Encryption by default.
Role-based access.
Full audit trail. Nothing to configure.
Most automation platforms treat security as a premium feature. InTouch ships it in every edition and turns it on at install time. Secrets are encrypted before they hit disk. Every REST call carries a session token. Every job execution is logged with inputs and outputs. RBAC, LDAP, and CyberArk activate on Department and Enterprise. The buyer's security review finds the answers where the buyer expects them: already implemented, already on, already documented.
Secrets Are Encrypted Before They Hit Disk
AES-256-GCM for Secrets
Every credential's JSON payload — API keys, OAuth tokens, database passwords, SSH private keys — is encrypted with AES-256-GCM before being written to the database. The master key is pinned at server startup and never transits the wire.
bcrypt for Passwords
Publisher passwords (the human login credentials) are hashed with bcrypt, with the work factor tuned for 2026 hardware. No plaintext remains anywhere in process memory after authentication completes.
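The sealing step described above, as an added illustration of the pattern rather than InTouch's own code: a credential's JSON payload is encrypted with AES-256-GCM under a master key that only ever lives in process memory, and the credential name is bound in as associated data so a record copied under another name, or altered on disk, fails authentication. The key loader, record layout and sample token are constructed for the example; it assumes the `cryptography` package is installed.

```python
"""Credential vault sketch: seal a credential's JSON payload with AES-256-GCM
before it is persisted.  Added example, not InTouch's implementation.
Assumes the `cryptography` package is available."""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size GCM is specified for; fresh per record


def load_master_key() -> bytes:
    # Hypothetical loader: a real server reads the key once at startup (KMS,
    # environment, protected file).  Generated here so the sketch runs offline.
    return os.urandom(32)  # 32 bytes = AES-256


def seal_credential(master_key: bytes, name: str, payload: dict) -> dict:
    """Return the record to persist: name, nonce and ciphertext, no plaintext."""
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(payload, sort_keys=True).encode()
    ciphertext = AESGCM(master_key).encrypt(nonce, plaintext, name.encode())
    return {"name": name, "nonce": nonce.hex(), "ciphertext": ciphertext.hex()}


def open_credential(master_key: bytes, record: dict) -> dict:
    """Decrypt at execution time; raises InvalidTag if key, name or bytes differ."""
    plaintext = AESGCM(master_key).decrypt(
        bytes.fromhex(record["nonce"]),
        bytes.fromhex(record["ciphertext"]),
        record["name"].encode(),
    )
    return json.loads(plaintext)


def record_leaks(record: dict, secret: str) -> bool:
    """True if the stored form contains the secret verbatim (it must not)."""
    return secret in json.dumps(record)


def rejects(master_key: bytes, record: dict) -> bool:
    """True if the vault refuses the record (authentication tag mismatch)."""
    try:
        open_credential(master_key, record)
    except InvalidTag:
        return True
    return False


def renamed(record: dict, new_name: str) -> dict:
    """A record copied under another credential's name: the AAD no longer matches."""
    return dict(record, name=new_name)


def flipped(record: dict) -> dict:
    """A record with one ciphertext byte altered on disk."""
    raw = bytearray(bytes.fromhex(record["ciphertext"]))
    raw[-1] ^= 0x01  # the trailing 16 bytes are the GCM tag; decryption must fail
    return dict(record, ciphertext=raw.hex())


if __name__ == "__main__":
    key = load_master_key()
    rec = seal_credential(key, "zendesk-api", {"token": "constructed-example-token"})
    print("stored:", rec["ciphertext"][:16] + "...")
    print("opened:", open_credential(key, rec))
    print("renamed rejected:", rejects(key, renamed(rec, "freshdesk-api")))
```

Binding the name as associated data is what turns "encrypted at rest" into "encrypted and tied to its slot": the Freshdesk job cannot be pointed at the Zendesk ciphertext by editing a row, and a flipped byte is detected rather than decrypted into garbage.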
TLS via Reverse Proxy
The server listens on plain HTTP at port 2200 by default. For production exposure, front it with nginx, Caddy, or a cloud load balancer to terminate TLS — or reach it over a Tailscale mesh where the transport is already encrypted. A built-in TLS listener is on the roadmap; today's recommended pattern is proxy-terminated TLS, the same model most enterprise Jetty deployments use.
One Credential Vault. Every Ingest Path.
InTouch ingests data through every shape that exists: HTTP webhooks pushed by a SaaS API, scheduled REST polls against systems without webhooks, SQL queries against your databases, file-arrival triggers on local or remote drives, FTP/SFTP fetches, S3 events. Outbound delivery covers eight channels (Email, Slack, Discord, Telegram, SMS, WhatsApp, Teams, LINE). All of them reference credentials by name from the same AES-256 vault. The Zendesk API token, the Salesforce OAuth refresh, the JDBC URL for the data warehouse, the Slack bot token, the SFTP key — every secret lives in one governed place. Tool authors never see the value. Job authors never see the value. The runtime injects it only when the tool actually executes.
Which means — and this is the architectural property worth noticing — adding a new data source is a credential entry, not a security review. When the business signs a deal that uses Freshdesk instead of Zendesk for support tickets, you don't open an integration project. You drop a Freshdesk credential into the vault, change the connection reference in the existing job, done. Same triage logic, same audit trail, same RBAC, different ingest endpoint. Multiply that by the next 30 systems your business will touch.
Every Call Is Authenticated
Session Tokens
Authentication mints a sessionId-magicNumber pair. Every subsequent REST call must carry it. Sessions track activity; idle sessions expire. Root admin can force-terminate any active session via /server/terminate-session.
Login Gate
/server/disable-logins closes the door globally during incident response or maintenance. Existing sessions stay valid; new logins are rejected until /server/enable-logins. Useful when the boring fix is "no new sessions until we patch."
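The session and login-gate behaviour described in the two sections above, as an added example that is not InTouch's implementation: a store that mints a session id plus a second secret, expires idle sessions, lets an admin terminate any session, and closes the gate to new logins while leaving existing sessions valid. The class, its method names and the injectable clock are assumptions made for the example; the password check is passed in as a boolean so the sketch does not depend on a bcrypt library.

```python
"""Session tokens with idle expiry, forced termination and a global login gate.
Added example, not InTouch's code."""
import secrets
import time


class SessionStore:
    def __init__(self, idle_seconds: int = 1800, clock=time.monotonic):
        self.idle = idle_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.logins_enabled = True
        self._sessions = {}  # session_id -> {"user", "magic", "last_seen"}

    def login(self, user: str, password_ok: bool):
        """Return (session_id, magic) or None. The gate is checked first."""
        if not self.logins_enabled:
            return None  # gate closed: new logins rejected, nothing else changes
        if not password_ok:
            return None
        sid = secrets.token_urlsafe(16)
        magic = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "magic": magic, "last_seen": self.clock()}
        return sid, magic

    def authenticate(self, sid: str, magic: str):
        """Validate a REST call's pair; returns the user or None and refreshes idle time."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if not secrets.compare_digest(s["magic"], magic):
            return None  # constant-time compare; no timing hint about the magic
        now = self.clock()
        if now - s["last_seen"] > self.idle:
            del self._sessions[sid]  # idle session: drop it rather than revive it
            return None
        s["last_seen"] = now
        return s["user"]

    def terminate(self, sid: str) -> bool:
        """Admin force-termination; True if a live session was removed."""
        return self._sessions.pop(sid, None) is not None

    def disable_logins(self):
        self.logins_enabled = False

    def enable_logins(self):
        self.logins_enabled = True

    def active_count(self) -> int:
        return len(self._sessions)
```

The ordering inside `authenticate` matters: an invalid second factor is rejected before the idle check touches state, and an expired session is removed on the failing call rather than refreshed.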
LDAP / Active Directory (Dept, Enterprise)
Bind against your existing directory. Publisher accounts map to LDAP users. Group membership syncs on login. No separate password store for the organization to forget about.
CyberArk Integration (Enterprise)
Credentials can be resolved from CyberArk at runtime instead of stored inline. InTouch holds the CyberArk lookup metadata; the vault holds the secret. Rotation is a CyberArk operation, not an InTouch re-deploy.
Role-Based Access Control, Done Right
Department and Enterprise editions unlock the full access-control model. Personal and Team keep it simple (all users are admins within the tenant) — no accidental lockouts for small teams.
Objects Have Owners
Every job, schedule, trigger, credential, skill, alert, runtime env, and subscriber has an owner and a group. Rights inherit through the group hierarchy unless explicitly overridden at the object level.
Per-Role Rights
Rights are read / update / execute / delete / admin, set per role against each object type. A user's effective rights come from their publisher rights, their group memberships, and the object's own rights matrix — evaluated on every request.
Project Isolation
On Department and Enterprise, jobs live in projects, projects live in jobsets. Cross-project visibility is a rights question, not a filesystem question. One server, many walled gardens, one audit log.
Every Action, Logged. Every Question, Answerable.
Job and Tool Logs
Every job execution writes a record with start time, end time, publisher, inputs, outputs, exit code, and tool-specific detail. Every tool inside the job writes its own record. Nothing fires anonymously.
Schedule / Trigger Fires
Every schedule fire and every trigger event is logged with the matched rule and the resulting job or skill invocation. The question "who ran the payroll export on the 15th?" has a first-page answer.
AI Calls
AI tool invocations across all 9 providers (Anthropic, OpenAI, Google Gemini, Mistral, Groq, DeepSeek, xAI, Hugging Face, Ollama) log the provider, the model, the input token count, the output token count, and the response. Budget tracking is a query, not a screenshot of the vendor's dashboard.
Session / Auth Events
Logins, logouts, forced-terminations, and login-gate toggles all write audit events. LDAP bind failures are captured. The security review wants these to exist, and they do.
The Boring Things That Stop Incidents
Collision Locks
Two schedule fires of the same job, overlapping? The second one waits or skips based on the job's collision rule. Prevents corrupted state from concurrent runs — the failure mode that every team rediscovers the hard way.
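A collision lock with the two rules the paragraph names, plus an unguarded baseline to show the failure mode, as an added example that is not InTouch's scheduler. The guard class, policy names and the simulated job body are constructed for the example.

```python
"""Per-job collision lock: 'skip' drops an overlapping fire, 'wait' queues it,
'none' is the unguarded baseline.  Added example, not InTouch's code."""
import threading
import time


class CollisionGuard:
    def __init__(self):
        self._locks = {}
        self._registry = threading.Lock()

    def _lock_for(self, job: str) -> threading.Lock:
        with self._registry:
            return self._locks.setdefault(job, threading.Lock())

    def fire(self, job: str, policy: str, body) -> str:
        """Run `body` for `job` under the job's collision rule; returns the outcome."""
        if policy == "none":
            body()
            return "ran"
        lock = self._lock_for(job)
        if policy == "skip":
            if not lock.acquire(blocking=False):
                return "skipped"  # another fire of this job is still running
        elif policy == "wait":
            lock.acquire()  # queue behind the running fire
        else:
            raise ValueError(f"unknown collision policy {policy!r}")
        try:
            body()
            return "ran"
        finally:
            lock.release()


def simulate(policy: str, fires: int = 3, work_seconds: float = 0.1) -> dict:
    """Fire the same job `fires` times at once and report how many ran, how many
    were skipped, and the peak number of bodies running concurrently."""
    guard = CollisionGuard()
    counters = {"active": 0, "peak": 0}
    counters_lock = threading.Lock()
    outcomes = []

    def body():
        with counters_lock:
            counters["active"] += 1
            counters["peak"] = max(counters["peak"], counters["active"])
        time.sleep(work_seconds)  # stands in for the job's real work
        with counters_lock:
            counters["active"] -= 1

    def worker():
        outcomes.append(guard.fire("payroll-export", policy, body))

    threads = [threading.Thread(target=worker) for _ in range(fires)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "ran": outcomes.count("ran"),
        "skipped": outcomes.count("skipped"),
        "peak_concurrency": counters["peak"],
    }


if __name__ == "__main__":
    for policy in ("none", "skip", "wait"):
        print(policy, simulate(policy))
```

`peak_concurrency` is the number to watch: anything above 1 means two runs touched shared state at the same time, which is exactly what the lock exists to prevent.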
AI Safety Preamble
Every AI call prepends a safety preamble — prompt injection resistance, refusal guidance, output-format expectations. You can override it per tool when you need bare-metal prompts, but the default is "don't let a user message rewrite your assistant."
Never Log Secrets
Credential payloads are redacted in all logs — tool logs, audit logs, debug logs. The vault never leaks through the log file, no matter how verbose the operator makes things.
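One way to enforce the redaction rule above at the logging layer, as an added example rather than InTouch's own code: a `logging.Filter` attached to the logger scrubs every known vault value and any `password=`/`token=`-style pair before any handler formats the record, regardless of verbosity. The logger name, the key-pattern regex and the sample messages are constructed for the example.

```python
"""Log redaction filter: known secret values and key=value secrets are
replaced before any handler writes them.  Added example, not InTouch's code."""
import io
import logging
import re


class SecretRedactor(logging.Filter):
    # Catches "password=hunter2", "token: 'abc'", "api_key=xyz" and similar
    KEY_PATTERN = re.compile(
        r'(?i)\b(password|token|secret|api[_-]?key)(\s*[=:]\s*)(["\']?)([^\s"\',;]+)\3'
    )

    def __init__(self, secrets):
        super().__init__()
        # Longest first so a value that contains another value is scrubbed whole
        self._secrets = sorted((s for s in secrets if s), key=len, reverse=True)

    def scrub(self, text: str) -> str:
        for s in self._secrets:
            text = text.replace(s, "[REDACTED]")
        return self.KEY_PATTERN.sub(r"\1\2\3[REDACTED]\3", text)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format args now, then scrub the finished message so values passed as
        # %s arguments are covered too; clear args so handlers do not re-format.
        record.msg = self.scrub(record.getMessage())
        record.args = ()
        return True


def logged_lines(secrets, messages):
    """Log each (msg, *args) tuple through a redacting logger; return the output lines."""
    buf = io.StringIO()
    logger = logging.getLogger("intouch.example")  # hypothetical logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    # Filter on the logger, not the handler, so every handler sees scrubbed records
    logger.addFilter(SecretRedactor(secrets))
    for msg, *args in messages:
        logger.info(msg, *args)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in logged_lines(
        ["constructed-zendesk-token-123"],
        [("calling Zendesk with %s", "constructed-zendesk-token-123"),
         ("jdbc url password=hunter2 user=app",)],
    ):
        print(line)
```

The value-based pass is the one that actually guarantees "the vault never leaks": the regex only catches the conventional spellings, whereas a vault that registers every secret it has decrypted catches the token however the tool chose to print it.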
Security by Edition
| Capability | Personal | Team | Department | Enterprise |
|---|---|---|---|---|
| AES-256 credential vault | ✓ | ✓ | ✓ | ✓ |
| bcrypt password hashing | ✓ | ✓ | ✓ | ✓ |
| Session tokens + login gate | ✓ | ✓ | ✓ | ✓ |
| Full audit trail | ✓ | ✓ | ✓ | ✓ |
| Multi-user | — | ✓ | ✓ | ✓ |
| RBAC with per-object rights | — | — | ✓ | ✓ |
| LDAP / Active Directory | — | — | ✓ | ✓ |
| CyberArk integration | — | — | ✓ | ✓ |
| Project / jobset isolation | — | — | ✓ | ✓ |
Security That Passes the Review
Walk into your next enterprise security review with answers, not apologies.