Deny-by-Default Roles & Permissions
Every person, workspace, object, and action is private unless access is explicitly granted. Private founder knowledge remains inaccessible to all other roles.
Deny by default: New users receive no Vault access until a role and explicit workspace permissions are assigned.
Role Matrix
Current preview of role-level access. Item-level restrictions may be stricter.
| Role | Shared Vault | For Later | Story | Business | Concerns | Admin | Finance |
|---|---|---|---|---|---|---|---|
| Founder | Full | Private | Full | Full | Full | Full | Full |
| Creative Executive | Assigned | None | Full | Limited | Assigned | None | Limited |
| Visual Lead | Assigned | None | Visual | Limited | Assigned | None | None |
| Operations | Assigned | None | Read | Full | Assigned | Limited | Full |
| External Reviewer | None | None | Explicit only | Explicit only | None | None | None |
Security Policies
Recent Permission Changes
External counsel access expired
Ingmar granted Finance routing access
Melany granted Relic visual workspace
Invite Team Member
The invitation grants no access until the recipient verifies identity and the role is approved.
