Isolation is the architecture.
No badges, no acronym wall — the five mechanisms that keep agencies, their clients, and their agents inside their own walls.
Isolation, enforced twice.
At the database and on every request — row-level security and role-gated routes. Agencies and their clients never see each other’s data.
Host-isolated by design.
Branding and sessions follow the hostname. A login on one partner’s portal can never cross to another.
An encrypted vault.
Encrypted at rest with AES-256-GCM, decrypted server-side only, retrieved by scope. Keys are never returned to the browser.
Eleven roles, audited.
Each teammate gets exactly what their job needs. One-click “view as client” for support is fully audited, like everything else.
Agents under the same law.
Andus acts through platform roles, never Slack channels. No publish, spend, or credentials without confirmation — every request logged, including denials.
SOC 2 is in progress.
Ask us where we are today — we’ll share our current status and roadmap.
| Time | Actor | Mode | Action | Scope | Result |
|---|---|---|---|---|---|
| 09:41 | Jordan | Retrieve | meta.insights.pull | client/horizon-med-spa | OK |
| 09:42 | Jordan | Act | tasks.create · confirmed | client/horizon-med-spa | OK |
| 11:05 | Priya | Report | meetings.summary | client/cedar-dental | OK |
| 13:18 | Cole | Act | campaigns.publish | client/summit-hvac | DENIED · role lacks publish |
| 16:30 | system | Monitor | integrations.health | org/apex-digital | OK |