Skip to documentation content

Documentation

Security

Two-factor authentication (2FA)

  • Required for all users before app access
  • Required for sensitive actions: email change, password change, org deletion
  • Trusted devices — skip the 2FA prompt on devices you mark as trusted

Session security

  • Idle sign-out — signed-in users are automatically signed out after inactivity, with a countdown warning and a "Stay signed in" option
  • Idle sign-out is suspended while you are facilitating a live exercise, so a running tabletop is never interrupted

Room security

  • Exercises require room code + password (8+ chars)
  • Password shared separately from join link

Participant data

  • Participants don't create accounts
  • Identity stored as display name + browser session
  • Optional data protection mode per exercise Plus Pro — session data, responses, and the report are purged after the org retention window (default 48 hours, configurable in Organization settings); such runs show a Temporary badge in the facilitator view

Email

Transactional email via Resend: invites, verification, password reset, billing notifications.