Team & security
Client-safe workspaces with a paper trail
Four roles with server-enforced, read-only client viewers, per-project access grants, single-use email invites that confirm before they join, TOTP two-factor auth, a tenant-visible audit log, and self-serve GDPR export and delete.
Roles & client viewers
Read-only means enforced, not hidden
Owner, admin, member, and client viewer — the read-only seat an agency hands a client for a live view of their reports. Write access is derived from role on the server, so a viewer who reaches an edit action is stopped everywhere, not just in the UI.
The same fence binds us: an operator in support view holds no membership in your workspace, so member, invite, role, and scope controls are read-only for them too — and every support view-as session lands in your audit log.
Illustrative — write access is derived from role on the server, not hidden buttons.
Invites & per-project access
Single-use invites, scoped to the projects you choose
Invites are single-use links that expire after seven days, optionally emailed for you — with a “sent” confirmation only after the email provider actually accepts the message. Opening a link shows a confirmation naming the workspace, role, and account; nothing happens until the person confirms, and seat caps are re-checked at acceptance so invites can never over-fill a plan.
Members and client viewers can be scoped to chosen projects— and MentionFlow refuses to mint a “scoped admin”, because a boundary an admin could lift on themselves isn't a boundary.
Join Northwind Agency?
as Client viewer · scoped to Acme
signed in as [email protected]
Illustrative — opening a link never enrolls anyone; joining takes an explicit click.
Audit log
Every access-relevant change, on the record — visible to you
The audit log lives in your workspace settings, not in a support queue you have to ask about. One deliberate guarantee: an invite acceptance is recorded atomically with the membership it grants, so a new member can never join unaudited.
| Recorded | Events |
|---|---|
| Membership | role changes, project-scope changes, removals |
| Invites | created, emailed, accepted (atomic with the grant), revoked |
| Credentials | API keys created/revoked, password resets, email verifications |
| Egress | data exports, scheduled-report changes, Cloudflare Worker connect/disconnect |
| Operator access | support view-as sessions — visible to you, not just to us |
| Destructive | brand archive/restore/delete, workspace deletion, billing changes |
Account security
Two-factor auth that can't lock you out
TOTP two-factor authentication with one-time backup codes, on every plan. Enrollment is verify-first — 2FA does not switch on until a code from your authenticator actually verifies — and both enabling and disabling require your password.
Actions that move workspace data out — creating an API key, enabling a report schedule, setting a notification webhook — additionally require a verified email address for accounts created on or after 2026-07-11.
Backup codes shown once at enrollment — each works a single time.
Illustrative — TOTP with one-time backup codes; enrollment verifies before it turns on.
GDPR self-serve
Your data leaves with you — no ticket required
Exportdownloads everything the workspace owns as one zip — full answer texts, mentions, citations, metrics, prompts, members, the audit log — with a manifest stating the generation date and exactly what is and isn't included.
Deleteis owner-only and typed-confirm: any active subscription is cancelled with Stripe first — if that can't be confirmed, nothing is deleted — then every project, answer, metric, member, key, and the audit trail itself is erased in one atomic cascade.
Illustrative — one zip with a manifest stating exactly what is and isn't included.
Frequently asked questions
What roles does MentionFlow support?+
Four: owner (everything, including billing and granting ownership), admin (members, API keys, billing), member (full read and write on workspace data), and client viewer (read-only). Write access is derived from the role on the server — hiding a button is never the only thing standing between a viewer and a change.
Can I give a client access to just their own project?+
Yes. Members and client viewers can be scoped to specific projects, either on the invite or later. Owners and admins always have workspace-wide access — MentionFlow deliberately refuses to create a "scoped admin", because access gates run on role and a scoped admin could simply un-scope themselves. The boundary is real, not cosmetic.
How do invites work?+
Every invite is a single-use link that expires after seven days, granting a role you choose (never owner). Opening the link shows a confirmation screen naming the workspace, the role, and the signed-in account — nothing happens until the person explicitly confirms. Seat caps are re-checked at acceptance, so a burst of invites can never over-fill the plan, and every acceptance is written to the audit log atomically with the membership it grants.
Is there an audit log?+
Yes, visible to the workspace: role and project-scope changes, removals, invites created/emailed/accepted/revoked, API keys created and revoked, scheduled-report changes, password resets and email verifications, billing events, Google Search Console connect/disconnect, support view-as sessions, Cloudflare Worker connect/disconnect, data exports, brand archive/restore/delete, and workspace deletion.
Does MentionFlow support two-factor authentication?+
Yes — TOTP two-factor authentication with one-time backup codes, on every plan. Enrollment is verify-first: 2FA does not switch on until you enter a valid code from your authenticator, so a misconfigured app can't lock you out. Enabling and disabling both require your password.
Can I export or delete all my data (GDPR)?+
Both are self-serve. Export downloads everything the workspace owns as one zip — answers, mentions, citations, metrics, prompts, members, the audit log — with a manifest stating exactly what is and isn't included. Delete is owner-only with typed confirmation: any active subscription is cancelled with Stripe first, then everything is erased in one atomic cascade.
The mechanics are documented in Workspace and members, Two-factor authentication and API keys. Client-safe workspaces pair with client reporting and the API & MCP platform.
Run client work without handing over the keys
Roles, scoped access, and an audit trail your clients can see too.
Start your free trial