Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.vortexiq.ai/llms.txt

Use this file to discover all available pages before exploring further.

The workspace admin surface is where the person responsible for your Vortex IQ AI OS workspace looks after the people, the roles they hold, the records of what they did, and the security posture of the whole tenant. Most controls live inside Settings → Account. A smaller set — the audit log, SSO configuration, ownership transfer — live in adjacent surfaces or require a support request for the most sensitive changes.
Only users with the Admin role can access the admin panel, invite or remove teammates, change roles, view the full audit log, connect or disconnect data sources, manage subscriptions, or configure SSO. The Member role covers day-to-day operational access but not workspace configuration. If you do not see these controls, ask an Admin to adjust your role.

Admin panel overview

The admin surface is not a separate screen — it is the Account tab in Settings, visible to every user but with admin-only sections shown only to Admins.
TaskWhere it lives
Invite a team member, assign role, remove accessSettings → Account → Team Members
Review your own profile and timezoneSettings → Account → Your Profile
Inspect organisation name and typeSettings → Account → Organisation
Audit log of every workspace changeSettings → Account → Activity (admin-only view)
Configure Google SSOSettings → Account → Sign-in methods
Transfer ownershipTransfer ownership link at the bottom of Settings → Account (support-assisted)
Apply security best practiceAcross Account, Connected Sources, and your IT policies

Inviting users

1

Open Team Members

Sign in, click Settings in the left sidebar, stay on the Account tab, and scroll to the Team Members section.
2

Fill in the invite row

At the top of the Team Members panel you see three fields: Name (optional — the invitee can fill this in when they accept), Email address, and Role. Member is the safe default; pick Admin only if this person needs to manage other team members, billing, or workspace settings.
3

Click Invite

The invitee receives an email titled You have been invited to a Vortex IQ workspace. The email includes the workspace name, the role assigned, a Join workspace button carrying a magic-link token, and a note that the link expires after 24 hours.
4

Confirm the invitation was accepted

The new row appears in the table immediately with status Invited. The status flips to Active once the invitee clicks the link and signs in.
The members table shows every user in the workspace with their name, email, role, status, join date, and a set of action icons. Status has three values: Active (signed in at least once and currently allowed), Invited (invitation sent but not yet accepted), Suspended (access revoked without deleting the account). Resending an expired invitation: click the Copy invite icon on the row to fetch a fresh link and paste it to the invitee over Slack or any other channel. Alternatively, click the edit pencil and choose Resend invitation email to re-send the magic link to the original email address. Suspending a user without removing them: click the edit pencil, toggle Account active to off, and save. The status flips to Suspended. The user cannot sign in, but their audit-log history and any agents or reports they configured remain intact. Re-enable the toggle to restore access. Removing a user: click the Remove (trash) icon, confirm in the modal. The user’s session is invalidated immediately and their row disappears from the table. Their authored agents, monitors, profiles, and reports remain in the workspace. Audit-log entries attributed to them are preserved. If you remove someone in error, invite them again with the same email — their old artefacts are still linked to that address.
You cannot remove the last admin in a workspace. If you are the only Admin, promote another teammate to Admin first. The original master account that created the workspace can only be reassigned via the transfer-ownership flow, not removed through the Team Members table.

Roles and permissions

Every member of your workspace holds exactly one role at a time, assigned when invited and changeable at any time from the Team Members table.

Built-in roles

RolePurposeTypical user
AdminFull access including configuration, billing, and team managementWorkspace owner, head of ecommerce, agency principal, IT lead
MemberDay-to-day operational access — no configuration or billing rightsAnalysts, paid-media operators, merchandisers, customer-service leads

What each role can do

CapabilityAdminMember
Invite, suspend, remove team membersYesNo
Change rolesYesNo
View organisation detailsYesYes
Update organisation detailsYesNo
View and change billing / subscriptionYesNo
Connect or disconnect data sourcesYesNo (view only)
Create and edit ProfilesYesNo (view and use only)
Configure brand voice and AI guardrailsYesNo
Activate, configure, stop AI agentsYesNo (view only)
Approve or decline agent recommendationsYesNo
Use Ask ViqYesYes
View Nerve Centre dashboardsYesYes
Generate and export Vortex Mind reportsYesView only
Use Vortex AppsYesYes (view and use)
View audit logYesNo
Configure SSOYesNo

