports within one business day and triage within three. In-scope: vault isolation breaks, authentication bypasses, multi-tenant boundary violations, audit-log tampering, skill sandbox escapes. Out-of-scope: denial-of-service against the marketing site, social engineering. Eligible reports receive acknowledgment under our coordinated-disclosure program.