
How integration permissions and security work

Learn how security works when connecting to external applications within elvex

Updated yesterday

Understanding how elvex handles integration permissions and security is crucial for safely connecting your external systems. This guide explains the permission hierarchy, data handling practices, and security considerations for integrations.

The permission system

elvex uses a two-tier permission system that ensures proper access control and security:

Company admin level

Company administrators control which integrations their users can access and connect to.

What company admins control:

  • Enabling or disabling integrations for all users in their company

  • Managing company-level integration connections (where supported)

  • Configuring integration scope and permissions for their organization

  • Viewing which users have connected to various integrations

User level

Individual users control their personal connections to integrations that have been enabled by their company admin.

What users control:

  • Connecting their personal accounts to available integrations

  • Configuring the scope of permissions for their connections

  • Enabling specific actions for their assistants

  • Disconnecting their personal integrations

Personal vs company-level connections

elvex supports two types of integration connections, each with different security implications:

Personal connections

Most integrations work through personal connections where each user connects their individual account.

How personal connections work:

  • Each user authenticates with their own credentials

  • Users only see data they have permission to access in the external system

  • Connections are completely isolated between users

  • No user can access another user's connected data

Security benefits:

  • Maintains individual privacy boundaries

  • Respects existing permissions in external systems

  • Provides clear audit trails for individual actions

  • Reduces risk of unauthorized data access

Company-level connections

Some integrations can be set up at the company level using shared credentials or service accounts.

How company-level connections work:

  • Company admin sets up the connection using shared credentials

  • All users can access the same integration instance

  • Data access still depends on individual user permissions within elvex

  • Users must still enable the integration for their specific assistants

πŸ” Important security note:
Even with company-level connections, each user must set up their own connection to use the integration. The company-level setup only makes the integration available - it doesn't automatically grant access to all users.

Permission inheritance and scoping

How permissions work

When you connect an integration, elvex inherits your existing permissions from that system:

Example with Salesforce:

  • If you can only view certain accounts in Salesforce, elvex can only access those same accounts

  • If you don't have permission to delete records, elvex cannot delete records on your behalf

  • Your Salesforce admin's permission settings apply to elvex's access

Configuring integration scope

During the connection process, you can configure which permissions elvex receives:

OAuth permission selection:

  • External services (like Gmail) show permission requests during connection

  • You can accept or deny specific permission scopes

  • You can modify these permissions later through integration settings

Scope management:

  • You can adjust integration scope after connection through

  • Reducing scope limits what elvex can do with that integration

  • Expanding scope may require re-authentication with the external service

Security best practices

For individual users

  • Principle of least privilege: Only grant the minimum permissions needed for your use case

  • Regular review: Periodically review your connected integrations and their permissions

  • Scope limitation: Configure integration scope to match your actual needs

  • Monitor usage: Check your conversation history to see how your integrations are being used
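The layered checks described in this guide, together with the least-privilege review recommended above, can be modeled as follows. This is an added example, not elvex code or an elvex API: the action names, the `Connection` structure and the sample data are constructed for illustration, and only the Gmail scope URLs are real values.

```python
from dataclasses import dataclass, field

# Hypothetical action -> required OAuth scope map. The scope strings are real
# Gmail scopes; the action names are invented for this example.
REQUIRED_SCOPE = {
    "read_email": "https://www.googleapis.com/auth/gmail.readonly",
    "send_email": "https://www.googleapis.com/auth/gmail.send",
}

@dataclass
class Connection:
    user: str
    integration: str
    granted_scopes: set
    assistant_actions: set = field(default_factory=set)  # actions the user enabled

def decide(action, integration, conn, company_enabled):
    """Return (allowed, reason); every gate must pass, first failure wins."""
    if integration not in company_enabled:
        return False, "integration disabled by company admin"
    if conn is None or conn.integration != integration:
        return False, "user has no personal connection"
    if action not in conn.assistant_actions:
        return False, "action not enabled for this assistant"
    if REQUIRED_SCOPE.get(action) not in conn.granted_scopes:
        return False, "OAuth scope not granted"
    # The external system still applies the user's own permissions after this.
    return True, "allowed"

def unused_scopes(conn):
    """Scopes granted but not needed by any enabled action: candidates to revoke."""
    needed = {REQUIRED_SCOPE[a] for a in conn.assistant_actions if a in REQUIRED_SCOPE}
    return sorted(conn.granted_scopes - needed)

# Constructed sample data: the admin enabled Gmail; alice granted two scopes
# but only enabled reading for her assistant.
COMPANY_ENABLED = {"gmail"}
ALICE = Connection(
    user="alice", integration="gmail",
    granted_scopes={REQUIRED_SCOPE["read_email"], REQUIRED_SCOPE["send_email"]},
    assistant_actions={"read_email"},
)

if __name__ == "__main__":
    for action in ("read_email", "send_email"):
        print(action, decide(action, "gmail", ALICE, COMPANY_ENABLED))
    print("no connection:", decide("read_email", "gmail", None, COMPANY_ENABLED))
    print("revoke candidates:", unused_scopes(ALICE))
```

In this sample the send scope is granted but no enabled action needs it, so it shows up as a revocation candidate during a periodic review.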

For company administrators

  • Enable selectively: Only enable integrations that your organization actually needs

  • Security alignment: Ensure enabled integrations align with your company's security policies

  • User communication: Inform users when you enable or disable integrations

  • Regular audits: Periodically review which integrations are enabled and how they're being used

For all users

  • Secure external accounts: Ensure your external service accounts use strong authentication

  • Monitor external services: Check your external service activity logs for elvex usage

  • Report issues: Contact support if you notice unexpected integration behavior

  • Keep credentials current: Update passwords and authentication tokens as needed

Authentication and security standards

Authentication methods

elvex uses industry-standard OAuth 2.0 for integration authentication:

  • OAuth 2.0: Secure, token-based authentication without sharing passwords

  • Encrypted storage: Connection credentials are encrypted and securely stored

  • Token management: Authentication tokens are automatically managed and refreshed

Security certifications

  • SOC 2 certified: elvex meets SOC 2 security standards for data protection

  • Encrypted connections: All integration communications use secure, encrypted channels

  • Third-party security: Integration API calls are handled by Paragon, which manages rate limiting and security

Understanding these security principles helps you make informed decisions about which integrations to connect and how to configure them safely for your specific needs.
