Two-factor authentication and session-length policy are available on every workspace. Owners can enforce them under Settings, Security, Policy.
Session length is the maximum time between active use and forced re-auth. The default is 14 days, and it is configurable from 8 hours up to 30 days. Sensitive actions (billing changes, role-permission edits, audit-log export) always force a fresh re-auth regardless of session length.
Forced sign-out is available on every active session from Settings, Security, Sessions. The screen lists each active session by device, browser, IP region, and last-seen time. Revoking a session takes effect within 60 seconds. Workspace owners can revoke sessions on behalf of any teammate from the team management screen.
IP allowlists for the whole workspace are a V2 feature. At V1, anomalous-location sign-ins (a new country, a new device family) trigger an email confirmation step before the session is established. The notification lands in the user's mailbox and, optionally, in the workspace audit channel in Slack.
What to do next: enforce two-factor as required on the workspace, then set a session length that matches your security posture.