Security
Last updated: June 1, 2026
Security is foundational to AgentAGI. We implement industry-standard practices to protect your data, infrastructure, and AI operations. This page outlines our security posture, controls, and practices.
Infrastructure Security
Cloud Infrastructure
Our entire infrastructure runs on Amazon Web Services (AWS), a SOC 1/2/3-compliant cloud provider. We leverage AWS's physical security controls, including 24/7 monitoring, multi-factor access controls, and redundant power and network connectivity across multiple availability zones.
Network Security
- All services run in private subnets within a Virtual Private Cloud (VPC) with strict security group rules.
- Inbound traffic is limited to necessary ports and IP ranges through load balancers and API gateways.
- Network Access Control Lists (NACLs) provide an additional layer of subnet-level security.
- Web Application Firewall (WAF) protects against common web exploits and DDoS attacks.
- Intrusion detection and prevention systems monitor for suspicious activity.
Data Center Security
AWS data centers feature layered physical security controls, including biometric authentication, 24/7 video surveillance, and strict access logging. No AgentAGI staff have physical access to AWS data centers.
Data Encryption
Encryption at Rest
- All customer data is encrypted at rest using AES-256 encryption.
- Database volumes, backups, and storage buckets are encrypted with AWS Key Management Service (KMS) managed keys.
- Encryption keys are rotated automatically according to AWS best practices.
Encryption in Transit
- All communications with our API and web interface use TLS 1.2 or TLS 1.3.
- Inter-service communication within our infrastructure uses mutual TLS (mTLS) where supported.
- API endpoints enforce HTTPS with HSTS headers.
- We maintain an A+ SSL/TLS rating on all public endpoints.
Access Control
Employee Access
- Access to production systems is granted on a least-privilege basis and requires multi-factor authentication.
- All access is logged, monitored, and regularly audited.
- Employee access is reviewed quarterly and revoked immediately upon role change or departure.
- We use single sign-on (SSO) with hardware-backed MFA for all internal systems.
Customer Access
- Account access is protected by email-password authentication with bcrypt password hashing.
- Session tokens are cryptographically signed and have configurable expiration.
- API access is controlled through scoped API keys with granular permissions.
- Role-based access control (RBAC) allows you to manage team member permissions.
Application Security
Secure Development Lifecycle
- All code changes are reviewed through mandatory peer code reviews.
- Automated security scanning is integrated into our CI/CD pipeline, including dependency scanning, SAST (Static Application Security Testing), and container image scanning.
- We conduct regular penetration testing by independent third-party security firms.
- A vulnerability disclosure program welcomes responsible security research.
Authentication & Authorization
- Passwords are hashed using bcrypt with a cost factor of 12 or higher.
- JSON Web Tokens (JWT) are used for session management with automatic expiration and refresh.
- Granular permission controls determine what agents and users can access and modify.
- All authentication attempts are logged and rate-limited to prevent brute-force attacks.
AI Agent Security
- Agent prompts and configurations are validated against injection patterns.
- Agents operate within defined budget and permission boundaries that cannot be self-modified.
- Agent actions are logged with full traceability, including tool calls, API requests, and decision reasoning.
- Governance workflows require human approval for high-risk actions such as agent hiring and budget changes.
LLM Provider Security
When you connect third-party LLM providers (e.g., Anthropic, OpenAI), data sent for inference is governed by their security practices. We recommend reviewing their security documentation:
- Anthropic: Enterprise-grade security with SOC 2 certification, data encryption, and no training on API data.
- OpenAI: SOC 2 compliant, data encryption at rest and in transit, API data not used for training.
- Other providers: Security posture varies — check individual provider documentation.
We never send your data to unauthorized LLM providers. You control which providers your agents use.
Compliance & Certifications
- SOC 2 Type II: We maintain SOC 2 Type II certification for security, availability, and confidentiality. Reports are available under NDA.
- GDPR: We comply with the General Data Protection Regulation for users in the European Economic Area. See our Privacy Policy for details.
- CCPA: We comply with the California Consumer Privacy Act for California residents.
- Data Processing Agreement (DPA): Available upon request for enterprise customers.
Incident Response
We have a documented incident response plan that includes:
- Detection: Automated monitoring, alerting, and log analysis to identify potential incidents.
- Containment: Immediate isolation of affected systems to prevent further impact.
- Investigation: Root cause analysis by our security team.
- Remediation: Implementation of fixes and preventive measures.
- Notification: Affected customers are notified within 72 hours of confirmed security incidents involving their data.
Data Backup & Disaster Recovery
- Database backups are performed automatically and encrypted before storage.
- Backups are replicated across multiple AWS availability zones.
- We maintain a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour for critical systems.
- Disaster recovery drills are conducted quarterly.
Vulnerability Disclosure
We welcome responsible security research. If you discover a security vulnerability, please report it privately to security@agentagi.dev. We commit to:
- Acknowledging receipt within 24 hours.
- Providing an initial assessment within 72 hours.
- Working diligently to remediate validated vulnerabilities.
- Not pursuing legal action against researchers who follow responsible disclosure practices.
Contact Our Security Team
For security-related inquiries, vulnerability reports, or to request our SOC 2 report, contact us at security@agentagi.dev. For critical security incidents, use our PGP-encrypted channel — our public key fingerprint is available upon request.