01 Where we are today
AgentPrizm is an early-stage product. We don't hold formal certifications yet, and we're not going to claim ones we don't have. What we do have is a small, hardened deployment that's built on the same controls a SOC 2 auditor would look for: TLS everywhere, encrypted secrets, strict access, audit logging, daily backups, and a security review on every change.
If your procurement requires a specific certification we don't carry yet, tell us. Self-hosting is on the roadmap for teams that need to keep customer data inside their own VPC.
02 Data handling
- In transit: all traffic is HTTPS-only via Let's Encrypt with TLS 1.2+; HSTS with preload.
- At rest: sensitive fields (OAuth tokens, integration credentials) are encrypted with AES-256 using a key held only on the application host. The database is bound to localhost and requires authentication; it is never exposed to the public internet.
- Backups: the database is backed up nightly, with a 30-day retention window.
- Logs: request logs avoid sensitive payload contents and are rotated automatically.
- No model training on your data. The recall pipeline uses pre-trained, frozen embedding models — your memories are never used to train ours or anyone else's.
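The "at rest" bullet above describes field-level encryption of secrets with a host-held key. The following is an added example in Go, not AgentPrizm's own code, of how such a column is sealed and opened. It assumes AES-256-GCM (the page names only AES-256, not a mode), binds each ciphertext to its workspace and column through additional authenticated data so a value copied between rows fails to open, and rejects any key that is not exactly 32 bytes. The key, workspace IDs and column names are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD; a key of any other length is refused so
// a misconfigured host cannot silently fall back to AES-128.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// FieldAAD derives the additional authenticated data for one column of one
// row, e.g. "ws_42:oauth_token". It is authenticated but not encrypted, so a
// ciphertext moved to another workspace or column fails to open.
func FieldAAD(workspaceID, column string) []byte {
	return []byte(workspaceID + ":" + column)
}

// EncryptField seals a plaintext value under a fresh random 96-bit nonce and
// returns base64(nonce || ciphertext || tag), ready to store in the column.
func EncryptField(key, plaintext, aad []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, aad) // nonce is prepended to the output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any bit flip in the stored value, the
// tag or the AAD makes Open return an error instead of garbage plaintext.
func DecryptField(key []byte, stored string, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored value too short to contain nonce and tag")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed key for the demo; in production the 32 bytes come from a
	// file or environment readable only by the application user on the host.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := FieldAAD("ws_demo", "oauth_token")
	stored, err := EncryptField(key, []byte("constructed-oauth-token"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored column value:", stored)
	plain, err := DecryptField(key, stored, aad)
	fmt.Printf("decrypted with correct AAD: %q err=%v\n", plain, err)
	_, err = DecryptField(key, stored, FieldAAD("ws_other", "oauth_token"))
	fmt.Println("decrypted under another workspace's AAD: err =", err)
}
```

Two sealings of the same plaintext produce different stored values because the nonce is random per call; a fixed or counter-based nonce must never be reused with the same key under GCM, so drawing it from the OS CSPRNG per field is the simplest safe choice.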
03 Infrastructure hardening
- SSH is key-only (no passwords), root login disabled, with rate-limited connection attempts.
- Firewall (UFW) denies all inbound traffic except SSH, HTTP, and HTTPS.
- Fail2Ban bans sources that repeatedly fail SSH authentication or trip the HTTP rate limits.
- Application processes run as a non-root user under a process supervisor.
- Automatic OS security updates are enabled.
- A daily integrity audit checks SSH/firewall/web/database configs against a baseline.
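The last bullet describes a daily audit of SSH, firewall, web and database configuration against a baseline. The following is an added example in Go, not the product's own audit script, of what such a check does: it parses an sshd_config for the key-only and no-root settings listed above, checks `ufw status verbose` output for a deny-by-default policy with only 22, 80 and 443 open, and compares config file hashes with fingerprints recorded at the last review. The sample configs, file paths and baseline values are constructed; the page does not say how the real audit is implemented.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// sshdDirectives parses sshd_config text into lowercase directive -> value.
// sshd uses the first value it sees for a keyword, so the first wins here
// too. Match blocks are not modelled; keep the audited directives global.
func sshdDirectives(cfg string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(cfg, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		key := strings.ToLower(fields[0])
		if _, seen := out[key]; !seen {
			out[key] = strings.ToLower(fields[1])
		}
	}
	return out
}

// CheckSSHD reports every directive that departs from the key-only, no-root
// baseline. An absent directive is also a finding, because sshd's compiled-in
// default (e.g. PasswordAuthentication yes) then applies.
func CheckSSHD(cfg string) []string {
	want := []struct{ key, val string }{
		{"passwordauthentication", "no"},
		{"permitrootlogin", "no"},
		{"pubkeyauthentication", "yes"},
	}
	got := sshdDirectives(cfg)
	var findings []string
	for _, w := range want {
		v, ok := got[w.key]
		if !ok {
			findings = append(findings, "sshd: "+w.key+" not set, sshd default applies")
		} else if v != w.val {
			findings = append(findings, "sshd: "+w.key+" is "+v+", want "+w.val)
		}
	}
	return findings
}

// CheckUFW parses `ufw status verbose` output: the default inbound policy
// must be deny, and every ALLOW IN / LIMIT IN rule must name a port in
// allowed (22, 80 and 443 for the policy described on this page).
func CheckUFW(status string, allowed map[string]bool) []string {
	var findings []string
	if !strings.Contains(status, "Default: deny (incoming)") {
		findings = append(findings, "ufw: default inbound policy is not deny")
	}
	for _, line := range strings.Split(status, "\n") {
		f := strings.Fields(line)
		for i := 1; i < len(f); i++ {
			if f[i] == "IN" && (f[i-1] == "ALLOW" || f[i-1] == "LIMIT") && !allowed[f[0]] {
				findings = append(findings, "ufw: unexpected inbound rule for "+f[0])
			}
		}
	}
	return findings
}

// sha256Hex is the fingerprint recorded in the baseline for each config file.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// CheckBaseline compares each audited file's current content with the
// fingerprint recorded at the last review; a missing file is a finding too.
func CheckBaseline(current map[string][]byte, baseline map[string]string) []string {
	var findings []string
	for path, want := range baseline {
		body, ok := current[path]
		if !ok {
			findings = append(findings, path+": missing")
		} else if sha256Hex(body) != want {
			findings = append(findings, path+": content drifted from baseline")
		}
	}
	return findings
}

func main() {
	// Constructed inputs standing in for /etc/ssh/sshd_config, the output of
	// `ufw status verbose`, and a baseline recorded at the last review.
	sshd := "PermitRootLogin no\n# PasswordAuthentication no\nPasswordAuthentication yes\n"
	ufw := "Default: deny (incoming), allow (outgoing), disabled (routed)\n" +
		"22/tcp   LIMIT IN   Anywhere\n443/tcp   ALLOW IN   Anywhere\n8080/tcp   ALLOW IN   Anywhere\n"
	baseline := map[string]string{"/etc/nginx/nginx.conf": sha256Hex([]byte("worker_processes auto;\n"))}
	current := map[string][]byte{"/etc/nginx/nginx.conf": []byte("worker_processes 1;\n")}
	allowed := map[string]bool{"22/tcp": true, "80/tcp": true, "443/tcp": true}

	var all []string
	all = append(all, CheckSSHD(sshd)...)
	all = append(all, CheckUFW(ufw, allowed)...)
	all = append(all, CheckBaseline(current, baseline)...)
	for _, f := range all {
		fmt.Println("FINDING:", f)
	}
	fmt.Printf("%d finding(s); exit non-zero from cron when this is not 0\n", len(all))
}
```

The sample run reports four findings: the commented-out `PasswordAuthentication no` is ignored and the live `yes` wins, `PubkeyAuthentication` is unset, 8080/tcp is open, and nginx.conf has drifted. Run from cron, a non-zero exit on any finding is what turns this from a report into an alert.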
04 Access controls
- API keys are scoped to a single workspace and can be revoked at any time.
- Production access by AgentPrizm operators is gated by SSH keys held on a single workstation. There is no shared admin password.
- Every administrative action against your data is recorded.
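The three bullets above amount to one small mechanism: a key that is bound to exactly one workspace, can be revoked, and whose issuance and revocation leave an audit record. The following is an added example in Go, not AgentPrizm's implementation, of that mechanism. It stores only a SHA-256 digest of each secret, so a database read never yields a usable key; the `apk_` prefix, the in-memory store and the workspace and actor identifiers are assumptions for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

// apiKey is what the store keeps: a digest of the secret (never the secret),
// the one workspace it may act on, and when, if ever, it was revoked.
type apiKey struct {
	digest      string
	workspaceID string
	revokedAt   time.Time
}

// KeyStore stands in for the API-key table and the audit log (assumed design
// for this example: an in-memory map and an append-only slice).
type KeyStore struct {
	keys  map[string]*apiKey // keyed by digest, so lookups never touch the secret
	audit []string
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]*apiKey{}} }

func digest(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// record appends one audit line; keys are named by a digest prefix so the
// log can identify them without ever containing a secret.
func (s *KeyStore) record(actor, action, detail string) {
	s.audit = append(s.audit, fmt.Sprintf("%s actor=%s action=%s %s",
		time.Now().UTC().Format(time.RFC3339), actor, action, detail))
}

// Issue mints a 256-bit random secret scoped to exactly one workspace. The
// "apk_" prefix is an assumption for this example; it makes keys greppable.
func (s *KeyStore) Issue(workspaceID, actor string) (string, error) {
	raw := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	secret := "apk_" + base64.RawURLEncoding.EncodeToString(raw)
	d := digest(secret)
	s.keys[d] = &apiKey{digest: d, workspaceID: workspaceID}
	s.record(actor, "issue_key", "workspace="+workspaceID+" key="+d[:12])
	return secret, nil
}

// Authorize answers "may this key touch this workspace?" and names the
// reason on refusal. The digest lookup is safe against timing probes because
// the secret carries 256 bits of entropy and only its hash is compared.
func (s *KeyStore) Authorize(secret, workspaceID string) error {
	k, ok := s.keys[digest(secret)]
	if !ok {
		return errors.New("unknown key")
	}
	if !k.revokedAt.IsZero() {
		return errors.New("key revoked")
	}
	if k.workspaceID != workspaceID {
		return errors.New("key is scoped to another workspace")
	}
	return nil
}

// Revoke kills a key immediately and writes the audit entry; a second
// revoke of the same key is a no-op and returns false.
func (s *KeyStore) Revoke(secret, actor string) bool {
	d := digest(secret)
	k, ok := s.keys[d]
	if !ok || !k.revokedAt.IsZero() {
		return false
	}
	k.revokedAt = time.Now().UTC()
	s.record(actor, "revoke_key", "workspace="+k.workspaceID+" key="+d[:12])
	return true
}

// AuditLog returns a copy so callers cannot edit history.
func (s *KeyStore) AuditLog() []string { return append([]string(nil), s.audit...) }

func main() {
	store := NewKeyStore()
	secret, _ := store.Issue("ws_alpha", "operator@workstation") // constructed ids
	fmt.Println("own workspace:", store.Authorize(secret, "ws_alpha"))
	fmt.Println("other workspace:", store.Authorize(secret, "ws_beta"))
	store.Revoke(secret, "owner@ws_alpha")
	fmt.Println("after revoke:", store.Authorize(secret, "ws_alpha"))
	for _, e := range store.AuditLog() {
		fmt.Println(e)
	}
}
```

Because the workspace check happens on every call rather than once at issuance, a key leaked from one tenant is useless against another, and revocation takes effect on the next request with no cache to expire.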
SSO and SCIM are on the roadmap for teams that need them. Talk to us if it's a procurement blocker.
05 Responsible disclosure
If you find a security issue, please email [email protected] with reproduction steps and the impact you observed. We'll acknowledge within two business days.
We don't pursue legal action against good-faith researchers who report responsibly — give us a reasonable window to fix the issue before public disclosure.
06 Subprocessors
The third-party services that touch customer data:
| Processor | Purpose |
|---|---|
| Hostinger | VPS hosting (US data center) |
| Cloudflare | DNS and edge proxy |
| Stripe | Subscription billing |
| | OAuth sign-in (only the email address you sign in with) |
| OpenAI | Embeddings and AI classification |
| Resend | Transactional email |
We'll tell customers in advance when we change this list.
07 Compliance
We don't currently hold SOC 2, HIPAA BAA, ISO 27001, or FedRAMP certifications. We don't recommend AgentPrizm for workloads that strictly require any of them — not yet. If you have a specific compliance need and want to talk about a path, reach out.
Found a security issue? Email [email protected].