Security & trust

Built to clear procurement, InfoSec, and legal.

IIVY runs a project's real phone, text, and email correspondence, so trust isn't a feature — it's the architecture. Data is siloed per project and private per principal from the first contact; every action is disclosed, logged, and governed by the guardrails you set; and the record is append-only and evidence-linked, so it can be trusted precisely because it can't be quietly rewritten.

The controls

How access actually works on a shared job.

Large orgs assign and revoke access constantly — subs roll on, consultants roll off, a trade needs one folder and nothing else. IIVY is built for exactly that, with fail-closed gates enforced in the database, not the prompt.

Isolation
Per-project siloing
Each project is its own silo. Nothing crosses from one job to another — no shared index, no cross-tenant retrieval, no leakage between clients.
Privacy
Per-principal, fail-closed
Each person sees only what they're granted. Visibility is enforced by fail-closed database gates on files, threads, and chats — deny by default, allow by grant.
Access control
Granular grants, clean revoke
Multi-tier sharing with per-member grants and per-member usage and billing. Invite someone to exactly what they need; revoke it cleanly the moment they roll off, and their access cascades closed.
Identity
Canonical, per person
One identity per human across every channel, so a grant, a block, or a revocation applies everywhere that person reaches the project — not per-address whack-a-mole.
Autonomy, on your terms

Full autonomy — that still can't run away.

IIVY runs the job on its own. What you control is the leash: what it can send, to whom, and when — enforced by which capabilities are switched on, not by asking the model to behave.

Your call
Fully autonomous, or draft-first
Run IIVY autonomous end-to-end, or require one-tap approval on anything it sends — set it per category, per project. You decide; it obeys.
Disclosed
Never impersonates a person
Every call, text, and email is disclosed as IIVY on first contact. No hidden automation, no pretending to be your PM.
Kill switch
Off means off, server-side
One switch stops new work, purges the queue, and is re-checked at send time — effective immediately, in the database.
Governed
Bounded by your rules
Every send respects your caps, quiet hours, and allowlists — so autonomous never means unbounded.
The record

Append-only, evidence-linked, claims-grade.

The journal has no edit path. Every entry — event, evidence, decision, outcome — is written as it happens and linked by citation to the exact document or message that proves it. A correction is a new, marked entry; the original stays visible. That's what makes it defensible.

Correspondence, done right

Consent, opt-out, and quiet hours are part of the design.

IIVY runs on the channels the job already uses, and it respects the rules that govern them.

Scoped addresses & numbers
One inbox per project
Every project gets its own email address; users get provisioned local SMS and voice numbers. Correspondence is scoped to the job, not lost in a shared inbox.
Consent & opt-out
Captured and honored
Text consent is captured at invite and every conversation is opt-out aware (STOP), aligned to A2P 10DLC, CASL, and TCPA obligations.
Quiet hours
No 3am texts
Outbound texts respect project-local quiet hours; out-of-window messages queue for morning. One 3am text torches trust once.
Loop protection
No runaway sends
Per-thread and per-project send caps, plus agent-aware headers, prevent mail loops and reply-all storms — even unattended, overnight.
Straight answers

Where formal compliance stands.

The architecture above is how the system is built today. Formal certifications and enterprise controls (SOC 2, SSO/SAML, a signed DPA, and data-residency options) are on our roadmap — the enterprise brief lays out exactly what's in place now and what's in flight. We'd rather tell you the truth than show you a badge we haven't earned.

For the committee

Get the enterprise brief.

A security and rollout one-pager for procurement, InfoSec, and legal — the current controls, the roadmap, and how a scoped pilot starts and stays reversible.