Identity and Access Architecture (WorkOS)
Why BondingAI uses WorkOS for authentication and authorization while keeping business data in the customer's cloud.
Executive Summary
BondingAI uses WorkOS exclusively for authentication and authorization.
The key architecture principle is strict separation between:
- Identity traffic (authentication claims and access tokens)
- Business data (chats, documents, embeddings, analytics, domain data)
Business data remains in the customer-controlled cloud environment.
Data Boundary: Identity vs Business Data
Authentication Flow
Data Classification
| Data Category | Examples | Storage Location | Leaves Customer Cloud |
|---|---|---|---|
| Chat Content | Messages, AI responses, conversation history | Customer PostgreSQL | No |
| Documents | Uploaded files, PDFs, knowledge base | Customer Azure Blob | No |
| Embeddings | Vector representations, RAG data | Customer PGVector | No |
| Analytics | Usage metrics, KPIs, dashboards | Customer PostgreSQL | No |
| Company Data | Organizations, domains, configurations | Customer PostgreSQL | No |
| User Identity | Email, name, org membership | WorkOS | Yes (auth only) |
| SSO Config | SAML/OIDC provider settings | WorkOS | Yes (auth only) |
| Access Tokens | Session and authorization tokens | WorkOS | Yes (auth only) |
WorkOS Security and Compliance Posture
| Certification | Status | Description |
|---|---|---|
| SOC 2 Type 2 | Certified | Audited controls for security, availability, confidentiality |
| GDPR | Compliant | EU data protection compliance |
| CCPA | Compliant | California privacy compliance |
| HIPAA | BAA Available | Business Associate Agreement available |
| PCI DSS | Certified | Payment security standard compliance |
Operational security practices include encrypted transport, encrypted storage, third-party testing, and compliance documentation.
Why This Architecture Decision
This approach reduces time-to-value while preserving enterprise controls.
| Decision Dimension | With WorkOS | Without WorkOS |
|---|---|---|
| Implementation speed | Faster rollout | Longer custom build cycle |
| Admin experience | Built-in enterprise admin flows | Custom admin portal required |
| Directory sync | Built-in support | Additional build/licensing effort |
| Ongoing maintenance | Managed capability | Customer-owned auth lifecycle |
| Fine-grained authorization | Native WorkOS FGA path | Must build and operate |
Risk Perspective
External authentication traffic is acceptable because only identity claims and tokens are exchanged, not business payloads.
- Identity is validated through secure authentication channels.
- Business operations execute in customer-controlled data systems.
- Governance, monitoring, and policy controls remain enforced in platform workflows.
Summary
BondingAI keeps the security boundary clear:
- Who the user is → handled by WorkOS
- What the user does and accesses → executed against customer-controlled platform data
This preserves data sovereignty while maintaining enterprise-grade authentication and authorization capabilities.