# For admins

_Last updated: July 8, 2026_

You own or administer a Waydock workspace. This guide is task-oriented: the org and roles model, per-member isolation and converting a personal org to a team, governing what agents can do, the outbound-email safety contract and kill switch, Mira governance, billing and the AI cost ledger, and the audit and revocation trail. For the underlying trust model see [Security](/security); for the ideas behind the product see [How Waydock works](/docs/concepts).

> **For agents:** this page is available as Markdown at [/docs/for-admins.md](/docs/for-admins.md). If you are an agent connecting to Waydock, prefer the [Quickstart](/docs/quickstart) and the [Tool reference](/docs/tools).

## Org and roles

- **Org is the tenant.** Every account starts as a personal org. Membership is many-to-many: a user can belong to more than one org.
- **Three roles:**
  - **OWNER:** full control, including deleting the org.
  - **ADMIN:** manage members, billing, seats, connection policy, and org data settings.
  - **MEMBER:** use the product and manage their own accounts, keys, and settings.
- **Per-member isolation is enforced at the database.** One member cannot read another member's mail, cards, tasks, transcripts, or Teams messages, even inside the same org. This is Postgres row-level security keyed on both organization and user, not application logic. It is the standard B2B posture, and it is a logical (not cryptographic) boundary: co-members share a per-org encryption key, so at-rest encryption isolates orgs, not members. See [Security](/security).

## Convert a personal org to a team

Converting a personal org to a team is a one-way, OWNER-gated action that reconciles seats. Once converted, you invite people in Settings under Organization, Members: invite by email, each invite carries a role and an expiry and can grant a seat on accept, and members accept through an invite link. Role changes, removals, and invites are all written to the org audit log.

## Govern what agents can do

Each member mints their own per-user scoped MCP keys (Settings, Account, MCP). As an admin, the controls you rely on:

- **Read-only by default.** New keys hold no write scopes. Write scopes require Pro, and are checked again at call time, so downgrading a plan disables write tools immediately rather than at the next key rotation.
- **Two presets keep the common cases safe.** "Read and email myself" (the free default) reads everything and can only email the member's own inboxes. "Full access" (Pro) reads and acts, but keeps sending to other people as a separate opt-in.
- **Sending to third parties is wildcard-proof.** `write:mail.send` (email anyone on the allowlist) and `write:teams.send` can never be bundled into a preset or satisfied by a broad grant; they must be granted as literal scope strings.
- **Per-key restrictions.** A key can carry a per-key tool denylist, IP-range restrictions, and an expiry.
- **Provenance gating.** An agent that reads an untrusted email or transcript loses its send and delete tools for that turn: structural protection against prompt-injection (EchoLeak-class) attacks.
- **Everything is logged and revocable.** Every agent call is scope-checked, entitlement-checked, and written to the audit log with the agent's name. Revoke a key and both the app and the agent stop at once.

## The outbound-email safety contract

Every outbound email, whether from a member's agent, from Mira, or from a cron, routes through one server-side chokepoint. It fails closed and enforces, in order:

- **Allowlist-only recipients.** Sends go only to addresses a member has listed. When the allowlist is off for a member, sending to your own inboxes still works, but third-party sends are gated.
- **New-recipient cooldown.** A brand-new recipient has a 60-second cooldown before the first send. This is not user-tunable, because a shorter cooldown is the risky direction.
- **Daily and per-recipient caps.** Defaults are 500 sends per day and 20 per recipient per day. Members can tune these, but only within hard ceilings of 2000 per day and 100 per recipient that a stolen session cannot raise.
- **Thread-only replies.** When a send targets a thread, recipients must already be participants of that thread.
- **The kill switch.** "Allow outbound sending" is checked at the moment of send and kills every path (agent, cron, automation) at once.
- **Sanitized HTML and scrubbing.** HTML is opt-in per recipient and sanitized (script, style, head, and inline handlers stripped); there is no cc, bcc, or attachment support from an agent. Invisible characters are scrubbed.

As an admin you can force allowlist enforcement on for every member, overriding individual opt-outs, under Settings, Organization, Data and Privacy. Full detail is on [Security](/security).

## Govern stored data

Under Settings, Organization, Data and Privacy (all step-up re-auth gated):

- **Email body storage:** off by default. When on, message bodies are stored encrypted at rest with a retention window enforced by a prune cron. Leave off to keep only metadata and snippets, with mail read live at query time.
- **Meeting transcript storage:** opt-in encrypted storage so transcripts survive a provider's retention window (for example, Pocket's free 30 days).
- **Teams message capture:** opt-in encrypted storage of Teams message bodies.

## Mira governance

Mira, the in-app assistant, is an org opt-in that you enable for the org. When enabled, data flows direct to the model provider, with no gateways. On Pro, buying the plan provisions Mira for the org and you grant per-member seats. Free orgs get a limited Mira: 3 turns a day (90 a month) on a small model. Manage it under Settings, Organization, Mira.

## Billing and the AI cost ledger

- **Billing.** Pro is billed per active member of the workspace, org-level, through Stripe, with a 14-day free trial and no card required to start. Only OWNER and ADMIN can start, change, or cancel a subscription and manage seats. Checkout, the Stripe customer portal, and seat management live under Settings, Billing. See [Pricing](/pricing) for current amounts.
- **What Pro unlocks for the org:** write scopes behind approval cards, 5-minute sync, a 365-day audit log with export, full Mira, AI summaries and drafts, and outbound webhooks.
- **AI cost ledger.** Every app-side LLM call (email classification, insights, briefs, nudges) is tracked per org and in aggregate, with a cost-by-feature view in the Finance tab. Dollar figures are superadmin-only; org admins see token and usage counts, not dollars.

## Audit and revocation

Waydock keeps several durable, queryable logs, all fed by the same paths the UI uses:

- **Org audit** (Settings, Organization, Audit): invites, role changes, removals, renames, convert-to-team.
- **Auth audit:** logins, OAuth connect and disconnect, MFA, key create and revoke.
- **MCP audit:** every agent tool call.
- **Outbound calls:** every third-party API call made on a member's behalf.

Because the UI and the agent endpoint share the audit log, revocation takes effect everywhere in the same moment. To handle a leaked key, rotate it (new secret, same scopes, old secret dies) or revoke it outright in Settings, Account, MCP; both are immediate across the app and the MCP endpoint.

## Related

- [Security](/security) for the full trust model
- [How Waydock works](/docs/concepts) for the core ideas
- [Authentication](/docs/authentication) for connecting agents and managing keys
- [Tool reference](/docs/tools) for read versus write scopes
- [Pricing](/pricing) for live numbers
