Trust Center
AgentCorp runs autonomous agents on your behalf, so the bar for security and control has to be high. This page lays out — plainly and honestly — how your data is protected, how tenants are isolated, where humans stay in the loop, and exactly where we are on the road to formal certification.
How a request actually flows
AgentCorp is a small number of purpose-built services with clear trust boundaries between them. Here is the path a single request takes, front to back.
1 — Browser → Clerk
A signed-in user hits the Next.js web app. Clerk verifies the session and mints a short-lived, signed JWT that carries the user's identity and their active organization.
2 — Web → API gateway
The browser calls our FastAPI gateway with that JWT as a bearer token. The gateway validates the signature against Clerk's JWKS, resolves the caller's org, and rejects anything unauthenticated at the edge.
3 — Gateway → agents
Authorized requests are dispatched to the Python agent runtime (Alex and the other agents). Agents plan work and call tools, but every database read and write is stamped with the caller's organization.
4 — Agents → Supabase
Persistent data — tasks, documents, knowledge, the flight log — lives in Supabase Postgres and storage. Row-level security enforces that a query can only touch rows belonging to the caller's org.
5 — Agents → model providers
For reasoning, agents call Anthropic (Claude) as the primary model and xAI (Grok) for the marketing agent. Only the context needed for the task is sent, over TLS, and providers are contractually barred from training on it.
6 — Billing & async work
A separate billing service meters credit usage and talks to Stripe for subscriptions and invoicing. Scheduled cron jobs run recurring and background work on the same org-scoped rules as live requests.
Authentication, authorization & posture
Access is verified at every boundary, privileges are scoped to a role, and the services that touch your data are not exposed to the public internet.
Authentication
Identity is handled by Clerk. Sessions are exchanged for short-lived, signed JWTs (RS256) that our services verify against Clerk's published JWKS on every request. No long-lived API tokens sit in the browser, and expired or tampered tokens are rejected at the gateway.
Authorization
Every user belongs to an organization with a role — owner, admin, or member. Sensitive operations (billing changes, member management, destructive admin actions) are gated by role-based access control, checked server-side rather than hidden in the UI.
Network posture
Only the web app and API gateway are exposed publicly. Internal services — the agent runtime, billing worker, and cron — are bound to loopback / the private network and are not reachable from the internet. Requests cross trust boundaries only through authenticated interfaces.
Secrets management
Credentials for the database, model providers, Stripe, and messaging live in the platform's encrypted secret store and are injected as environment variables at runtime. Secrets are never committed to source control and are never rendered into the application or client bundle.
Encrypted in transit and at rest
In transit
All traffic between your browser, our services, and every sub-processor is encrypted with TLS 1.2 or higher. Plaintext HTTP is not used for application data.
At rest
The Postgres database and file storage encrypt data at rest at the storage layer, so backups and disks are protected without any action on your part.
No plaintext secrets
Provider keys and credentials live in an encrypted secret store and are injected at runtime. No secret is written into the app tier, logs, or the client bundle.
Your organization is a hard boundary
AgentCorp is multi-tenant, but tenancy is enforced in the database, not just the application. Every row of your data is stamped with your organization, and Postgres row-level security makes it impossible for a query to return another organization's rows.
Row-level security
Tables holding tenant data are protected by Postgres row-level security policies keyed to the organization. Even a bug in application code cannot read across organizations, because the database itself refuses to return rows outside the caller's org.
Agents are org-scoped
Agents operate strictly within the calling user's organization. Their tools inherit the same org-scoped credentials as the request, so an agent can only read and write your own data — never another customer's.
Worked example: “Alex, email this client”
- You ask Alex to email a client. The browser sends the request with your Clerk-issued JWT.
- The gateway verifies the token and resolves your organization from it — Alex never picks the org, the verified token does.
- Alex reads the client’s details from your knowledge base. Row-level security guarantees those rows belong to your org.
- Alex drafts the email, then stops at a human approval gate showing the real recipient and the full message body.
- Only after you approve does the send go out. The action — actor, org, recipient, timestamp — is written to the append-only flight log.
