Security

Safe agent access for churn feedback

The goal is to give agents enough churn context to suggest better product work without turning them into unreviewed operators over customer data, Stripe, or production systems.

Read-only by default

Agent Access is for insight and planning. Agents should not mutate Stripe, email customers, or change your product through ChurnWin v1 tools.

Hashed API keys

Agent keys should be shown once, stored hashed, revocable, and scoped to the products/accounts the agent is allowed to inspect.

Redacted public examples

Public docs and prompts use synthetic examples. Tenant data stays behind auth and should be minimized before it enters an agent context.

Human-reviewed actions

Let agents propose product fixes and issues. Keep customer communication, billing changes, and production deploys behind explicit human review.

Recommended agent policy

You may read ChurnWin churn themes and feedback.
You may draft product issues and retention experiments.
You may not email customers, change Stripe, modify billing, or deploy production without explicit approval.
Redact personal data before quoting feedback in tickets.

Data boundaries

Prefer aggregated themes and MRR ranges over raw customer-level rows.
Use account scopes when a team connects multiple Stripe products.
Keep API keys out of prompts, issue bodies, screenshots, and logs.
Revoke keys that are pasted into chat tools, tickets, or CI output.
Quote feedback in tickets only after removing emails, names, IDs, and secrets.

Build the loop safely

Start with read-only MCP/API access, then let agents draft human-reviewed product work.

View examples