Security by design, governance by default.
Sunbeat keeps public intake separated from operational systems and treats sensitive actions as controlled workflow steps.
Submitters interact with the intake surface only — not Airtable, Drive or any internal service. Form structure and routing stay server-side.
- No Airtable credentials exposed to the browser
- No Drive tokens in client code
- Routing and schema validation run server-side
API keys, integration tokens and service credentials never reach client code. All integrations run through server-side services with least-privilege access.
- Credentials scoped to least privilege
- Tokens never sent to the browser
- Integration calls proxied through server routes
AI can suggest, validate and draft operational context. It cannot approve requests, publish changes or execute irreversible actions without explicit human confirmation.
- AI suggests — humans confirm
- No autonomous publishing
- No autonomous approval
Workspaces, workflow settings, branding and field mappings are treated as tenant configuration boundaries. Each operation's context is scoped to its workspace.
- Workspace-scoped settings
- Branding and mappings isolated per tenant
- No cross-workspace data leakage by design
No inflated security claims.
We do not claim certifications or guarantees that are not documented. If your organization needs a specific requirement, we review it explicitly during setup.
- No SOC 2 certification claim
- No HIPAA certification claim
- No autonomous AI approval
- No autonomous publishing
Review security for your operation.
We can walk through how Sunbeat handles data, access and integrations for your specific setup.