Building a Compliance-First AI Platform

Giving AI agents access to your business systems raises legitimate questions about security, privacy, and compliance. We take these seriously.

Encryption everywhere

All data in transit uses TLS. All credentials (OAuth tokens, API keys) are encrypted at rest using Fernet symmetric encryption. Passwords are hashed with bcrypt. Session tokens are stored as secure, HTTP-only cookies.

We never store raw credentials in logs, error messages, or analytics events. Our API never returns stored credentials — not even to authenticated users.

Audit trails

Every action taken by an agent is logged with:

• What was done
• Why the agent proposed it
• Who approved it (or whether it was auto-approved)
• The exact timestamp
• The outcome (success, failure, partial)

These logs are immutable and retained for 24 months. They're designed to satisfy audit requirements for SOC 2, GDPR, and similar frameworks.

Rate limiting and abuse prevention

All API endpoints are rate-limited with tiered limits based on operation type. Authentication endpoints are limited to 5 requests per minute per IP to prevent brute force attacks. Agent actions are throttled to prevent runaway execution.

The Compliance agent

We built a dedicated Compliance agent that monitors all other agents' actions for policy violations. It checks proposed actions against your configured rules before they enter the approval queue. If an action would violate a compliance policy — say, sending marketing emails to a region where you don't have consent — the Compliance agent blocks it before you ever see it.

This isn't a replacement for legal review. It's a safety net that catches the obvious issues automatically, so your compliance team can focus on the nuanced ones.