01 Where we are today
AgentPrizm is an early-stage product. We don't hold formal certifications yet, and we're not going to claim ones we don't have. What we do have is a small, hardened deployment that's built on the same controls a SOC 2 auditor would look for: TLS everywhere, encrypted secrets, strict access, audit logging, daily backups, and a security review on every change.
If your procurement requires a specific certification we don't carry yet, tell us. For teams with strict data-handling needs, we offer custom retention, residency, and contractual terms on our hosted service — reach out and we'll work through your requirements.
02 Data handling
- In transit: all traffic is HTTPS-only, with certificates from Let's Encrypt, TLS 1.2 or newer, and HSTS with preload.
- Per-field encryption: sensitive fields (OAuth tokens, integration credentials) are encrypted with AES-256 using a key held only on the application host. The database itself sits behind authenticated localhost binding — never exposed to the public internet.
- API keys: API keys are never stored in plaintext. We store only a SHA-256 hash plus a short prefix, so a key cannot be recovered from our systems — keep your copy safe, because we can't show it to you again.
- Tenant isolation: every memory, key, and connection is scoped to its workspace, and queries are filtered by workspace so one customer's data is not returned to another.
- Audit trails: administrative and forget actions against your data are recorded.
- Backups: the database is backed up nightly, with a 30-day retention window.
- Logs: request logs avoid sensitive payload contents and are rotated automatically.
- No model training on your data. The recall pipeline uses pre-trained, frozen embedding models — your memories are never used to train ours or anyone else's.
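The two storage rules above (API keys kept only as a SHA-256 hash plus a short prefix; every query filtered by workspace) are easy to state and easy to get subtly wrong. The following is an added example written for this page, not AgentPrizm's code: the table layout, the `ap_` key format and the 8-character prefix length are assumptions, and the data is constructed. It shows a key being issued, looked up by hash, revoked only within its own workspace, and memories read only within the caller's workspace.

```python
"""Added example (not AgentPrizm's code): hashed API keys plus workspace-scoped reads.

Assumptions: the schema, the 'ap_' key format and PREFIX_LEN are invented for
this illustration; the real service's storage layout is not described on the page.
"""
import hashlib
import secrets
import sqlite3

PREFIX_LEN = 8  # assumption: how much of the key stays in clear for display/lookup


def connect() -> sqlite3.Connection:
    """In-memory database with a workspace-scoped schema (constructed for the example)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE api_keys (
            prefix       TEXT NOT NULL,
            key_hash     TEXT NOT NULL UNIQUE,
            workspace_id TEXT NOT NULL,
            revoked      INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE memories (
            id           INTEGER PRIMARY KEY,
            workspace_id TEXT NOT NULL,
            body         TEXT NOT NULL
        );
    """)
    return db


def hash_key(raw_key: str) -> str:
    """SHA-256 of the key; this is the only form that ever reaches the database."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


def issue_key(db: sqlite3.Connection, workspace_id: str) -> str:
    """Mint a key, persist only its hash and prefix, and hand the plaintext back once."""
    raw_key = "ap_" + secrets.token_urlsafe(32)  # assumption: 'ap_' format is invented
    db.execute(
        "INSERT INTO api_keys (prefix, key_hash, workspace_id) VALUES (?, ?, ?)",
        (raw_key[:PREFIX_LEN], hash_key(raw_key), workspace_id),
    )
    return raw_key


def authenticate(db: sqlite3.Connection, raw_key: str):
    """Resolve a presented key to its workspace (or None) by comparing hashes, never plaintext."""
    row = db.execute(
        "SELECT workspace_id FROM api_keys WHERE key_hash = ? AND revoked = 0",
        (hash_key(raw_key),),
    ).fetchone()
    return row[0] if row else None


def revoke_key(db: sqlite3.Connection, prefix: str, workspace_id: str) -> int:
    """Revoke by prefix, scoped to the caller's workspace; returns rows affected (0 across tenants)."""
    cur = db.execute(
        "UPDATE api_keys SET revoked = 1 WHERE prefix = ? AND workspace_id = ?",
        (prefix, workspace_id),
    )
    return cur.rowcount


def add_memory(db: sqlite3.Connection, workspace_id: str, body: str) -> int:
    cur = db.execute(
        "INSERT INTO memories (workspace_id, body) VALUES (?, ?)", (workspace_id, body)
    )
    return cur.lastrowid


def search_memories(db: sqlite3.Connection, workspace_id: str, needle: str) -> list:
    """Every read carries the workspace filter; there is no unscoped variant to call by mistake."""
    rows = db.execute(
        "SELECT body FROM memories WHERE workspace_id = ? AND body LIKE ?",
        (workspace_id, f"%{needle}%"),
    ).fetchall()
    return [r[0] for r in rows]


def plaintext_in_store(db: sqlite3.Connection, raw_key: str) -> bool:
    """True only if the raw key leaked into the api_keys table (it must not)."""
    return any(raw_key in row for row in db.execute("SELECT prefix, key_hash FROM api_keys"))


if __name__ == "__main__":
    db = connect()
    key = issue_key(db, "ws_alpha")
    add_memory(db, "ws_alpha", "alpha: rotate the deploy token on Friday")   # constructed
    add_memory(db, "ws_beta", "beta: rotate the deploy token on Monday")     # constructed
    ws = authenticate(db, key)
    print(ws, search_memories(db, ws, "deploy token"), plaintext_in_store(db, key))
```

The two properties worth checking in a review are visible here: `authenticate` never reads a plaintext key back out of the store, and `revoke_key` and `search_memories` cannot be called without a `workspace_id`, so a cross-tenant request simply matches zero rows.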
We work hard to protect your data, but no method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your own credentials and API keys safe and for maintaining your own backups of important data.
The security measures described here are further governed by our Terms of Service, including the Warranty Disclaimer and Limitation of Liability sections, which set out the full scope of our obligations and the limits on our liability; this page does not create any warranty or guarantee beyond those sections.
03 Infrastructure hardening
- SSH is key-only (no passwords), root login disabled, with rate-limited connection attempts.
- Firewall (UFW) denies all inbound traffic except SSH, HTTP, and HTTPS.
- Fail2Ban bans source addresses that brute-force SSH or exceed the HTTP rate limits.
- Application processes run as a non-root user under a process supervisor.
- Automatic OS security updates are enabled.
- A daily integrity audit checks SSH/firewall/web/database configs against a baseline.
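The last item, a daily check of configs against a baseline, is the control that catches drift in the others. As an added example (written for this page, not AgentPrizm's audit script), here is a minimal checker for the SSH part of such a baseline. The option values for key-only SSH and disabled root login come from the list above; the `MaxStartups` line is my assumption for what "rate-limited connection attempts" means, and both config samples are constructed. The parser mimics two sshd_config rules that make naive `grep`-style checks unreliable: the first occurrence of an option wins, and only whole-line comments are comments.

```python
"""Added example (not AgentPrizm's code): audit an sshd_config against a hardening baseline."""
import re

# Baseline: option -> required value. sshd option names are case-insensitive.
SSHD_BASELINE = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "maxstartups": "10:30:60",  # assumption: start dropping unauthenticated connections past 10
}


def parse_sshd_config(text: str) -> dict:
    """Effective global options. sshd keeps the FIRST value of each keyword, so later
    duplicates are ignored; only lines starting with '#' are comments; anything after
    a Match block is conditional and is not part of the global baseline."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def audit_sshd(text: str, baseline: dict = SSHD_BASELINE) -> list:
    """(option, expected, actual) for every baseline option that is unset or has drifted."""
    effective = parse_sshd_config(text)
    findings = []
    for option, expected in baseline.items():
        actual = effective.get(option)
        if actual is None or actual.lower() != expected.lower():
            findings.append((option, expected, actual))
    return findings


# Constructed sample: matches the baseline.
GOOD_CONFIG = """\
# hardened sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxStartups 10:30:60
"""

# Constructed sample: someone appended 'PasswordAuthentication no' at the bottom
# without removing the earlier 'yes'. sshd keeps the first value, so passwords
# are still accepted; a grep for 'PasswordAuthentication no' would pass this file.
DRIFTED_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin prohibit-password
PubkeyAuthentication yes
MaxStartups 10:30:60
# appended later, has no effect:
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("drifted", DRIFTED_CONFIG)):
        findings = audit_sshd(cfg)
        print(name, "OK" if not findings else findings)
```

In a real daily job the same shape extends to the other baselines on the list (firewall rule set, web server and database bind addresses): parse the live config the way the consuming daemon does, compare to the expected values, and alert on any finding rather than on the absence of a string.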
04 Access controls
- API keys are scoped to a single workspace and can be revoked at any time.
- Production access by AgentPrizm operators is gated by SSH keys held on a single workstation. There is no shared admin password.
- Every administrative action against your data is recorded.
SSO and SCIM are on the roadmap for teams that need them. Talk to us if it's a procurement blocker.
05 Responsible disclosure
If you find a security issue, please email [email protected] with reproduction steps and the impact you observed. We'll acknowledge within two business days.
We don't pursue legal action against good-faith researchers who report responsibly — give us a reasonable window to fix the issue before public disclosure.
06 Subprocessors
The third-party services that touch customer data:
| Processor | Purpose |
|---|---|
| Hostinger | VPS hosting (US data center) |
| Cloudflare | DNS and edge proxy |
| Stripe | Subscription billing |
| Google | OAuth sign-in, and (only if you connect it) Google Drive content sync |
| OpenAI | Embeddings and AI classification |
| Resend | Transactional email |
| Notion | Content-source connector (only if you connect it) |
| Dropbox | Content-source connector (only if you connect it) |
We'll tell customers in advance when we change this list.
07 Compliance
We don't currently hold SOC 2, HIPAA BAA, ISO 27001, or FedRAMP certifications, and we don't claim to. We don't recommend AgentPrizm for workloads that strictly require any of them. If you have a specific compliance need and want to talk about a path, reach out.
Do not submit protected health information (PHI) or other regulated health data. AgentPrizm is not HIPAA-compliant and does not offer a Business Associate Agreement. The Service must not be used to store or process PHI.
Found a security issue? Email [email protected].