Custom roles

If your team needs an access tier between Admin and Member, an Admin can define a custom role with a precise permission set. Custom roles are built from the same module.action permission catalogue that drives the built-ins. Common patterns:
For stakeholders, board members, or external auditors who need to see what is happening but must not change anything.Permissions granted: nerve_centre.view, vortex_mind.view, vortex_mind.export, ask_viq.use, agents.view, audit_log.view
For senior analysts who run the day-to-day operations of the AI OS but must not manage the team, billing, or organisation-wide settings.Permissions granted: all Member permissions plus agents.activate, agents.deactivate, agent_approval.approve, agent_approval.decline, monitors.create, monitors.update, monitors.silencePermissions excluded: team.*, billing.*, roles.*, organization.update, brand_ai.*
For an integrations specialist who lives on the Sources tab.Permissions granted: all Member permissions plus connector_manager.create, connector_manager.update, connector_manager.delete, audit_log.viewPermissions excluded: team.*, billing.*, agents.activate, roles.*
For the finance team who need to view and pay invoices but must never see analytics data.Permissions granted: organization.view, billing.view, billing.update, audit_log.view (filtered to billing actions)Permissions excluded: everything else
To create a custom role: sign in as Admin, open Settings → Account, find the Roles section (visible to Admins only), click Create role, name it, tick the permissions from the catalogue (grouped by module), and click Save. The role becomes available immediately when inviting or editing a member. Every role change — including the initial invitation — is recorded in the audit log with the actor’s identity, the previous role, the new role, and a precise timestamp.

Audit log

The audit log is the searchable, tamper-evident record of every meaningful action taken in your workspace. It lives at Settings → Account → Activity (Admins only). Rows are listed newest first with filters across the top and an Export CSV button on the right.

What is recorded

CategoryExamples
Team and accessMember invited, invite accepted, role changed, member suspended, member removed
ConfigurationOrganisation name updated, brand voice profile created or edited, guardrail term added or removed
Connected sourcesConnector connected, connector edited, connector disconnected, OAuth token refreshed
AgentsAgent activated, agent deactivated, agent configuration changed
Agent approvalsRecommendation approved, recommendation declined, approval timed out
Billing and subscriptionPlan upgraded or downgraded, payment method changed
Single sign-onSSO enabled, domain restriction applied, SSO disabled
The audit log is always-on with no off switch and no per-event opt-out. No user — including Admins — can edit or delete a log entry.

Reading a log row

Each row shows: Date / Time (in your workspace timezone), Actor (the team member who initiated the action), Action (verb — Invite, Update, Delete, Activate, Approve, etc.), Resource type, Resource (specific item by name), Description (human-readable summary, including previous and new values for configuration changes), and Tags (contextual labels). Click any row to expand the full detail panel with the complete diff.

Filtering and exporting

Filter the log by Action, Resource type, Tags, Actor, date range, or resource name. Filters are additive. Any filter combination can be saved and named for re-use. Click Export CSV to download the currently filtered rows — each row carries a stable event_id you can cite in incident reports or compliance evidence.

Common audit-log workflows

“Who removed this connector?” — filter by Resource type = Connector and Action = Delete, set the date range. “Quarterly access review” — filter by Resource type = Member and Action = Update or Delete, set the date range to the quarter, export the CSV. “Who changed the brand voice last week?” — filter by Tags = Brand & AI and set the date range to the past week. Each row shows previous and new values in the description.

SSO configuration

Single sign-on lets your team sign in to Vortex IQ using the identity provider you already use at work, without managing a separate password.
1

Confirm Google SSO is on

Sign in as Admin, open Settings → Account, scroll to Sign-in methods, and confirm the Google SSO toggle is enabled. If your team signed up via Continue with Google, SSO is on by default.
2

Apply domain restriction

Domain restriction is the single highest-impact SSO control. With it on, only people whose Google identity matches an approved domain can sign in.
  1. Click Edit on the Google SSO row in Sign-in methods.
  2. Add one or more Allowed domains (use the apex domain — yourbrand.com — not subdomains).
  3. Save.
From this point, Vortex IQ rejects any sign-in attempt where the email domain is not on the allow list.
3

