Security

• Task chat (Motionode chat)
• Per-task wireframes (Excalidraw-based)
• Per-task video calls (Dyte-based)

• Network controls (firewalling and restricted access to services)
• Encrypted storage for persistent data and backups
• Environment separation between production and non-production systems
• Operational monitoring for availability and suspicious patterns
• Backups designed to support restoration in case of failure

Hosting provider: DigitalOcean (U.S. regions by default). If you need a specific data region requirement, contact us.

• Authenticated access for all user actions that touch workspace data
• Role-based permissions at the org/project level (owner/admin/member/guest)
• Least-privilege access patterns: users only see and act on data they're permitted to access
• Session protections including expiration and secure cookie/token handling

• Org/project scoping is enforced in the application layer
• Data access is restricted by tenant boundaries in queries and APIs
• Permissions are validated server-side (not only in the UI)

• In transit: TLS for browser↔API and service↔service communication
• At rest: encryption for stored workspace data, backups, and sensitive configuration
• Secrets protection: sensitive values are handled as secrets, not plaintext configuration

• Encrypted at rest before storage
• Not intentionally logged (logs are designed to avoid secrets and payload leakage)
• Used only when needed to perform the requested action (export, sync, generate)
• Scope recommendations: we recommend using least-privilege tokens wherever possible

If you prefer not to store any credentials in Motionode, you can use features that support Bring Your Own Key or limit integrations to exports.

The platform's core scheduling and delivery modeling is deterministic. AI is used where it helps (e.g., clarifying missing details, generating plan-aware outputs).

Motionode supports using your own API keys for OpenAI and Anthropic (Claude). When BYO is enabled:

• Requests are made using your credentials
• Motionode sends only the minimum data required for the feature
• Motionode does not use customer data to train public models

• Video calls are powered by Dyte (when you start a call)
• Wireframes are powered by Excalidraw-based tooling (when you open a wireframe)

Motionode stores the references and metadata required to attach these to tasks. The underlying media/collaboration data is handled by the respective provider during usage.

• Rate limits on APIs and sensitive endpoints
• Monitoring for unusual request patterns
• Protective controls designed to throttle suspicious traffic while allowing normal usage

• Operational logging is used to maintain reliability and troubleshoot issues
• Sensitive fields are avoided in logs by design
• Security events are triaged and investigated; we take prompt action to contain impact

If we become aware of a material security incident affecting customer data, we will notify impacted customers with available details and recommended actions.

• Workspace data is retained to provide the service
• Customers can request deletion of their workspace data
• We honor deletion requests consistent with legal, security, and operational requirements

For requests, contact: security@motionode.com