Autonomy with a human in the loop
Agents do real work, but the actions that leave your organization or change money stay under human control, and untrusted content is never allowed to act as instructions.
Human approval gates
Outbound and sensitive actions — sending an email, messaging a customer, making a payment change — pause for human approval. The approval card shows the real recipient and the actual message body before anything leaves your organization, so a person always confirms the final content.
Prompt-injection framing
Content an agent pulls in — a document, a webpage, an inbound email — is treated as untrusted data, not as instructions. It is framed and separated from the agent's operating instructions so that text hidden inside a file cannot silently redirect the agent's behavior.
No training on your data
We do not use your organizational data to train models, and our model providers are contractually prohibited from training on your prompts and outputs. Any use of your data to improve the product requires explicit, written opt-in.
Model providers
Reasoning runs on Anthropic's Claude as the primary provider, with xAI's Grok used for the marketing agent. Both are US-based sub-processors listed below and are engaged under data-processing terms.
Where we are — honestly
AgentCorp is not certified today, and we will not claim otherwise. Here is what is genuinely in place now, what we are actively building toward, and what is further out. We only move an item to the left column once it is real.
Now — in place today
- Postgres row-level security isolating every tenant
- Encryption in transit (TLS 1.2+) and at rest
- Append-only audit log of sensitive agent actions
- Data Processing Agreement (DPA) available on request
- Full sub-processor transparency and 14-day change notice
- Responsible-disclosure channel for security researchers
Next — actively working on
- SOC 2 Type I readiness assessment
- SSO / SAML for enterprise identity providers
- Independent third-party penetration test
- Formalized access-review and vendor-review cadence
Later — on the roadmap
- SOC 2 Type II report
- Regional data-residency options beyond US
- Tamper-evident, hash-chained audit trail
- Customer-configurable data-retention windows
“Now” items are live in production. “Next” and “Later” are planned targets with no guaranteed date, and are not representations that a control or certification exists yet.
Reliability & graceful degradation
We design for the fact that dependencies fail. The goal is that a transient upstream problem never becomes your problem.
Health checks
The web app, API gateway, and background workers expose health endpoints that the hosting platform probes continuously, so an unhealthy instance is detected and replaced rather than left serving traffic.
Retries with backoff
Calls to model providers and other sub-processors retry transient failures with exponential backoff, so a brief upstream blip does not surface as a failed task.
Graceful degradation
When a non-critical dependency is unavailable, the platform degrades that capability rather than failing the whole request — for example, falling back to curated defaults instead of breaking a page.
Status page
A public status page is planned for general availability at status.agentcorp.work, so you can see incident history and current health at a glance.
We do not publish an uptime percentage or SLA on this page; contracted availability commitments, where offered, are set out in your order form.
Disaster recovery & backups
Your data is backed up automatically and can be restored to a point in time. The recovery numbers below are current targets.
Automated backups
The primary Postgres database is backed up automatically by our managed database provider (Supabase), with no manual step required to protect your data.
Point-in-time recovery
Point-in-time recovery lets us restore the database to a specific moment before an incident, rather than only to the last nightly snapshot.
Retention
Backups are retained on a rolling window. Data deleted from primary storage may persist in backups for a bounded period (up to 60 days) before aging out, consistent with our Privacy Policy.
Recovery targets
We target a Recovery Point Objective (RPO) of ≤ 24 hours and a Recovery Time Objective (RTO) of ≤ 4 hours. These are current internal targets, not a contractual SLA.
What happens when something goes wrong
Incidents are inevitable at some point; what matters is a fast, honest, and repeatable response.
Severity levels
Incidents are triaged into severity levels based on customer impact and data exposure, which sets the response urgency, who is paged, and how we communicate.
On-call & escalation
Alerts from monitoring route to an on-call owner with a defined escalation path, so a serious issue reaches a human quickly rather than sitting in a dashboard.
Customer notification
For a personal-data breach affecting your organization, we commit to notifying you without undue delay and no later than 72 hours after becoming aware, as set out in our DPA.
