# Security Controls v2.6
Last updated: March 25, 2026
## Authentication
AI4Love uses a two-layer authentication model:
- Identity verification — Clerk (SOC 2 Type II) verifies the user's email address via a passwordless one-time code flow.
- Session token — After identity verification, the backend issues an AI4Love JWT (24-hour expiry). This token governs all subsequent API access.
Access is invite-only. The user's email must exist in the organization's Airtable base or the Admin Accounts table before they can sign in.
## MCP Access Model
The MCP (Model Context Protocol) server lets AI assistants query supporter data conversationally. All MCP queries are read-only and scoped to organization-level access controls.
- Per-user access keys: Each staff member receives a unique key stored in their Airtable account record. The key field is restricted using Airtable's field-level permissions so staff cannot view each other's keys.
- Timing-safe validation: Keys are compared using constant-time algorithms to prevent timing attacks.
- No persistent session: Every request is independently authenticated. Revoking a key takes effect on the next request.
- Organization isolation: Each request resolves to a specific org, which maps to a dedicated Airtable base. Users in Org A cannot access Org B's data.
- Read-only: All 19 MCP tools are strictly read-only. No create, update, or delete operations are exposed.
## Query Safeguards
| Control | Limit |
|---|---|
| Per-minute rate limit | 60 requests per key |
| Response size cap | 100 records per response |
| Daily retrieval cap | 5,000 records per key per 24-hour rolling window |
| Anomaly detection | High-frequency sequential lookups and exhaustive field requests are flagged in audit logs |
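How the per-request key check in the MCP Access Model and the limits in the Query Safeguards table fit together, as an added illustration that is not AI4Love's code. The hashed in-memory key store, the sample keys and orgs, the in-process sliding windows and the audit list are constructed assumptions standing in for Airtable and the Vercel log stream.

```python
import hashlib
import hmac
from collections import deque
from typing import Optional

RATE_PER_MINUTE, RESPONSE_CAP, DAILY_CAP = 60, 100, 5000   # Query Safeguards table
DAY = 24 * 3600
def _fingerprint(key: str) -> str:
    # Fixed-length SHA-256 hex so stored values are not secrets and compare in constant time
    return hashlib.sha256(key.encode()).hexdigest()
KEY_STORE = {_fingerprint("key-alice-orgA"): "orgA", _fingerprint("key-bob-orgB"): "orgB"}  # constructed sample store (fingerprint -> org); the real store is Airtable
QUOTAS: dict = {}   # per-key sliding windows, keyed by fingerprint
AUDIT: list = []    # constructed stand-in for the function log stream
def resolve_org(presented_key: str) -> Optional[str]:
    # Compare against every stored key with no early exit, so timing reveals nothing
    fp, match = _fingerprint(presented_key), None
    for stored, org in KEY_STORE.items():
        if hmac.compare_digest(fp, stored):
            match = org
    return match
def revoke_key(key: str) -> None:
    KEY_STORE.pop(_fingerprint(key), None)   # no session to tear down: next request fails

class KeyQuota:
    def __init__(self) -> None:
        self.requests: deque = deque()   # request timestamps in the last 60 s
        self.records: deque = deque()    # (timestamp, records granted) in the last 24 h

    def admit(self, now: float, requested: int) -> tuple:
        while self.requests and now - self.requests[0] >= 60:
            self.requests.popleft()
        while self.records and now - self.records[0][0] >= DAY:
            self.records.popleft()
        if len(self.requests) >= RATE_PER_MINUTE:
            return "rate_limited", 0
        self.requests.append(now)
        grant = min(requested, RESPONSE_CAP, DAILY_CAP - sum(n for _, n in self.records))
        if grant <= 0:
            return "daily_cap", 0
        self.records.append((now, grant))
        return "ok", grant

def handle_query(presented_key: str, tool: str, requested: int, now: float) -> dict:
    org = resolve_org(presented_key)
    if org is None:
        return {"status": "unauthorized", "org": None, "records": 0}
    fp = _fingerprint(presented_key)
    status, granted = QUOTAS.setdefault(fp, KeyQuota()).admit(now, requested)
    # Audit entry: key fingerprint (not the key), timestamp, tool, org; never supporter PII
    AUDIT.append({"key": fp[:12], "ts": now, "tool": tool, "org": org, "status": status})
    return {"status": status, "org": org, "records": granted}
```

Each call is authenticated from scratch, so removing a key from the store rejects the very next request; the response cap trims an over-large request to 100 records and the rolling 24-hour window refuses the request that would exceed 5,000.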
## OAuth Connection Model
AI4Love connects to external platforms through Nango, an enterprise OAuth gateway.
| Platform | Auth Method | Scopes / Access |
|---|---|---|
| Blackbaud RE NXT | OAuth 2.0 (refresh token) | SKY API read access — constituents, gifts, actions, events |
| Mailchimp | API Key | Read access to member lists, campaigns, activity |
| Environics | OAuth 2.0 (client credentials) | Postal-code-level enrichment (PRIZM, WealthScapes) |
Your organization initiates each connection. AI4Love never connects without explicit staff authorization. All connections can be revoked instantly from the Integrations dashboard.
## AI4Love Internal Access Controls
Access to your organization's data by AI4Love personnel is governed by the principle of least privilege.
- No standing access: AI4Love staff do not have persistent access to your Airtable base. Access is granted only when required for support, debugging, or onboarding — and only with your knowledge.
- Role-based access: Internal access is restricted to authorized personnel. Infrastructure credentials are scoped by function (e.g., deployment credentials cannot access Airtable data).
- Time-bound: Support access is granted for the duration of the issue and revoked upon resolution.
- Logged: All administrative actions (deployments, credential rotations, configuration changes) are logged in Vercel and Doppler audit trails.
## Rate Limiting
| Scope | Limit |
|---|---|
| Global | 200 requests/minute |
| Auth routes | 10 requests/minute |
| API routes | 60 requests/minute |
| MCP per key | 60 requests/minute |
| MCP daily cap | 5,000 records/key/24h |
## Audit Logging
| What Is Logged | Where | Retention |
|---|---|---|
| MCP queries (user key, timestamp, tool invoked, org ID) | Vercel function logs; SIEM (if configured) | 1 hour (Vercel Pro); 30–90 days (SIEM) |
| Integration sync events (platform, record counts, errors) | Vercel function logs; SIEM (if configured) | 1 hour (Vercel Pro); 30–90 days (SIEM) |
| OAuth connection/disconnection events | Nango audit log | Per Nango retention policy |
| Credential access and rotation | Doppler audit trail | 90 days |
| Deployment and configuration changes | Vercel deployment log | Indefinite |
Audit logs are available to your organization on request. AI4Love does not log supporter PII in any log stream.
For partners requiring forensic-grade log retention, AI4Love supports real-time log streaming to an external SIEM (e.g., Datadog, Logtail) with configurable retention of 30–90 days. This is a standard option in high-compliance onboarding.