Security & compliance
How AgenticX protects your data, controls access, and reports our compliance posture.
For HIPAA / HITECH posture, see our canonical answer in the Security FAQ Q34.
Platform security
Encryption at rest & in transit
All data encrypted with AES-256 at rest and TLS 1.3 in transit. Database connections use SSL. S3 storage uses server-side encryption.
Role-based access control
Granular RBAC across owner / admin / member / viewer roles. SSO / SAML support is on the Enterprise plan roadmap. MFA available on every account.
Multi-tenant isolation
Tenant isolation enforced at the database level via Postgres row-level security (RLS). No cross-tenant data access is possible — even on errors.
Audit logging
Every agent run, login, data access, and configuration change is logged with timestamp, user, and IP. Audit logs retained per the per-network policy.
API key management
Scoped API keys with automatic rotation reminders and instant revocation. Keys are hashed at rest and never stored in plaintext.
Infrastructure security
AWS-native deployment with VPC isolation, private subnets for the database tier, and security-group ingress controls. No public database access.
Compliance posture
SOC 2 Type II
In progress: Security, availability, and confidentiality trust-service criteria. Audit completion targeted for Q3 2026.
GDPR
Active: EU data-processing agreements available. Data export and deletion on request. Privacy-by-design architecture.
Data residency
Active: Primary infrastructure in AWS US-East-1 (Virginia). Enterprise customers can request specific regional deployment.
Penetration testing
Active: Regular third-party penetration testing. Responsible-disclosure program for security researchers.
Architecture
- AWS ECS Fargate — serverless containers, no shared host access
- Amazon RDS PostgreSQL — automated backups, encryption, multi-AZ
- AWS Secrets Manager — no credentials in code or environment variables
- Application Load Balancer with WAF rules and DDoS protection
- CloudWatch monitoring with alerting on anomalous access patterns
- Container image scanning via Amazon ECR for known vulnerabilities
Questions? Email security@agenticx.brightridgeai.com.