Post-incident review
Significant incidents get a written post-incident review focused on root cause and durable fixes rather than blame, with follow-up actions tracked to completion.
An append-only flight log
Sensitive agent actions are recorded so there is always an answer to who did what, in which organization, and when.
Append-only agent flight log
When an agent takes a sensitive action — sending a message, making a change on your behalf — we write an entry capturing the actor, the organization, the action, and a timestamp. Entries are append-only: the record of what happened is added to, not rewritten.
Tamper-evidence (planned)
Hash-chaining each log entry to the previous one — so any after-the-fact edit is detectable — is on the roadmap and is not claimed as live today. It is listed under “Later” in the compliance roadmap above.
Who we rely on
AgentCorp uses a short list of vetted providers to deliver the service. Each is engaged under data-processing terms and is listed here for full transparency. We give 14 days' notice before adding a new sub-processor that will handle personal data.
| Sub-processor | Purpose | Location | Personal data |
|---|---|---|---|
| Clerk | Authentication & user identity | United States | Yes |
| Supabase | Primary database & file storage | United States | Yes |
| Railway | Application hosting & compute | United States | Yes |
| Stripe | Payments, subscriptions & invoicing | United States | Yes |
| Anthropic | Primary AI model processing (Claude) | United States | Yes |
| xAI (Grok) | Secondary AI model processing (marketing agent) | United States | Yes |
| Twilio | WhatsApp / SMS messaging channel | United States | Yes |
| Customer.io | Lifecycle & transactional email | United States | Yes |
| Intercom | In-product customer support messaging | United States | Yes |
| PostHog | Product analytics (consent-gated) | United States | Yes |
| Sentry | Error & performance monitoring | United States | No |
| Arize | AI output observability & evaluation | United States | No |
See the full sub-processor page for the maintained list and change history.
Security questions, answered
Security
Where is my data stored?+
In the United States (us-east). The primary database and file storage are hosted with Supabase, and application compute runs on Railway — both US-based. If you are outside the US, your data may be transferred to and processed in the US, as described in our Privacy Policy.
Do you train on my data?+
No. We do not use your organizational data to train models, and our model providers are contractually prohibited from training on your prompts and outputs. Any product improvement that would use your data requires explicit, written opt-in.
How are tenants isolated?+
At the database level, using Postgres row-level security. Every row is stamped with an organization, and RLS policies stop a query from returning rows outside the caller’s org — so isolation does not depend on application code being bug-free.
Can agents act without my approval?+
Not for sensitive or outbound actions. Sending an email, messaging a customer, or changing billing pauses at a human approval gate that shows the real recipient and message body before anything is sent. You confirm the final action.
Do you support SSO?+
Not yet. SSO / SAML for enterprise identity providers is on our near-term roadmap (the “Next” column above). Today, authentication is handled by Clerk. If SSO is a requirement for you, email security@agentcorp.work and tell us your provider.
How do I report a vulnerability?+
Email security@agentcorp.work with details and reproduction steps. We welcome good-faith research; see our responsible-disclosure policy for scope and safe-harbor terms.
Your data & account
Who can see my data internally?+
Access is limited to staff who need it to resolve a support issue or security incident, subject to internal access controls and logging. We do not browse customer data, and we do not sell it.
What happens to my data if I cancel?+
When you close your account we delete primary data within 30 days. De-identified, aggregated analytics may be retained longer, and residual copies may persist in backups for up to 60 days before aging out. You can also request deletion or export at privacy@agentcorp.work.
Which AI models do you use?+
Anthropic’s Claude is the primary reasoning model, and xAI’s Grok powers the marketing agent. Both are listed as sub-processors above and are engaged under data-processing terms that bar training on your data.
Is my payment info safe?+
Yes. Payments are handled by Stripe. Card data goes directly to Stripe and is never stored in AgentCorp’s systems — we keep only non-sensitive references needed to manage your subscription.
Digging deeper?
The policies below go into the contractual detail behind everything on this page. For anything security-related, our team reads security@agentcorp.work.
Last updated: July 2026. AgentCorp is not certified under SOC 2 or an equivalent framework at this time; see the compliance roadmap above.