Twill is built with enterprise security requirements in mind. Your code and credentials stay protected at every step.
Code Execution Isolation
Agent code runs in isolated cloud dev environments, completely separate from Twill's infrastructure:
- Per-workspace isolation: Each workspace gets its own dev environment. One workspace's code, repos, and secrets are never reachable from another's.
- Per-task forks: Every task runs in an isolated fork, so changes made by the agent can’t leak into your base environment or into other tasks.
- Resource limits: CPU, memory, and disk quotas prevent runaway processes.
Read-Only by Default
Twill agents operate with minimal permissions:
- GitHub read-only: Agents cannot push directly to your repositories
- PR-based workflow: All changes go through pull requests for human review
- No direct deploys: Twill never deploys code without your approval
Data Encryption
Your sensitive data is protected at rest and in transit:
- AES-256-GCM encryption: Environment secrets are encrypted before storage
- HTTPS everywhere: All API communication uses TLS
- Short-lived tokens: GitHub access tokens are cached briefly and refreshed automatically
Webhook Verification
All incoming webhooks are cryptographically verified:
- HMAC-SHA256 signatures: GitHub, Linear, and Slack webhooks use signed payloads
- Timing-safe comparison: Prevents timing attacks on signature verification
- Replay protection: Slack webhooks reject requests older than 5 minutes
Workspace Isolation
Multi-tenant architecture ensures strict boundaries:
- Role-based access: Owner, Admin, and Member roles with appropriate permissions
- Credential scoping: Each workspace’s secrets are isolated from others
- OAuth state validation: CSRF protection on all authorization flows
No Model Training
Your code and prompts are never used to train AI models. Twill processes your data only to complete tasks you request.
Best Practices
Environment Variables
- Use Twill’s secret storage: Add sensitive values through the workspace environment settings rather than committing them to your repository
- Use dev credentials only: Create separate API keys for development—never give agents access to production credentials
- Rotate credentials regularly: Update API keys and tokens periodically
- Scope permissions narrowly: Give third-party API keys only the permissions they need
Branch Protection
Enable GitHub branch protection on your main branches:
- Require pull request reviews: Ensure human review before merging agent PRs
- Require status checks: Block merges until CI passes
- Restrict direct pushes: Prevent bypassing the PR workflow
Third-Party Services
Twill integrates with trusted infrastructure providers:
- Modal / Daytona: Sandbox execution environments
- GitHub / Linear / Slack: Issue tracking and communication
- Stripe: Payment processing (PCI compliant)