Trust Center

Local-first security, by design

Trust is enforced by structure, not declared on a page. Every tenant is isolated, every action is audit-logged, every credential is owner-held, and no cloud round-trip is required to operate.

Security Model

Local-first

Apiaries runs on your hardware. Federation and cloud round-trips are explicit and opt-in.

Tenant isolation

Every record carries a tenant ID. Cross-tenant access requires explicit, audited grants.

Owner-held keys

Operators hold credentials. Escalation is policy-bound, not vendor-discretionary.

Data Boundaries

Tenant scope

Tenant data is structurally isolated at the storage and service layer. Joins across tenants require an explicit, audit-stamped escalation.

Backups

Encrypted backups go to operator-controlled targets — local NAS, external volume, or operator-managed object store. No vendor backup vault.

Memory hive

Agent context is tenant-scoped. Operators decide what's retrievable and what's off-limits, per role.

Audit Logs

Property	Detail
Append-only	Audit events are immutable. Rewriting requires explicit operator action and is itself audited.
Per-tenant	Every event is tagged with tenant, actor, scope, and outcome.
Replayable	Operators can replay an event window for incident review or compliance export.
Retention	Tenant-controlled retention. No vendor-imposed minimum or vendor-mandated deletion.

Secrets Policy

No hardcoded secrets in any service or module
Secrets stored in operator-controlled vault
Per-tenant credentials, scoped and revocable
No shared API keys across tenants
Rotation events emit audit log entries

Role-Based Access

Owner / manager / clerk / tech / admin
Per-tenant role assignments
Permissions enforced at the service layer
Role changes are audit events
Out-of-band escalation is policy-gated

Agent Permissions

Agent	Default scope	May escalate?	Audited
eBee	tenant onboarding, readiness, audit preview	via operator approval	yes
Hermes	routing tenant-scoped messages and events	no	yes
WAZ	operations, drift detection, health	via operator approval	yes
Zero	autonomous module work, ledger writes	via operator approval	yes
OpenClaw	model gateway, policy-routed inference	no	yes

Support Escalation Policy

Apiaries support engineers do not have standing access to tenant data. Access is requested per incident, granted by an operator, scoped to the smallest necessary surface, time-bounded, and audit-logged. eBee surfaces every access request to the owner before it is honored.

Per-incident, time-bounded access tokens
Operator approval required before any read
Every access event is audit-logged with engineer ID
Operators may revoke access at any time
Critical-plan customers receive named engineer assignments

Questions about how Apiaries handles your data?

eBee can walk through the security model and produce a tenant-scoped trust report for your operator or auditor.

Contact security Talk to eBee