Data Protection in the Age of AI Read more

AI that works for you, on your terms

Full control over what your AI agents can access, create, and send. Every action auditable. Every permission configurable. Every byte encrypted.

Tenant Isolation

Your Data, Completely Separated

Every organisation's data is completely isolated. Your contacts, emails, notes, and CRM records are never mixed with another team's data. This isn't just a setting. It's enforced at the deepest level of the database, on every single request.

SELECT * FROM contactsWHERE org_id = 'acme'

AAcme Corp

👤

Contacts847

📧

Emails2,103

📝

Notes394

🏢

Companies126

NNovaflux

👤

Contacts312

📧

Emails891

📝

Notes157

🏢

Companies48

Query-level isolation enforced4 rows returned

Encryption

Encrypted at Every Step

Your data is encrypted whenever it moves between systems and whenever it's stored. Files are encrypted using industry-standard cloud security, with each encryption tied to your specific account. Email credentials are encrypted separately before they ever touch the database.

Encryption Layers

In Transit

TLS 1.3 HSTS preloadSecure cookies

At Rest. FilesAWS KMS

context: user=bastiaan org=acme env=prod

CredentialsFernet

smtp_pass:gAAAAA...Bk3xQ==

Permission Matrix

You Decide What Your Agent Can Do

Set exactly what your AI agent is allowed to do, for every type of data and every action. Allow it to run freely, require your approval first, or block it entirely. No blanket access. You're always in control.

Configure Permission

Email Send · Create

Allow

Agent can execute without approval

Require Approval

Action pauses until admin reviews

Deny

Agent cannot perform this action

12 rules configured

4 allow 6 approval 2 deny

Approval Flow

Nothing Happens Without Your Say-So

When an agent action needs approval, it pauses and waits. Your team sees exactly what the agent wants to do, including full email previews, before anything is sent or changed. Approve or reject with a note. Requests that nobody reviews expire automatically after 14 days.

Approval Lifecycle

Requested

Send outreach email to Eva Lindström

Outreach email

10:23 AM · Agent Klaus

Pending Review

14d auto-expiry

To: eva.lindstrom@novaflux.io

Subject: Following up on our conversation

Hi Eva, I wanted to follow up on...

Approved

by Bastiaan · “Looks good, send it.”

Ready to send

10:31 AM

Executed

Email sent successfully

10:31 AM

API Security

API Keys Built for Security

Every API key is split into two parts: a visible identifier and a secret that's immediately encrypted beyond recovery. The original secret is never stored. Only a secure fingerprint is kept. Even if someone accessed our database, they couldn't recover your keys.

API Key ArchitectureSplit-credential design

dlft_pub_a3xK9m

•••••••••••••••

Prefix. Stored for identification

Secret. Hashed, never persisted

on creation

secret

hash + salt

argon2id

stored

$argon2id$v=19...

Constant-time comparison on every verification

Email Filtering

Only Trusted Senders Reach Your Agent

Your agent only processes emails from senders you've explicitly approved. Everyone else is filtered out before the agent ever sees them. Email credentials are stored encrypted and are never visible through the API.

Inbound Filtering

3 approved senders

Eva Lindström10:23 AM

Re: Partnership proposal for Q3

Allowed

Marco Bellini10:18 AM

Updated pricing sheet attached

Allowed

newsletter@spam.co10:15 AM

🔥 Limited time offer!

Filtered

Sanne de Wit9:47 AM

Intro: Peakstack x datalyft

Allowed

unknown@cold.net9:30 AM

Quick question about your API

Filtered

3 delivered to agent · 2 filtered

Access Control

Clear Roles, Clear Boundaries

Every user has a role: admin, developer, or user. Only admins can manage agent permissions, approve actions, or change organisation settings. These boundaries are enforced everywhere, not just in the interface, but in the backend too.

Role-Based Access

AdminFull access

Agent permissionsApproval queueOrg settingsFull CRMAPI keys

Developer

API keysWebhooksAgent configCRM workspace

User

CRM workspaceAnalyticsOwn contacts

Infrastructure

Locked Down at the Infrastructure Level

We enforce strict browser security policies that prevent clickjacking, data sniffing, and other common web attacks. External access is restricted to our own domains. These protections are always on, no exceptions.

Security Audit

All passing

X-Frame-Options

DENY

Strict-Transport-Security

max-age=31536000; includeSubDomains; preload

X-Content-Type-Options

nosniff

Referrer-Policy

strict-origin-when-cross-origin

Permissions-Policy

camera=(), microphone=(), geolocation=()

Access-Control-Allow-Origin

*.datalyft.io

Production: *.datalyft.io6/6 headers enforced

How datalyft protects your data

Your data is completely separated from other organisations
All connections encrypted with strict transport security
Files encrypted with dedicated cloud keys tied to your account
Stored credentials encrypted with a separate encryption layer
API secrets irreversibly encrypted, never stored in plain text
Per-resource, per-action control over what your agent can do
Agent actions pause for your approval, with 14-day auto-expiry
Three user roles (admin / developer / user) with enforced boundaries
Only approved email senders reach your agent
Full audit trail: who did what, when, and what happened

Get early access

Join founders and sales teams who let AI fill their pipeline.

No credit card required
Human approval before AI acts
Built and hosted in Europe

Early access

Be among the first to use an AI-powered CRM.

Founding Users Benefit

Get access to the private beta, direct input into our roadmap and custom integrations.