Security
What actually protects your work.
This page lists the controls that exist in the product today — no badges, no aspirations. If your review needs something you don’t see here, ask us directly and we’ll give you a straight answer.
Isolation
- Org-isolated by design
- Every agent, connection, knowledge store, and sandbox is scoped to your organization. There is no cross-tenant access path at any layer.
- Sandboxes are disposable machines
- Each agent works in its own container with its own filesystem. File operations are restricted to the workspace; destructive system operations are blocked.
- Network guards on web access
- When an agent reads a URL, every redirect hop is resolved and validated against private, loopback, and internal address ranges before a byte is fetched — the standard server-side request forgery paths are closed by design.
- Your hardware stays yours
- With a self-hosted sandbox, the agent's shell, files, and repositories live on a machine you own. The runner dials out on port 443 — no inbound ports — and one click in the console revokes the credential and drops the tunnel.
Credentials
- Encrypted at rest
- OAuth tokens and connection credentials are encrypted with AES-256-GCM before they are stored. Encryption keys never live alongside the data.
- Short-lived, scoped tokens
- Agents receive temporary tokens scoped to the task at hand, issued just-in-time and revoked after completion. Agents never see your long-lived refresh tokens.
- Per-agent × per-API permissions
- Permissions are granted at the API-method level, not the tool level: an agent can be allowed to post to Slack and denied the ability to delete. Nothing outside the grant is callable.
- The smallest possible tool surface
- An agent carries only the integrations, knowledge, and skills you gave it — least privilege applied to the agent itself. What an agent was never given, it cannot call, leak, or be tricked into using.
Oversight
- Every action lands in the audit log
- Every tool call, permission grant, connection change, and admin action is written to an audit trail your admins can review.
- Six ways a run stops for a human
- Mid-run, an agent can ask for free text, a choice, a dropdown selection, a file upload, an approval, or sign-off on a risk-tagged plan. The run pauses and resumes with full state.
- Full run observability
- The live plan, model reasoning, and every tool call stream into the run timeline as they happen — inspectable during the run and after it.
- Loops keep a human seat
- Agents that continue work on schedules and events obey the same approval rules as interactive runs — the per-agent autonomy dial rides every pass, and you can step into any run live. The industry's verdict on agent loops is that they still need humans in them; we agree — we built the seat.
- Bounded loops
- Every run carries hard time and model-call budgets; near the budget, a run checkpoints its state cleanly instead of overrunning. Credits are transparent and metered per action — 1 credit = $0.001, forever — so recurring agent work can never outspend the caps you can see.
Sessions & access
- Single domain-wide session
- Sign-in is verified against Firebase and exchanged for a short-lived signed session token, validated by every service on every request.
- Role-based access
- Owner, admin, member, customer, and guest roles gate who can configure agents, grant permissions, and read run history.
- Encrypted in transit
- All traffic between your browser, our services, and connected tools runs over TLS.
Certifications
We are a small team in private beta and do not hold a compliance certification today. The controls above are the substance of what a certification audits; if your procurement process needs specific documentation, contact us and we’ll work through it with you.
Security questions or disclosures: support@auteryn.ai·Security docs