Best practices for secure configuration of Intric
This article describes how to configure the Intric platform to achieve the highest possible level of security and GDPR compliance. The recommendations focus on settings that administrators manage directly in the system.
1. Configure security classification of models
Security classification is the most important component for protecting your organisation’s information and steering regulatory compliance. It is a powerful tool that lets users with the Owner permission control which types of AI models are used in different Spaces, based on how sensitive the information is.
We often compare a security class to “a room with walls and a ceiling”. As an administrator, you build the walls and ceiling (the rules). Inside the room, your colleagues (Creators) can work with full creative freedom and build assistants, confident that they can never use models or methods outside the predefined security boundaries.
Settings for model governance
- Classify assistants: Mark assistants that handle sensitive data with a higher security level.
- Classify models: Define which models are approved for different types of data (for example, only EU-based models may be used for “High security”).
- Default models: Set a safe default model (for example, Mistral EU) for Spaces that contain personal data, to prevent unintentional transfer of data to global models.
For more information on how to configure these boundaries, see our support article on security classification.
2. Structure Spaces and Collections
In Intric, Spaces are the primary boundary for permissions and data separation. Because processes, team structures, and ways of working differ between organisations, there is no one-size-fits-all for how they should be organised—but a thoughtful structure creates clarity and makes collaboration easier.
Strategies for structuring Spaces
Here are three established strategies that can be used on their own or combined as needed:
- Team- and department-based structure: Each Space corresponds to a specific department or unit (for example, social services). It suits bounded workgroups where members receive roles based on their daily tasks.
- Project- or initiative-based structure: Each Space corresponds to a specific project. This allows team members from different departments to collaborate on an initiative without needing access to the entire organisation’s data.
- Function-based structure: Spaces are created based on functional needs—for example, a shared knowledge base for policies. This suits situations where several workgroups need access to the same knowledge source but have different roles otherwise.
Design for data security
- Private Spaces: Use for sensitive information (HR, management, legal). Documents in a private Space are invisible to everyone except those explicitly invited.
- Separation by sensitivity: Create separate Spaces for data with different protection needs rather than following the org chart strictly. This enables specific disposal rules for sensitive data.
Read more in our article below.
3. Apply permission control (RBAC)
Intric’s role-based access control (RBAC) should be configured according to the principle of least privilege.
Managing roles in the platform
- User (default): Should be assigned to the majority of people. Can only search and chat with available data.
- Creator: For users who need to build their own assistants or upload documents in specific Spaces.
- Owner: Limit to 2–5 system administrators. Has full control over settings and user management.
Group synchronisation
Connect Intric Spaces to your existing groups (for example via Azure AD / Entra ID). By managing membership through groups instead of individual users, you reduce the risk of leftover permissions when staff change.
4. Implement automated deletion (retention)
Under Settings > Data Retention in the admin panel, as well as in the settings for each Assistant, you control how long data is kept in the platform.
Configuring retention policies
- Automatic deletion of conversations: You can set conversation data to be deleted automatically after a defined period (for example 7, 30, 365 days, or a custom number of days). This reduces the risk of unnecessary data exposure and supports GDPR compliance. When deletion runs, messages, metadata, and linked files are removed permanently.
- Managing documents: Use integrations (for example SharePoint) where possible to avoid data duplication and ensure the source system’s disposal rules are followed automatically. If documents are uploaded manually, there should be established routines for ongoing disposal so information is removed when the purpose has been fulfilled.
For detailed instructions on how to configure these policies, see our support article on data retention.
5. Audit log
For organisations that handle sensitive information, traceability and control are essential. Intric’s audit log gives administrators a full history of events in the platform to support requirements under the GDPR and the EU AI Act.
For a detailed, up-to-date overview of exactly which events are logged (such as management of assistants, files, users, and security settings), please see our support article on audit logs.
Why is the audit log important?
The purpose of logging is to create a transparent environment where every administrative action and important user interaction leaves a trace. This is critical for several reasons:
- Regulatory compliance: Helps ensure the organisation meets legal requirements for traceability and documentation.
- Security reviews: Enables thorough analysis and incident investigation when security events are suspected.
- Insight and control: Gives administrators tools to verify that the organisation’s guidelines for AI use are followed.
- Troubleshooting: Makes it easier to identify misconfiguration by showing who made changes and when.
Need to export logs for an external audit? Contact your local administrator or Intric Support for help with data export.
Centralised resource management via Resources
The Resources tab in the administrator view gives a centralised overview of all assistants and Spaces on the platform, and lets you follow up who created which Spaces and which security classifications they have. This gives you, as an administrator, a simple tool to work with user compliance and to ensure no information falls outside central control.
1. Assistants overview
In the overview, administrators can see all assistants regardless of creator or visibility settings. This helps you track which models are used and ensure correct security classification. For each assistant, the following is shown:
- Name and Creator (who created or manages the assistant)
- Model (for example GPT-4, Claude)
- Security classification
2. Spaces overview
The Spaces section provides full insight into your organisation’s collaboration areas and their membership. Here administrators can monitor:
- Name and Security classification
- Members (who has access to the Space)
By reviewing the Resources tab regularly, you can monitor access controls and identify collaboration patterns in the organisation. For more information on how to manage resources, see our support article on Resources.
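The periodic Resources review can be written down as a repeatable check. The script below is an added example, not Intric code: it checks an assistant inventory against a model-per-classification policy and checks the Owner count against the 2–5 guideline from section 3. The inventory layout, the field names, and the "Standard" class are assumptions for illustration, and the sample rows are constructed.

```python
# Added example: the inventory layout and field names are assumptions for
# illustration, not an Intric export format; all sample rows are constructed.

# Hypothetical policy: models approved per security class.
APPROVED_MODELS = {
    "High security": {"Mistral EU"},
    "Standard": {"Mistral EU", "GPT-4", "Claude"},
}
OWNER_RANGE = (2, 5)  # the article recommends 2-5 Owners

def review_assistants(assistants):
    """Return (assistant name, problem) pairs for rows that break the policy."""
    findings = []
    for a in assistants:
        cls, model = a.get("classification"), a.get("model")
        if not cls:
            findings.append((a["name"], "no security classification"))
        elif cls not in APPROVED_MODELS:
            findings.append((a["name"], f"unknown classification '{cls}'"))
        elif model not in APPROVED_MODELS[cls]:
            findings.append((a["name"], f"{model} not approved for {cls}"))
    return findings

def review_owners(roles):
    """Return a finding string if the Owner count is outside OWNER_RANGE, else None."""
    owners = sorted(user for user, role in roles.items() if role == "Owner")
    low, high = OWNER_RANGE
    if low <= len(owners) <= high:
        return None
    return f"{len(owners)} Owners ({', '.join(owners)}); expected {low}-{high}"

# Constructed sample data, as it might be transcribed from the Resources tab.
SAMPLE_ASSISTANTS = [
    {"name": "HR helper", "creator": "anna", "model": "GPT-4", "classification": "High security"},
    {"name": "Policy search", "creator": "bo", "model": "Mistral EU", "classification": "High security"},
    {"name": "Draft writer", "creator": "cia", "model": "Claude", "classification": None},
]
SAMPLE_ROLES = {"anna": "Owner", "bo": "Creator", "cia": "User"}

if __name__ == "__main__":
    for name, problem in review_assistants(SAMPLE_ASSISTANTS):
        print(f"{name}: {problem}")
    print(review_owners(SAMPLE_ROLES) or "Owner count within range")
```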