Security Best Practices

December 28, 2024

This guide covers security best practices for individuals and organizations using Blast Office.

Permissions Configuration

Filesystem Access

  • Keep filesystem access disabled by default — enable it only when needed
  • When granting access, restrict it to specific directories rather than the entire filesystem
  • Review filesystem permissions regularly

Internet Access

  • Consider restricting internet access for users who work with sensitive data
  • Use domain allowlists to limit which sites the AI can access

Tool Access

  • Review which AI tools are enabled and disable any that aren’t needed
  • Lua scripting, while sandboxed, should be disabled if not required by your workflow

Logging

Individual Users

  • Logging is off by default for individual users
  • Consider enabling local logging for personal record-keeping

Organizations

  • Logging is on by default for organizations — review this setting
  • Server-side logging can be enabled for compliance and auditing
  • Ensure logging policies align with your data retention requirements

Content Safety

Blast Office includes built-in content safety filters:

  • Flagged conversations are handled according to content safety policies
  • Organizations can configure content safety settings to match their requirements
  • Review flagged content regularly to ensure the system is working correctly

Lua Sandbox Security

The Lua scripting environment is sandboxed with:

  • 10MB memory limit — prevents memory exhaustion attacks
  • No process spawning — scripts cannot execute external programs
  • Limited API access — only safe functions are available
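
The three properties above can be illustrated with a small Lua 5.4 host script. This is an added example, not Blast Office's implementation: the names `new_env` and `run_sandboxed`, the allowlist contents and the hook-based memory check are all assumptions.

```lua
-- Added illustration, not Blast Office code; all names here are assumptions.
local LIMIT_KB = 10 * 1024  -- the 10MB cap from the list above, in KB

-- Limited API: the script sees only these allowlisted functions. os, io,
-- package, require, debug, load and dofile are absent, so it has no call
-- that starts a process or opens a file.
local function new_env()
  return {
    ipairs = ipairs, pairs = pairs, type = type, select = select,
    tostring = tostring, tonumber = tonumber,
    math = { floor = math.floor, max = math.max, min = math.min },
    table = { insert = table.insert, concat = table.concat },
    string = { format = string.format, sub = string.sub, len = string.len },
  }
end

-- Run untrusted source text; returns ok plus a result or an error message.
local function run_sandboxed(source)
  -- Mode "t" rejects precompiled bytecode; the env table replaces _G.
  local chunk, err = load(source, "=script", "t", new_env())
  if not chunk then return false, err end
  local co = coroutine.create(chunk)
  -- Every 1000 VM instructions, abort once the Lua heap passes the cap.
  -- pcall is not in the env, so the script cannot catch this error.
  debug.sethook(co, function()
    if collectgarbage("count") > LIMIT_KB then
      error("memory limit exceeded", 0)
    end
  end, "", 1000)
  return coroutine.resume(co)
end

-- Constructed sample scripts, one per property.
local samples = {
  allowed = 'return string.format("%d items", 3)',
  spawn   = 'return os.execute("echo hi")',
  memory  = 'local t = {} for i = 1, 1e8 do t[i] = i end',
}
for name, src in pairs(samples) do
  print(name, run_sandboxed(src))
end
```

The hook runs only between VM instructions, so a hard cap is normally enforced in the host's memory allocator and the hook here stands in for that. String methods called with `:` resolve through the shared string metatable rather than the `string` table in the environment, so a real host restricts that as well.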

Credential Storage

  • Blast Office stores credentials securely using the system keyring
  • Tokens and authentication data are encrypted at rest
  • Never share your authentication tokens or API keys

Enterprise Recommendations

  • Use strict enforcement mode for sensitive environments
  • Enable SSO through your identity provider for centralized authentication
  • Set up directory sync for automatic user provisioning and deprovisioning
  • Review audit logs regularly
  • Configure server-side logging for compliance requirements