Security

Agentkit runs AI infrastructure that handles sensitive production data. This page documents how we protect it.

Certifications and Compliance

  • SOC 2 Type II — current report available under NDA, request at security@agentkit.dev

  • GDPR compliant

  • CCPA compliant

  • ISO 27001 — in progress

  • HIPAA-eligible architecture available on Enterprise

Infrastructure

Agentkit runs on AWS and Google Cloud across multiple regions. Production environments are isolated from staging and development. We don't run customer workloads on shared infrastructure with our internal services.

Customer data is segregated by workspace. Workspace IDs are enforced at every layer of the stack, from the API edge to the database.

Encryption

  • In transit. TLS 1.2 or higher for all network traffic. HSTS enforced on web properties.

  • At rest. AES-256 for all persistent storage. Keys rotated on a regular schedule.

  • Secrets. Stored in a hardware-backed secret manager. Application code never sees raw credentials.

Access Control

  • Single sign-on (SSO) with SAML on Enterprise plans

  • Role-based access control inside the dashboard (Owner, Admin, Developer, Viewer)

  • Multi-factor authentication enforced for all employees with production access

  • Production access is logged, reviewed quarterly, and revoked on role change

Employees can only access customer data with a documented support ticket and explicit customer consent, or under a specific legal obligation.

Network Security

  • Production VPCs with strict ingress and egress rules

  • WAF in front of public endpoints

  • Rate limiting and abuse detection at the API edge

  • DDoS protection via cloud provider services

Application Security

  • Static analysis on every pull request

  • Dependency scanning with automated patches

  • Annual penetration test by a third-party firm; report summary available on request

  • Bug bounty program at bounty@agentkit.dev

Vulnerability Management

We monitor CVE feeds for our dependencies and patch critical issues within 24 hours, high within 7 days, and medium within 30 days. Patches go through staging before production.

Incident Response

If we detect a security incident, our on-call team is paged immediately. We follow a documented runbook covering containment, eradication, recovery, and notification.

If customer data is affected, we'll notify impacted customers within 72 hours of confirmation, with details on what happened, what data was involved, and what we're doing about it.

Business Continuity

  • Daily backups with point-in-time recovery

  • Geographic redundancy across regions

  • Documented disaster recovery plan, tested annually

  • RTO: 4 hours. RPO: 1 hour.

Employee Security

  • Background checks for all employees with production access

  • Mandatory security training on hire and annually

  • Hardware-encrypted laptops with mobile device management

  • Onboarding and offboarding checklists with access provisioning and revocation

Customer Data Isolation

We don't use Customer Data to train models. Each workspace is logically isolated, with row-level enforcement on every query. Enterprise customers can opt into single-tenant deployments or bring-your-own-cloud.

Subprocessors

A current list is at agentkit.dev/subprocessors. We notify customers of new subprocessors with 30 days' advance notice, giving you time to object before the change takes effect.

Reporting a Vulnerability

Email security@agentkit.dev with details. PGP key at agentkit.dev/pgp. We commit to:

  • Acknowledging your report within 48 hours

  • Updating you weekly until resolution

  • Recognizing you in our security hall of fame if you wish

  • Not pursuing legal action against good-faith research

Questions

security@agentkit.dev for security questions, vulnerability reports, or to request our latest SOC 2 report or pen test summary.

The framework for building, deploying, and observing production AI agents. Made in Berlin, shipped globally.

© AgentKit Inc.
Berlin — 2026