Security & Governance
Squad is built for high-stakes environments where AI actions require oversight, traceability, and strict access controls. Security is layered throughout the platform.
Authentication
Squad integrates with your organisation’s identity provider via standard protocols.
- Protocol: OAuth2/OIDC (industry standard)
- SSO: SAML and OIDC integration with your existing identity provider
- Token format: JWT with configurable expiry
- Scope: All API endpoints require authentication unless explicitly whitelisted (health checks, OAuth config)
Authorisation
Fine-grained role-based access control is enforced at two levels:
API-Level Permissions
| Permission | Grants Access To |
|---|---|
EXECUTE_WORKFLOW | Execute workflow templates |
MANAGE_QUERIES | Approve, reject, amend queries |
VIEW_HISTORY | Access session and review history |
ADMIN | Full system access |
Tool-Level Access
| Role | Access |
|---|---|
| Administrator | All tools including write operations |
| Standard user | Read-only tools only |
AI Safety Controls
Security Review
Deterministic (not LLM-based) security checks are applied to every generated query. Dangerous operations are blocked regardless of user role. This enforcement is consistent and cannot be bypassed.
Risk-Aware Routing
Queries can carry a risk level. High-risk queries without a strong match to a proven, approved template are automatically declined: they never reach the execution stage.
Dynamic Tool Validation
When the system generates new tools, the code undergoes static analysis with restricted imports and execution constraints before being persisted.
Data Protection
Data at Rest
All data stores are protected with authentication. Encryption at rest is configured per your deployment model and compliance requirements.
Data in Transit
TLS encryption is applied to all external-facing connections. Internal service communication is isolated within the platform’s network boundary.
Audit Trail
Every interaction with the platform is fully traceable:
- Correlation ID: Unique identifier per execution, flows through all logs and events
- Structured logging: Session, user, and event type metadata
- Persistent records: Every interaction is recorded for compliance and investigation
- Real-time events: Include correlation IDs for client-side trace reconstruction
The audit trail is immutable: events are append-only with no deletion mechanism.
Compliance
Squad’s security controls are designed to support compliance with common regulatory frameworks. During onboarding, our team works with you to configure the platform to meet your specific compliance requirements.
For questions about specific compliance certifications or security assessments, contact our team.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly:
- Email: security@squadai.uk
- Do not open public issues for security vulnerabilities
Next Steps
- Guardrails & Safety: AI-specific safety controls in depth
- Human-in-the-Loop: manual oversight workflows
- API Reference: authentication and authorisation details