Enterprise

Security & Compliance

How Tailor protects your documents, controls agent access, and meets enterprise compliance requirements.

Authentication

3 methods

Tailor supports three authentication methods depending on the integration context.

JWT Tokens

Browser sessions

Issued on login for web application sessions. Stored as HTTP-only cookies with short expiry and automatic refresh.

API Keys

Agents & CI/CD

Prefixed with tailor_sk_ for easy identification. Scoped, rotatable, and revocable.

API key header
Authorization: Bearer tailor_sk_YOUR_KEY

OAuth / M365

Enterprise SSO

Microsoft 365 integration via OAuth 2.0 authorization code flow. Supports tenant-restricted sign-in and automatic org provisioning.

API Key Scopes

Granular access

API keys are scoped to limit what agents and integrations can access. Apply the principle of least privilege.

Scope            Grants
documents:read   List, download, and view document metadata
documents:write  Upload, delete, tag, and share documents
tap:read         Read TAP state — agents, proposals, events, sections
tap:write        Join, propose, vote, lock, escalate via TAP
comments:read    List and view comments
comments:write   Add and resolve comments
reviews:read     List reviews and review status
reviews:write    Accept and submit reviews
admin:read       List orgs, users, domains, and keys
admin:write      Create/modify orgs, users, domains, BYOK settings

Create a scoped key
tailor keys create --name "CI Reader" --scopes documents:read,tap:read --expires 90
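
A pre-flight check for key requests, as an added example that is not part of Tailor's tooling: it parses a `tailor keys create` command line like the one above and reports scopes that are unknown or broader than the integration needs. The `needed` allow-list and the `MAX_EXPIRES` ceiling are assumed local policy, not Tailor limits.

```python
import shlex

# The ten scope names from the table above.
KNOWN_SCOPES = {
    f"{resource}:{mode}"
    for resource in ("documents", "tap", "comments", "reviews", "admin")
    for mode in ("read", "write")
}
MAX_EXPIRES = 90  # assumed local ceiling, in whatever unit --expires takes


def parse_key_command(command):
    """Return the --flag values of a `tailor keys create` command line."""
    argv = shlex.split(command)
    if argv[:3] != ["tailor", "keys", "create"]:
        raise ValueError("not a `tailor keys create` command")
    rest = argv[3:]
    if len(rest) % 2 or not all(f.startswith("--") for f in rest[::2]):
        raise ValueError("expected --flag value pairs")
    return {flag[2:]: value for flag, value in zip(rest[::2], rest[1::2])}


def lint_key_command(command, needed):
    """List least-privilege findings; an empty list means the key passes."""
    opts = parse_key_command(command)
    findings = []
    scopes = [s for s in opts.get("scopes", "").split(",") if s]
    if not scopes:
        findings.append("no scopes requested")
    for scope in scopes:
        if scope not in KNOWN_SCOPES:
            findings.append(f"unknown scope: {scope}")
        elif scope not in needed:
            findings.append(f"not needed by this integration: {scope}")
    expires = opts.get("expires", "")
    if not expires.isdigit():
        findings.append("missing or non-numeric --expires")
    elif int(expires) > MAX_EXPIRES:
        findings.append(f"--expires {expires} exceeds ceiling {MAX_EXPIRES}")
    return findings


if __name__ == "__main__":
    needed = {"documents:read", "tap:read"}  # constructed allow-list for a CI reader
    ok = 'tailor keys create --name "CI Reader" --scopes documents:read,tap:read --expires 90'
    broad = 'tailor keys create --name "CI" --scopes documents:read,admin:write,docs:read --expires 365'
    print(lint_key_command(ok, needed))
    print(lint_key_command(broad, needed))
```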

Encryption

In Transit

All connections enforce TLS 1.2+. HTTP is rejected at the edge. Internal service-to-service traffic uses mTLS within the Azure virtual network.

At Rest

Documents stored in Azure Blob Storage with AES-256 encryption. Database fields encrypted at the storage layer. Encryption keys managed via Azure Key Vault with automatic rotation.

Key Management

Azure Key Vault HSM-backed keys with automatic rotation, audit logging, and RBAC access policies. Supports customer-managed keys (BYOK).

Bring Your Own Key (BYOK)

Enterprise

Enterprise customers can provision their own encryption keys via Azure Key Vault. Documents are encrypted with your key — Tailor never has access to the raw key material.

Provision a customer-managed key
tailor admin byok-set --key-vault-uri https://your-vault.vault.azure.net/keys/tailor-key

How it works

  1. You create an RSA key in your own Azure Key Vault
  2. Grant Tailor's managed identity wrap/unwrap permissions
  3. Run tailor admin byok-set to register the key
  4. All new documents are encrypted with your key. Revoke access at any time.

Information Barriers (TAP)

Multi-agent

TAP Information Barriers control which agents can see which document sections — enabling multi-party collaboration on sensitive documents without information leakage.

Classification Frameworks

Define sensitivity levels (e.g. Public, Internal, Confidential, Restricted)

Section Classification

Tag individual sections with a classification level

Agent Clearance

Grant agents access to specific classification levels

Org Isolation

Agents from different orgs cannot see each other's sections

Create a classification framework
tailor tap framework create --name "Sensitivity" \
  --levels "Public,Internal,Confidential,Restricted"

Classify a document section
tailor tap classify --section sec:financials --level Confidential

Grant agent clearance
tailor tap clearance --agent agt:compliance-bot --level Confidential
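
A model of the visibility decision these settings imply, as an added example that is not Tailor's implementation. It assumes the levels are ordered as listed, that a clearance covers its own level and every level below it, and that each section has one owning org; unclassified sections and agents without a recognised clearance are handled fail-closed.

```python
from dataclasses import dataclass
from typing import Optional

# Levels from the page's example framework, least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]

@dataclass(frozen=True)
class Section:
    id: str
    org: str                # assumed: each section has one owning org
    level: Optional[str]    # None means nobody has classified it yet

@dataclass(frozen=True)
class Agent:
    id: str
    org: str
    clearance: Optional[str]

def section_rank(level):
    """Unclassified or unrecognised sections count as the top level."""
    return LEVELS.index(level) if level in LEVELS else len(LEVELS) - 1

def agent_rank(clearance):
    """Agents with no recognised clearance rank below every level."""
    return LEVELS.index(clearance) if clearance in LEVELS else -1

def visible_sections(agent, sections):
    """IDs of the sections this agent may read, in document order."""
    return [
        s.id for s in sections
        if s.org == agent.org                                     # org isolation
        and section_rank(s.level) <= agent_rank(agent.clearance)  # clearance
    ]

# Constructed sample; only sec:financials and agt:compliance-bot appear on the page.
DOC = [
    Section("sec:summary", "org-a", "Public"),
    Section("sec:financials", "org-a", "Confidential"),
    Section("sec:board-notes", "org-a", "Restricted"),
    Section("sec:draft", "org-a", None),
    Section("sec:counterparty", "org-b", "Public"),
]
BOT = Agent("agt:compliance-bot", "org-a", "Confidential")

if __name__ == "__main__":
    print(visible_sections(BOT, DOC))
```

The unclassified `sec:draft` is withheld from the Confidential-cleared agent because it is ranked as Restricted until someone classifies it.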

Trust Levels

4 levels

Every TAP agent operates at a trust level that determines what actions they can perform. Trust is assigned when an agent joins a document.

Level         Permissions                                   Use case
Observer      Read-only access to document and TAP state    Monitoring, auditing
Suggester     Propose edits and declare intents             Junior agents, external reviewers
Collaborator  Propose + vote on proposals                   Trusted agents, internal reviewers
Autonomous    Propose + vote + auto-merge when aligned      Highly trusted agents with proven track record

Join with a specific trust level
tailor tap join <docId> --as "compliance-bot" --role editor --trust collaborator

Audit Trail

Event-sourced

Every TAP action — joins, proposals, votes, locks, escalations — is recorded as an immutable TailorEvent. The event log is append-only and cannot be modified or deleted.

View event history
tailor tap events <docId>

Poll for new events since a timestamp
tailor tap poll <docId> --since 1708900000000

Recorded events include

  • Agent joined / left
  • Proposal created
  • Proposal approved / rejected
  • Section locked / unlocked
  • Intent declared
  • Constraint published
  • Escalation raised
  • Classification changed
  • Clearance granted

Data Residency

Australia

All Tailor data is hosted in Azure Australia East (Sydney). Document content, metadata, user data, and event logs never leave the Australian region.

Guarantees

  • No cross-region data transfers — all processing in Azure Australia East
  • Compliant with Australian data sovereignty requirements
  • Azure region lock prevents accidental geo-replication
  • Backups stored within the same Azure region

Compliance

SOC 2 Type II

In progress

Audit covering security, availability, and confidentiality trust service criteria. Expected completion Q3 2026.

ISO 27001 Alignment

Security controls aligned with ISO 27001 Annex A. Risk assessments, access control policies, and incident response procedures follow the framework.

GDPR

Data processing agreements available. Right to erasure, data portability, and consent management supported. Personal data processing limited to what is necessary for service delivery.