© 2026 Wonderful Inc.

    Account Security

    Understand how Wonderful secures your account and data — authentication, role-based access control, encryption, and security best practices.

    Wonderful is built on a fine-grained, relationship-based access control model that ensures users can only see and interact with the content they're authorized to access — at both the workspace and space level.

    Authentication

    Sign-in Methods

    • Email + Password — with minimum complexity requirements
    • Google OAuth — single sign-in for Google Workspace users; no separate password needed

    Session Management

    • Sessions are secured with HTTP-only cookies
    • Session tokens rotate on sensitive operations
    • Inactive sessions expire automatically

    Two-Factor Authentication (2FA)

    Enable 2FA in Account Settings → Security → Two-Factor Authentication. Once enabled, a second factor is required at every sign-in.

    Recommended: Enable 2FA for all Workspace Admins. It's particularly important for accounts that have access to connected ad accounts (Meta), which could be used to run unauthorized ads if compromised.


    Authorization Model

    Wonderful uses ReBAC (Relationship-Based Access Control) — your access to any resource is determined by your relationship to it (workspace member, space admin, space viewer) rather than a simple role list.

    How It Works

    Access is evaluated in a cascade:

    1. Are you a Workspace Admin? → full access to everything
    2. Are you a member of the space that owns this content? → access based on your space role
    3. Is this content shared via a public link? → access based on the link's privacy level (View or Review)
    4. None of the above → no access

    This means:

    • A Space Viewer on Client A cannot see Client B's content at all — even if they know the URL
    • A Space Member on Client A cannot change space settings
    • Workspace Admins bypass space-level restrictions for administrative purposes

    Row Level Security (RLS)

    All database tables have Postgres Row Level Security enabled. Even if a request bypassed the application layer, the database enforces workspace-level isolation. A user can only query rows belonging to workspaces they're members of.
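The following is an added example and not Wonderful's own schema or code. It puts the four-step cascade from "How It Works" and the workspace-level Row Level Security described above into one runnable Postgres script, so the two layers can be compared side by side: the cascade is an application-level function, while the RLS policy is what the database enforces on its own when that function is never called. Table and column names, the text ids, and the `app.user_id` session setting used to identify the caller are all assumptions; Supabase deployments would typically key the policy on the authenticated user instead.

```sql
-- Added example, not Wonderful's own schema or code. It models the
-- four-step ReBAC cascade from "How It Works" as a Postgres function and
-- layers the workspace-level Row Level Security described above on top.
-- Table/column names and the app.user_id session setting are assumptions.

create table workspaces (id text primary key);
create table workspace_members (
  workspace_id text references workspaces(id),
  user_id      text not null,
  is_admin     boolean not null default false,
  primary key (workspace_id, user_id)
);
create table spaces (
  id           text primary key,
  workspace_id text not null references workspaces(id)
);
create table space_members (
  space_id text references spaces(id),
  user_id  text not null,
  role     text not null check (role in ('admin', 'member', 'viewer')),
  primary key (space_id, user_id)
);
create table assets (
  id       text primary key,
  space_id text not null references spaces(id)
);
create table share_links (           -- public links, privacy level View or Review
  token    text primary key,
  asset_id text not null references assets(id),
  privacy  text not null check (privacy in ('view', 'review'))
);

-- Caller identity comes from a per-request session setting that the
-- application sets (assumption): select set_config('app.user_id', ..., true).
create function current_app_user() returns text
language sql stable as $$
  select nullif(current_setting('app.user_id', true), '')
$$;

-- The cascade: the first matching step wins, the last resort is 'none'.
create function effective_access(p_asset text, p_share_token text default null)
returns text language sql stable as $$
  select coalesce(
    -- 1. Workspace Admin of the owning workspace -> full access
    (select 'full'::text
       from assets a
       join spaces s             on s.id = a.space_id
       join workspace_members wm on wm.workspace_id = s.workspace_id
      where a.id = p_asset and wm.user_id = current_app_user() and wm.is_admin),
    -- 2. Member of the owning space -> access based on that space role
    (select sm.role
       from assets a
       join space_members sm on sm.space_id = a.space_id
      where a.id = p_asset and sm.user_id = current_app_user()),
    -- 3. Valid public link -> the link's privacy level
    (select sl.privacy
       from share_links sl
      where sl.asset_id = p_asset and sl.token = p_share_token),
    -- 4. None of the above
    'none'::text)
$$;

-- Constructed sample data: one workspace with two client spaces, plus a
-- user who belongs to a different workspace. Inserted before RLS is
-- enabled, because the policy below only grants SELECT.
insert into workspaces values ('ws_agency'), ('ws_other');
insert into workspace_members values
  ('ws_agency', 'admin_user', true),
  ('ws_agency', 'viewer_a',   false),
  ('ws_other',  'outsider',   false);
insert into spaces values ('client_a', 'ws_agency'), ('client_b', 'ws_agency');
insert into space_members values ('client_a', 'viewer_a', 'viewer');
insert into assets values ('asset_b1', 'client_b');

-- Defense in depth: the database itself hides rows from workspaces the
-- caller is not a member of. FORCE makes the table owner subject to it too.
alter table assets enable row level security;
alter table assets force row level security;
create policy assets_workspace_isolation on assets for select using (
  exists (select 1
            from spaces s
            join workspace_members wm on wm.workspace_id = s.workspace_id
           where s.id = assets.space_id and wm.user_id = current_app_user())
);

-- Walk-through: a Client A viewer, a Workspace Admin, and an outsider
-- each ask for the Client B asset, through the cascade and directly.
select set_config('app.user_id', 'viewer_a', false);
select effective_access('asset_b1');   -- Space Viewer on Client A, asset in Client B
select count(*) from assets;           -- same workspace, so RLS alone does not hide it
select set_config('app.user_id', 'admin_user', false);
select effective_access('asset_b1');   -- Workspace Admin, step 1 of the cascade
select set_config('app.user_id', 'outsider', false);
select count(*) from assets;           -- other workspace: RLS filters every row
select effective_access('asset_b1');   -- cascade sees nothing either
```

Run it in an empty database as the table owner. Per the cascade on the page, `viewer_a` gets `none` for `asset_b1` and `admin_user` gets `full`, while `outsider` sees zero rows in `assets` no matter what the application asks for. The walk-through also shows the division of labour the page describes: RLS stops cross-workspace reads even when the application layer is bypassed, but space-level separation between Client A and Client B is the cascade's job, which is why the resolver-level permission checks still matter.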


    Data Security

    Encryption

    • In transit: All data is encrypted with TLS 1.2+ (HTTPS enforced)
    • At rest: Database is encrypted at rest via Supabase (PostgreSQL)
    • File storage: Assets are stored in encrypted cloud storage

    OAuth Token Security

    Integration tokens (for Meta, Google Drive, Figma, Frame.io) are stored in Supabase Vault — a secrets management system separate from the main database. The database only stores vault reference IDs, never the actual token values. Even with direct database access, token values cannot be read.

    API Security

    All API endpoints require authentication. The GraphQL API enforces permission checks at the resolver level — every query and mutation verifies the requesting user's access to the relevant workspace and space.


    Best Practices

    For Workspace Admins:

    • Enable 2FA on your account
    • Review the member list quarterly — remove people who've left the organization
    • Audit space memberships after client relationships end
    • Keep Workspace Admin status limited to people who genuinely need it

    For all users:

    • Use a strong, unique password for your Wonderful account
    • Don't share your login credentials with colleagues — invite them as separate users
    • Log out when using shared or public computers

    For agencies:

    • Use Private spaces for client work — never Workspace-wide
    • Remove client contacts from spaces promptly when a project ends
    • Don't use test or demo data in production workspaces

    Frequently Asked Questions

    Can a space member see content from other spaces they're not a member of?

    No. Space membership strictly controls access. A Workspace Member (who isn't an Admin) has zero access to any space they're not explicitly added to.

    What happens to data when a user is removed from the workspace?

    Their account is deactivated. All content they created (tasks, assets, comments) remains in the workspace — ownership doesn't transfer but content isn't deleted.

    Where is my data stored?

    Wonderful runs on Supabase infrastructure (PostgreSQL database) and cloud object storage, hosted in the US. Contact support@usewonderful.com for specific data residency questions.

    Are there audit logs?

    Yes. Task-level activity is logged (who did what and when) and accessible on each task's Activity tab. Workspace-level changes (member additions, integrations) are logged for Workspace Admins.

    Can I export my data?

    Yes. Contact support@usewonderful.com to request a data export.

    Is Wonderful SOC 2 compliant?

    We are working toward SOC 2 Type II certification. Contact support@usewonderful.com for our current security documentation.