Security best practices for your team

10-point security checklist for owners and admins: 2FA everywhere, rotate API keys, least privilege, audit log reviews, offboarding rigor.

Written By Salvatore Sinigaglia

Last updated About 5 hours ago

A 10-point checklist for owners and admins. Each item is small on its own; together they reduce account-takeover risk, limit blast radius of mistakes, and keep your audit story clean. Reviewed quarterly, this is your security baseline.

Who is this for

Workspace owners, admins, and anyone responsible for IT or security oversight at a Wevion-using team. If you're a one-person shop, focus on items 1, 2, 7; the rest matter as you grow.

The 10-point checklist

1. Enable 2FA for every admin+ role

Why: a stolen password should never be enough to access billing or sensitive controls.

How: at minimum, owner, admin, and super_admin roles should have 2FA enabled. See team-111. Make it a written policy and verify in the audit log (filter by 2fa.enable).

For enterprise plans, you can centralize authentication and 2FA through your identity provider via SSO (SAML / OIDC), available on request as a dedicated configuration with Sales.

2. Rotate API keys every 90 days

Why: long-lived keys are a single point of failure. Rotation limits compromise blast radius.

How: set a calendar reminder. For each key:

  1. Create a replacement key with the same role and integration
  2. Deploy it to your services
  3. Confirm it works (check last_used in the audit log)
  4. Revoke the old key

See team-112 for full rotation procedure.

3. Use least-privilege roles

Why: a viewer can't accidentally pause a campaign; a mediabuyer can't drop the subscription.

How: start new members at viewer or the minimum role for their job. Promote only when an action they need is blocked. Review role assignments monthly via the audit log.

Avoid the "everyone is admin" anti-pattern — it makes every account a potential breach vector.

4. Review the audit log monthly

Why: detection requires looking. Many breaches go unnoticed for weeks.

How: spend 30 minutes a month scanning the audit log, filtered by:

  • member.role-change (unexpected promotions?)
  • admin.impersonate.start (anyone impersonating without business reason?)
  • member.remove / member.status-change (unexpected offboarding?)
  • team.transfer-ownership (unexpected ownership changes?)

Export annually for compliance trail. See team-113.

5. Remove inactive members within 90 days

Why: dormant accounts are attack surface. They accumulate compromise risk and waste seats.

How: filter the People page by Last login > 90 days ago. For each match:

  • Check with their manager — still needed?
  • If no: remove from workspace (team-107)
  • If unclear: deactivate temporarily

6. Don't share login credentials — invite them

Why: shared logins break audit (everyone shows as one user), block 2FA, and make offboarding impossible.

How: every person gets their own invite (free, just consumes a seat). If you're hitting seat limits, buy extra slots — cheaper than a security incident.

7. Centralize offboarding

Why: when an employee leaves, you must promptly remove their access from every SaaS — Wevion included.

How: remove the member from Settings → Team → People as part of offboarding. Enterprise plans can centralize deprovisioning through their identity provider via SSO/SCIM, available on request as a dedicated configuration with Sales.

8. Monitor active sessions and revoke unknown ones

Why: if a session appears from a country you've never visited, that's a signal.

How: each user can review their sessions at Settings → Personal → Security → Active sessions and revoke unfamiliar ones. Admins can do the same per user from the People page detail drawer.

If you see a session you don't recognize, also:

  1. Immediately change your password
  2. Disable + re-enable 2FA (regenerates backup codes)
  3. Review audit log for unauthorized actions during the suspected session
  4. Notify your team

9. Set strong Workspace Defaults

Why: misconfigured defaults (wrong timezone, wrong currency, wrong language) cause confusion that masks security signals. It's hard to spot "something unusual" if everyone sees different times.

How: set Workspace Defaults once during onboarding. Review when team composition changes.

10. Two-person review for sensitive operations

Why: ownership transfers, account deletion, billing changes can be exploited if a single account is compromised.

How: Wevion doesn't enforce this technically. Make it a team policy:

  • Major plan changes require manager + finance sign-off
  • Ownership transfer announced in team chat before initiation
  • Account deletion requests reviewed by two admins

For Enterprise: ask your CSM about approval workflows in the roadmap.

Quarterly review template

Run this every 90 days (or monthly for higher-risk teams):

Check | Tool | Pass if
----- | ---- | -------
All admins+ have 2FA | Audit log, filter 2fa.enable per user | Every admin+ user has an enable entry
API keys rotated | API Keys page, sort by created date | No key older than 90 days
Inactive members offboarded | People page (Active tab, include inactive) | Reviewed / justified
Audit log shows no surprises | Audit log monthly scan | All entries explainable
Pending invites resolved | Settings → Team → Invites | No pending invite older than 7 days
Stripe payment method current | Settings → Team → Billing | No expired card warning
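As an added example (not Wevion's own tooling), the following script runs the monthly audit-log scan from item 4 and the 2FA, key-age and inactive-member checks from the template above over a constructed export. The JSON-lines schema (event, actor, target, ts fields), the member and API-key record shapes, and every sample account are assumptions for illustration.

```python
# Added example (not Wevion tooling): triage an audit-log export plus member and API-key
# listings against checklist items 1, 2, 4 and 5. Schema and all sample data are assumed.
import json
from datetime import datetime, timedelta, timezone
# Item 4: event names to filter for, paired with the question the checklist asks.
WATCHLIST = {
    "member.role-change": "unexpected promotion?",
    "admin.impersonate.start": "impersonating without business reason?",
    "member.remove": "unexpected offboarding?",
    "member.status-change": "unexpected offboarding?",
    "team.transfer-ownership": "unexpected ownership change?",
}
ADMIN_PLUS = {"owner", "admin", "super_admin"}  # roles that must have 2FA (item 1)

def parse_export(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_watchlist(events):
    """Each watch-listed entry with the question a reviewer should answer for it."""
    return [(e, WATCHLIST[e["event"]]) for e in events if e["event"] in WATCHLIST]

def admins_missing_2fa(members, events):
    """Admin+ members for whom the export holds no 2fa.enable entry."""
    enabled = {e["actor"] for e in events if e["event"] == "2fa.enable"}
    return sorted(m["email"] for m in members if m["role"] in ADMIN_PLUS and m["email"] not in enabled)

def older_than(records, field, key, days, now):
    """Records whose `field` timestamp is more than `days` old (keys: created, members: last_login)."""
    cutoff = now - timedelta(days=days)
    return sorted(r[key] for r in records if datetime.fromisoformat(r[field]) < cutoff)

def quarterly_review(export, members, keys, now):
    events = parse_export(export)
    return {"watchlist": flag_watchlist(events),
            "admins_missing_2fa": admins_missing_2fa(members, events),
            "keys_to_rotate": older_than(keys, "created", "id", 90, now),
            "inactive_members": older_than(members, "last_login", "email", 90, now)}

# Constructed sample data with fictitious accounts.
SAMPLE_EXPORT = """\
{"event": "2fa.enable", "actor": "owner@example.com", "ts": "2024-05-02T09:14:00+00:00"}
{"event": "member.role-change", "actor": "admin@example.com", "target": "buyer@example.com", "ts": "2024-05-03T10:00:00+00:00"}
{"event": "admin.impersonate.start", "actor": "admin@example.com", "target": "buyer@example.com", "ts": "2024-05-04T22:41:00+00:00"}
"""
SAMPLE_MEMBERS = [{"email": "owner@example.com", "role": "owner", "last_login": "2024-05-29T08:00:00+00:00"},
                  {"email": "admin@example.com", "role": "admin", "last_login": "2024-05-30T08:00:00+00:00"},
                  {"email": "buyer@example.com", "role": "mediabuyer", "last_login": "2024-01-15T08:00:00+00:00"}]
SAMPLE_KEYS = [{"id": "key-ci", "created": "2024-01-10T00:00:00+00:00"},
               {"id": "key-reporting", "created": "2024-04-20T00:00:00+00:00"}]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # review date for the sample run
```

Calling `quarterly_review(SAMPLE_EXPORT, SAMPLE_MEMBERS, SAMPLE_KEYS, NOW)` flags the role change and the impersonation, reports admin@example.com as lacking a 2fa.enable entry, and lists key-ci and buyer@example.com as over the 90-day thresholds.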

Incident response basics

If you suspect a compromise:

  1. Disable the suspected user account immediately (team-107)
  2. Revoke all their API keys (Remove flow has the checkbox)
  3. Revoke all their active sessions (People page detail drawer)
  4. Review the audit log for that user's last 30 days
  5. Notify affected workspaces' owners + super_admin
  6. Reset their password forcibly (admin can trigger password reset email)
  7. Reset their 2FA forcibly (contact support if no admin can do it)
  8. Document the incident in your internal IR record

For more guidance: support@wevion.ai with subject "Security incident".

What Wevion does for you

You provide the discipline; Wevion provides the controls:

  • ✅ Encryption at rest (PostgreSQL TDE)
  • ✅ Encryption in transit (TLS 1.2+)
  • ✅ Stripe PCI DSS Level 1 for payment data
  • ✅ Audit log retention per plan
  • ✅ Rate limiting on API + login
  • ✅ Session expiry (auth tokens 7 days, configurable)
  • ✅ Backup + DR plans tested quarterly
  • ✅ SOC 2 (Enterprise contracts)

What Wevion cannot do for you

  • Force you to enable 2FA (we recommend, you decide)
  • Detect compromised passwords (we don't have your password — it's hashed)
  • Stop someone with valid credentials + 2FA from doing something
  • Replace the audit log review you should do

Common questions

  • "How often should I rotate the workspace owner's password?": every 90 days for highest-privilege accounts. Use a password manager to generate strong unique passwords.
  • "Should we require 2FA company-wide or only for admins?": company-wide for high-risk environments (finance, agencies with client data). Admins-only for low-risk in-house teams.
  • "What logs does Wevion give for IR (incident response)?": audit log + login history + active sessions. For deeper forensics (DB-level changes), Enterprise contracts can include custom log access.
  • "Can we run a penetration test on our Wevion workspace?": Enterprise can negotiate pentest provisions. Don't pentest production unannounced — coordinate with your CSM.

FAQ

How often should I rotate my Wevion API keys?

Rotate API keys every 90 days. Long-lived keys are a single point of failure, so Wevion's security checklist recommends creating a replacement key with the same role and integration, deploying it, confirming it works via the audit log's last_used, then revoking the old one. Set a calendar reminder to stay on schedule.

Which roles should have two-factor authentication enabled?

At minimum, enable 2FA for owner, admin, and super_admin roles in Wevion. A stolen password should never be enough to reach billing or sensitive controls. Make it a written policy and verify adoption in the audit log by filtering for 2fa.enable. On enterprise plans you can also enforce 2FA through your identity provider via SSO, available on request as a dedicated configuration with Sales.

What security controls does Wevion provide out of the box?

Wevion provides encryption at rest (PostgreSQL TDE), encryption in transit (TLS 1.2+), Stripe PCI DSS Level 1 for payment data, audit log retention per plan, rate limiting on API and login, session expiry, tested backup and DR plans, and SOC 2 for Enterprise contracts. You provide the discipline; Wevion provides the controls.

What should I do if I suspect an account is compromised?

Immediately disable the suspected user account, revoke all their API keys and active sessions, then review their last 30 days in the audit log. Wevion's incident-response steps also include notifying affected workspace owners, forcibly resetting the user's password and 2FA, and documenting the incident. For guidance, email support@wevion.ai with subject "Security incident".