Optionally disable email and password sign-in

If your security policy requires every teammate to sign in via SSO only, toggle Allow email and password to off in Sign-in methods. After this change, new invites can only be accepted via Google, and existing members who used email and password are prompted to bind their Google identity on their next session.
For agencies, domain restriction needs more thought: client contacts may be on different domains. Configure the allow list with both the agency domain and each client domain as needed. For contractors on Gmail addresses, either issue them a Workspace identity on your domain or add gmail.com to the allow list.
Enterprise SSO (SAML / OIDC): larger organisations can set up a direct SAML or OIDC connection with Okta, Azure AD, OneLogin, Auth0, or another provider. Contact Vortex IQ support to start the setup. Enterprise SSO supports just-in-time (JIT) user provisioning — the first time a teammate signs in via the IdP, their Vortex IQ account is created automatically with a default role you specify. Every SSO-related event is captured in the audit log: SSO toggled on or off, domain allow list updated, email and password sign-in toggled, enterprise SSO connection added or removed. Offboarding with SSO: when a teammate leaves, disable their identity in Google Workspace (or your IdP) first, then remove them from the Vortex IQ workspace from Settings → Account → Team Members. Do both — disabling the IdP identity stops new sign-ins but does not immediately invalidate an active Vortex IQ session.

Transfer ownership

Every workspace has one master account — the Admin who created the workspace at signup. This account is the legal and billing owner of record.
1

Prerequisites

Before initiating a transfer, confirm:
  • The new owner is already an active Admin in the workspace. Promote them first if not.
  • The new owner’s email is verified and current — billing receipts and security alerts will be attributed to that email.
  • You have read the audit log to know the current state of the workspace.
  • Your finance team has been notified if billing-payment details will change.
2

Initiate the transfer

Sign in as the current owner, open Settings → Account, scroll to the bottom, and click Transfer ownership. The transfer wizard asks you to pick the new owner from the list of current Admins, confirm their email, and acknowledge that the action is permanent and not reversible from the UI.
3

New owner accepts

Click Send transfer request. The new owner receives an email titled You have been nominated as the new owner of [workspace name]. They click Accept ownership, sign in if not already signed in, and complete the acceptance. Vortex IQ support is copied for higher-tier plans and may ask both parties to confirm by email.
4

Confirm in the audit log

Once accepted, the audit log records the change and both parties receive a confirmation email. If the new owner does not accept within 14 days, the request expires and you start over.
After transfer, the master account designation and billing primary contact move to the new owner’s email. Everything inside the workspace — agents, monitors, dashboards, profiles, brand voice, audit log, integrations — continues to work without interruption. The outgoing owner remains in the workspace as Admin until you also remove or demote them. If the outgoing owner has already left and cannot initiate the transfer, open a support ticket from a current Admin’s account. Vortex IQ support can verify ownership through documentation and complete the transfer after identity checks.

Security settings

Walk this checklist when you set up the workspace, then revisit it quarterly.
  • Google SSO is enabled for the workspace
  • Domain restriction is on with an allow list that matches your organisation
  • Email and password sign-in is disabled if your team is fully on Google Workspace
  • 2-step verification is enforced at the Google Workspace or upstream IdP level
  • Hardware security keys or passkeys are encouraged for Admins
  • If you use enterprise SSO (SAML or OIDC), it is connected and tested
  • Roles are assigned by responsibility, not seniority — Admin only for those who actually administer the workspace
  • At least two Admins for continuity if one is unavailable
  • Members hold the lowest role compatible with their job; custom roles fill gaps the built-ins do not cover
  • You review the team list on a known cadence (quarterly is reasonable)
  • Departing teammates are removed from the workspace within 24 hours of leaving the organisation
  • You have opened the audit log at least once and know how to filter it
  • You review configuration-change activity (Tags = Settings) monthly
  • You export the audit log to CSV at least once per quarter for your security or compliance lead
  • You forward the audit log into your SIEM, if you have one, alongside your IdP sign-in logs
  • Every connected source is owned by a known, active person
  • OAuth-issued connections are reviewed when the issuer’s role changes or they leave
  • API keys and credentials for credential-based connectors are rotated quarterly
  • Brand Voice Profiles reflect your written brand standards; reviewed every six months or after a brand refresh
  • Global AI Guardrails reflect your zero-tolerance vocabulary
  • Human-in-the-loop approval is on for every write-level agent action (platform-enforced and cannot be disabled)
  • Agent activations are visible in the audit log; review the activation list quarterly
  • The billing email is reachable by more than one person on your team (a finance shared inbox is a good choice)
  • The payment method is in date
  • You know which Admin is the master account and have a transfer-ownership plan for when they leave
Platform-enforced security: Vortex IQ ships encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256 or stronger), logical tenant isolation (no agent or API call can read data from a workspace it does not belong to), read-only connectors by default, and a tamper-evident audit log. These are not configuration choices — they apply to every workspace automatically. For the full security and trust posture — including SOC 2 and ISO 27001 status, sub-processor list, and incident-response commitments — see the Trust Centre at vortexiq.ai/trust.