Security at Agent X
We treat security as a first-order product requirement, not an afterthought.
Programme
- ISO 27001 controls implemented; certification audit underway
- SOC 2 Type II audit window scheduled
- GDPR + UK Data Protection Act 2018 + CCPA aligned
- Annual third-party penetration test, quarterly internal assessments
Architecture
- Tenant isolation — Row-Level Security on every table, validated by automated cross-tenant attack suite gated in CI
- Authentication — bcrypt-hashed passwords, MFA enforced for admin roles, session lifecycle audited
- Audit log — tamper-evident SHA-256 hash chain, 7-year retention, regulator-friendly export
- Encryption — TLS 1.3 in transit, AES-256 at rest
- Headers — strict Content-Security-Policy, HSTS preload, COOP/COEP isolation
- Edge protection — rate limiting, WAF rules, CSP violation reporting
Operations
- 24/7 alerting on security signals and SLA breaches
- Documented incident-response runbook with severity classifications
- Tested business-continuity and disaster-recovery plans
- Vendor security reviews before any sub-processor engagement
- Background checks on personnel with production access
Responsible disclosure
Email security@agent-x.example with PGP-encrypted reports. We acknowledge within 2 business days and aim to remediate critical issues within 14 days. We do not pursue legal action against good-faith researchers.
For more detail, request our security questionnaire (CAIQ + SIG Lite) at trust@agent-x.example.