Security Best Practices
This guide covers security best practices for individuals and organizations using Blast Office.
Permissions Configuration
Filesystem Access
- Keep filesystem access disabled by default — enable it only when needed
- When granting access, restrict it to specific directories rather than the entire filesystem
- Review filesystem permissions regularly
Internet Access
- Consider restricting internet access for users who work with sensitive data
- Use domain allowlists to limit which sites the AI can access
Tool Access
- Review which AI tools are enabled and disable any that aren't needed
- Custom scripting, while sandboxed, should be disabled if not required by your workflow
Logging
Individual Users
- Logging is off by default for individual users
- Consider enabling local logging for personal record-keeping
Organizations
- Logging is on by default for organizations — review this setting
- Server-side logging can be enabled for compliance and auditing
- Ensure logging policies align with your data retention requirements
Content Safety
Blast Office includes built-in content safety filters.
- Flagged conversations are handled according to content safety policies
- Organizations can configure content safety settings to match their requirements
- Review flagged content regularly to ensure the system is working correctly
Script Sandbox Security
Scripts run in a sandboxed environment with restricted permissions, ensuring they cannot access resources beyond what is explicitly allowed.
Credential Storage
- Blast Office stores credentials securely using the system keyring
- Tokens and authentication data are encrypted at rest
- Never share your authentication tokens or API keys
Enterprise Recommendations
- Use strict enforcement mode for sensitive environments
- Enable SSO through your identity provider for centralized authentication
- Set up directory sync for automatic user provisioning and deprovisioning
- Review audit logs regularly
- Configure server-side logging for compliance requirements