Skip to main content
You’re evaluating gavAI for something that has to be right. This page is the index to the three things that determine whether it can be: how workspaces are isolated from each other, how tokens are scoped so a compromise stays small, and how we handle it when someone reports a vulnerability. By the end you’ll know which page to read for your specific concern and the four design principles each one rests on. If you’re a developer integrating, the scopes catalogue is the operational page — it lists every action verb and which endpoints they unlock. If you’re a security reviewer or compliance team, multi-tenant isolation is the architectural page — it names the boundaries and what enforces each one. If you’re a researcher, disclosure is the reference — in-scope buckets, response SLAs, where to send the report.

The four design principles

Each page in this section is one consequence of these four. They are stated here once so you can hold them in your head while you read the rest.

Pick the page you need

Reporting a vulnerability

If you find a security issue in the platform, the runtime, or the API, we want the report. The disclosure policy has the full process, the acknowledgment SLA, and the in-scope list. For urgent findings — anything involving cross-tenant access or credential exposure — skip the form and email security@gavai.io directly.