Skip to main content
Security

What actually protects your work.

This page lists the controls that exist in the product today — no badges, no aspirations. If your review needs something you don’t see here, ask us directly and we’ll give you a straight answer.

Isolation

Org-isolated by design
Every agent, connection, knowledge store, and sandbox is scoped to your organization. There is no cross-tenant access path at any layer.
Sandboxes are disposable machines
Each agent works in its own container with its own filesystem. File operations are restricted to the workspace; destructive system operations are blocked.
Network guards on web access
When an agent reads a URL, every redirect hop is resolved and validated against private, loopback, and internal address ranges before a byte is fetched — the standard server-side request forgery paths are closed by design.
Your hardware stays yours
With a self-hosted sandbox, the agent's shell, files, and repositories live on a machine you own. The runner dials out on port 443 — no inbound ports — and one click in the console revokes the credential and drops the tunnel.

Credentials

Encrypted at rest
OAuth tokens and connection credentials are encrypted with AES-256-GCM before they are stored. Encryption keys never live alongside the data.
Short-lived, scoped tokens
Agents receive temporary tokens scoped to the task at hand, issued just-in-time and revoked after completion. Agents never see your long-lived refresh tokens.
Per-agent × per-API permissions
Permissions are granted at the API-method level, not the tool level: an agent can be allowed to post to Slack and denied the ability to delete. Nothing outside the grant is callable.
The smallest possible tool surface
An agent carries only the integrations, knowledge, and skills you gave it — least privilege applied to the agent itself. What an agent was never given, it cannot call, leak, or be tricked into using.

Oversight

Every action lands in the audit log
Every tool call, permission grant, connection change, and admin action is written to an audit trail your admins can review.
Six ways a run stops for a human
Mid-run, an agent can ask for free text, a choice, a dropdown selection, a file upload, an approval, or sign-off on a risk-tagged plan. The run pauses and resumes with full state.
Full run observability
The live plan, model reasoning, and every tool call stream into the run timeline as they happen — inspectable during the run and after it.
Loops keep a human seat
Agents that continue work on schedules and events obey the same approval rules as interactive runs — the per-agent autonomy dial rides every pass, and you can step into any run live. The industry's verdict on agent loops is that they still need humans in them; we agree — we built the seat.
Bounded loops
Every run carries hard time and model-call budgets; near the budget, a run checkpoints its state cleanly instead of overrunning. Credits are transparent and metered per action — 1 credit = $0.001, forever — so recurring agent work can never outspend the caps you can see.

Sessions & access

Single domain-wide session
Sign-in is verified against Firebase and exchanged for a short-lived signed session token, validated by every service on every request.
Role-based access
Owner, admin, member, customer, and guest roles gate who can configure agents, grant permissions, and read run history.
Encrypted in transit
All traffic between your browser, our services, and connected tools runs over TLS.

Certifications

We are a small team in private beta and do not hold a compliance certification today. The controls above are the substance of what a certification audits; if your procurement process needs specific documentation, contact us and we’ll work through it with you.

Security questions or disclosures: support@auteryn.ai·Security docs

We use cookies to enhance your experience and analyze site traffic. Learn more