Security Policy
Last updated: July 2026 — how we protect your data and isolate every tenant.
1. Overview
Security is foundational to a platform that lets AI agents act on your business. This page summarizes the technical and organizational measures we use to protect customer data. It is written for customers and prospective customers evaluating AgentCorp and complements the more detailed commitments in our Data Processing Agreement.
2. Encryption
Data is encrypted in transit using TLS 1.2 or higher for all connections between your browser, our platform, and the services we integrate with. Data at rest — including your database records and uploaded files — is encrypted using strong, industry-standard algorithms managed by our infrastructure providers. Secrets and credentials are stored in dedicated secret management rather than in application code.
3. Tenant Isolation
AgentCorp is multi-tenant, and each organization's data is isolated at the database level using row-level security (RLS). Every query is scoped to the requesting organization so that one tenant cannot read or write another tenant's agents, documents, tasks, or knowledge base. Isolation is enforced by the database, not merely by application logic, providing defense in depth.
4. Authentication
User authentication is handled by Clerk, a specialized identity provider. Sessions are backed by short-lived, signed JWTs rather than long-lived credentials, which limits the window of exposure if a token is intercepted. We support modern authentication practices and delegate password storage and credential handling to our identity provider rather than managing them ourselves.
5. Least-Privilege Access
Access to production systems is restricted to personnel who need it, granted on a least-privilege basis, and reviewed periodically. Agents themselves operate under scoped permissions and only the integrations your organization has explicitly connected. Internal access to customer data is limited to what is necessary to resolve a support issue or security incident and is subject to internal controls.
6. Audit Logging
Security-relevant events — authentication, sensitive agent actions, approvals, and administrative changes — are logged. These logs support investigation, accountability, and, where applicable, your own compliance needs. Approval gates for high-impact agent actions create an auditable record of who authorized what.
7. Secure Development
We follow a secure software development lifecycle. Changes are peer-reviewed before release, and we use automated dependency scanning to identify known-vulnerable packages so they can be patched promptly. We aim to keep dependencies current and to remediate high-severity findings on a priority basis.
8. Vulnerability Management
We monitor for vulnerabilities across our dependencies and infrastructure and triage them by severity and exploitability. Critical issues are prioritized for rapid remediation. We welcome external reports of potential vulnerabilities through our responsible disclosure process and treat good-faith researchers as partners in keeping the platform safe.
9. Human Approval for Sensitive Actions
Beyond conventional access controls, AgentCorp adds a product-level safeguard: sensitive agent actions require explicit human approval before they execute. This reduces the blast radius of a compromised account or a mistaken instruction, because consequential actions do not happen without a person in the loop.
10. Infrastructure and Hosting
Our application is hosted on managed cloud infrastructure with data primarily processed in United States (us-east). We rely on established providers for compute, database, and storage, each engaged under agreements that require appropriate security measures. A current list of these sub-processors is published at /legal/subprocessors.
11. Backups and Resilience
We maintain regular backups to protect against data loss and to support recovery. Backups are retained for a limited period and are subject to the same access controls and encryption as primary data. We design for graceful degradation so that a failure in one component does not cascade across the platform.
12. Incident Response
We maintain an incident response process for detecting, containing, investigating, and remediating security incidents. In the event of a personal-data breach affecting your data, we will notify affected customers without undue delay and, where we act as your processor, in line with the timelines in our Data Processing Agreement. Post-incident, we conduct reviews to prevent recurrence.
13. Compliance Roadmap
We build to widely recognized security standards and are pursuing formal attestations as part of our roadmap. We do not currently claim to hold SOC 2 or ISO 27001 certification, and we will only represent such certifications once they are independently completed. We are happy to discuss our current posture and roadmap with enterprise customers under NDA.
14. Reporting a Security Issue
If you discover a potential vulnerability or security concern, please report it through our responsible disclosure process at /legal/responsible-disclosure. We investigate credible reports promptly and coordinate remediation with reporters.
To report a security issue, see our responsible disclosure policy or email security@agentcorp.work.