Security best practices for your team

Last updated: May 19, 2026

A 10-point checklist for owners and admins. Each item is small on its own; together they reduce account-takeover risk, limit blast radius of mistakes, and keep your audit story clean. Reviewed quarterly, this is your security baseline.

Who is this for

Workspace owners, admins, and anyone responsible for IT or security oversight at a Wevion-using team. If you're a one-person shop, focus on items 1, 2 and 7; the rest matter as you grow.

The 10-point checklist

1. Enable 2FA for every admin+ role

Why: a stolen password should never be enough to access billing or sensitive controls.

How: at minimum, owner, admin, super_admin, and finance roles should have 2FA enabled. See team-111. Make it a written policy and verify in the audit log (filter by action: 2fa_enable).

For Enterprise: enforce via your SSO IdP (Okta, Azure AD).

2. Rotate API keys every 90 days

Why: long-lived keys are a single point of failure. Rotation limits compromise blast radius.

How: set a calendar reminder. For each key:

  1. Create replacement with the same role + integration

  2. Deploy to your services

  3. Confirm it works (check last_used in the audit log)

  4. Revoke the old key

See team-112 for full rotation procedure.

3. Use least-privilege roles

Why: a viewer can't accidentally pause a campaign; a mediabuyer can't drop the subscription.

How: start new members at viewer or the minimum role for their job. Promote only when an action they need is blocked. Review role assignments monthly via the audit log.

Avoid the "everyone is admin" anti-pattern — it makes every account a potential breach vector.

4. Review the audit log monthly

Why: detection requires looking. Many breaches go unnoticed for weeks.

How: 30 minutes a month, scan the audit log filtered by:

  • Action: role_change (unexpected promotions?)

  • Action: api_key_create (any new keys you didn't know about?)

  • Action: impersonate (anyone impersonating without business reason?)

  • Action: integration_disconnect (unexpected disconnections?)

Export the log annually as a compliance trail. See team-113.

5. Remove inactive members within 90 days

Why: dormant accounts are attack surface. They accumulate compromise risk and waste seats.

How: filter the People page by Last login > 90 days ago. For each:

  • Check with their manager — still needed?

  • If no: remove from workspace (team-107)

  • If unclear: deactivate temporarily

6. Don't share login credentials — invite them

Why: shared logins break audit (everyone shows as one user), block 2FA, and make offboarding impossible.

How: every person gets their own invite (free, just consumes a seat). If you're hitting seat limits, buy extra slots — cheaper than a security incident.

7. Use SSO if Enterprise

Why: centralized identity = instant offboarding when an employee leaves the company. Without SSO, you must remember to remove them manually from every SaaS — Wevion included.

How: Enterprise plans support SAML and OIDC. Talk to your CSM to set it up. See acc-114 (enterprise plans).

8. Monitor active sessions and revoke unknown ones

Why: if a session appears from a country you've never visited, that's a signal.

How: each user can review at Settings → Personal → Security → Active sessions. Revoke unfamiliar ones. Admins can do the same per user via the People page detail drawer.

If you see a session you don't recognize, also:

  1. Immediately change your password

  2. Disable + re-enable 2FA (regenerates backup codes)

  3. Review audit log for unauthorized actions during the suspected session

  4. Notify your team

9. Set strong Workspace Defaults

Why: misconfigured defaults (wrong timezone, wrong currency, wrong language) cause confusion that masks security signals. Hard to spot "something unusual" if everyone sees different times.

How: set Workspace Defaults once during onboarding. Review when team composition changes.

10. Two-person review for sensitive operations

Why: ownership transfers, account deletion, billing changes can be exploited if a single account is compromised.

How: Wevion doesn't enforce this technically. Make it a team policy:

  • Major plan changes require manager + finance sign-off

  • Ownership transfer announced in team chat before initiation

  • Account deletion requests reviewed by two admins

For Enterprise: ask your CSM about approval workflows in the roadmap.

Quarterly review template

Run this every 90 days (or monthly for higher-risk teams):

Check | Tool | Pass if
--- | --- | ---
All admins+ have 2FA | Audit log filter action: 2fa_enable per user | Every admin+ user has an enable entry
API keys rotated | API Keys page sorted by created date | No key older than 90 days
Inactive members removed | People page filter last_login > 90d | Empty list (or all justified)
Audit log shows no surprises | Audit log monthly scan | All entries explainable
Pending invites resolved | Settings → Team → Invites | No pending > 14 days
Stripe payment method current | Settings → Team → Billing | No expired card warning
SSO group sync (if Enterprise) | Your IdP admin console | All Wevion users in expected IdP groups
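The quarterly checks above, together with the monthly audit-log scan from item 4, as a script you can run over exported data. This is an added example, not Wevion tooling: it assumes you have exported the audit log, the API key list, the People list and pending invites into JSON-style records with the field names used below (ts, actor, action, target, user, role, last_login, created, sent). Those field names and every sample record are constructed for illustration and are not Wevion's documented export schema.

```python
"""Quarterly security review over exported Wevion data.

Added example, not Wevion's own tooling. Field names (ts, actor, action, target,
user, role, last_login, created, sent) are assumptions about an export format,
and all sample records below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Fixed reference date so results are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 5, 19, tzinfo=timezone.utc)
STALE_DAYS = 90       # keys and logins older than this fail the check
INVITE_DAYS = 14      # pending invites older than this fail the check
PRIVILEGED_ROLES = {"owner", "admin", "super_admin", "finance"}
WATCH_ACTIONS = {"role_change", "api_key_create", "impersonate", "integration_disconnect"}


def _dt(s):
    """Parse an ISO-8601 timestamp from the export as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample exports (field names are assumptions).
AUDIT_LOG = [
    {"ts": "2026-02-01T09:00:00", "actor": "alice", "action": "2fa_enable", "target": "alice"},
    {"ts": "2026-03-12T10:30:00", "actor": "bob", "action": "2fa_enable", "target": "bob"},
    {"ts": "2026-05-02T16:45:00", "actor": "bob", "action": "role_change", "target": "dave"},
    {"ts": "2026-05-10T03:12:00", "actor": "dave", "action": "api_key_create", "target": "key_42"},
    {"ts": "2026-05-11T11:00:00", "actor": "alice", "action": "login", "target": "alice"},
]
MEMBERS = [
    {"user": "alice", "role": "owner", "last_login": "2026-05-18T08:00:00"},
    {"user": "bob", "role": "admin", "last_login": "2026-05-17T08:00:00"},
    {"user": "carol", "role": "viewer", "last_login": "2026-01-20T08:00:00"},  # dormant > 90 days
    {"user": "dave", "role": "admin", "last_login": "2026-05-10T03:00:00"},   # admin with no 2fa_enable entry
]
API_KEYS = [
    {"id": "key_7", "created": "2026-01-05T00:00:00"},   # older than 90 days
    {"id": "key_42", "created": "2026-05-10T03:12:00"},
]
INVITES = [
    {"email": "new.hire@example.com", "sent": "2026-05-15T00:00:00"},  # 4 days old, still fine
]


def admins_without_2fa(members, audit_log):
    """Item 1: every privileged user must have a 2fa_enable entry in the audit log."""
    enabled = {e["target"] for e in audit_log if e["action"] == "2fa_enable"}
    return sorted(m["user"] for m in members
                  if m["role"] in PRIVILEGED_ROLES and m["user"] not in enabled)


def stale_api_keys(keys, now=NOW):
    """Item 2: no key may be older than STALE_DAYS."""
    cutoff = now - timedelta(days=STALE_DAYS)
    return sorted(k["id"] for k in keys if _dt(k["created"]) < cutoff)


def inactive_members(members, now=NOW):
    """Item 5: members whose last login is older than STALE_DAYS."""
    cutoff = now - timedelta(days=STALE_DAYS)
    return sorted(m["user"] for m in members if _dt(m["last_login"]) < cutoff)


def audit_entries_to_review(audit_log, since_days=30, now=NOW):
    """Item 4: watch-listed actions from the last since_days, for a human to explain."""
    cutoff = now - timedelta(days=since_days)
    return [e for e in audit_log
            if e["action"] in WATCH_ACTIONS and _dt(e["ts"]) >= cutoff]


def stale_invites(invites, now=NOW):
    """Pending invites older than INVITE_DAYS."""
    cutoff = now - timedelta(days=INVITE_DAYS)
    return sorted(i["email"] for i in invites if _dt(i["sent"]) < cutoff)


def quarterly_review(members, audit_log, keys, invites, now=NOW):
    """Run every automatable check; returns {check name: (passed, findings)}.

    The audit-log check cannot be decided by code alone: it passes only when there
    is nothing to explain; otherwise each listed entry needs a written justification.
    """
    findings = {
        "All admins+ have 2FA": admins_without_2fa(members, audit_log),
        "API keys rotated": stale_api_keys(keys, now),
        "Inactive members removed": inactive_members(members, now),
        "Audit log shows no surprises": audit_entries_to_review(audit_log, now=now),
        "Pending invites resolved": stale_invites(invites, now),
    }
    return {check: (len(items) == 0, items) for check, items in findings.items()}


if __name__ == "__main__":
    for check, (passed, items) in quarterly_review(MEMBERS, AUDIT_LOG, API_KEYS, INVITES).items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}: {items}")
```

On the constructed data the script fails the 2FA check (dave is an admin with no 2fa_enable entry), the key-rotation check (key_7 is older than 90 days) and the inactive-member check (carol), and lists a role change plus a new API key for someone to explain; the invite check passes. The Stripe and SSO rows of the table are deliberately left out because they are read from the billing page and your IdP console, not from an export.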

Incident response basics

If you suspect a compromise:

  1. Disable the suspected user account immediately (team-107)

  2. Revoke all their API keys (the Remove flow includes a checkbox for this)

  3. Revoke all their active sessions (People page detail drawer)

  4. Review the audit log for that user's last 30 days

  5. Notify affected workspaces' owners + super_admin

  6. Reset their password forcibly (admin can trigger password reset email)

  7. Reset their 2FA forcibly (contact support if no admin can do it)

  8. Document the incident in your internal IR record

For more guidance: support@wevion.ai with subject "Security incident".

What Wevion does for you

You provide the discipline; Wevion provides the controls:

  • Encryption at rest (PostgreSQL TDE)

  • Encryption in transit (TLS 1.2+)

  • Stripe PCI DSS Level 1 for payment data

  • Audit log retention per plan

  • Rate limiting on API + login

  • Session expiry (auth tokens 7 days, configurable)

  • Backup + DR plans tested quarterly

  • SOC 2 (Enterprise contracts)

What Wevion cannot do for you

  • Force you to enable 2FA (we recommend, you decide)

  • Detect compromised passwords (we don't have your password — it's hashed)

  • Stop someone with valid credentials + 2FA from doing something

  • Replace the audit log review you should do

Common questions

  • "How often should I rotate the workspace owner's password?": every 90 days for highest-privilege accounts. Use a password manager to generate strong unique passwords.

  • "Should we require 2FA company-wide or only for admins?": company-wide for high-risk environments (finance, agencies with client data). Admins-only for low-risk in-house teams.

  • "What logs does Wevion give for IR (incident response)?": audit log + login history + active sessions. For deeper forensics (DB-level changes), Enterprise contracts can include custom log access.

  • "Can we run a penetration test on our Wevion workspace?": Enterprise can negotiate pentest provisions. Don't pentest production unannounced — coordinate with your CSM.
