Infrastructure security
AgentWorks runs on modern cloud infrastructure with network isolation, hardened images, and automated patching on a cadence appropriate to our threat model. Production environments are separated from development and staging. We apply least-privilege networking between services and monitor for anomalous access patterns.
Third-party infrastructure providers maintain their own certifications (e.g. SOC-style reports). Enterprise customers may request the latest security documentation under NDA as part of procurement.
Data encryption (at rest and in transit)
Data in transit is protected using TLS 1.2+ between clients and our APIs, and between internal components where applicable. Certificates are managed and rotated according to industry practice.
Data at rest is encrypted using provider-managed keys by default; customer-managed keys or additional controls may be available on enterprise agreements. Backups and snapshots inherit the same encryption posture as primary storage tiers.
Access controls
Access to production systems and customer data is restricted through:
- Role-based access with periodic review and automatic deprovisioning when employment ends.
- Multi-factor authentication for administrative and engineering access to critical consoles.
- Logging of privileged actions and separation of duties for changes that affect customer tenants.
- Customer-side controls: workspace roles, SSO where configured, and API keys scoped to least privilege.
Employees access customer data only when needed for support, and only with tooling that records purpose and scope, consistent with our policies and your agreements.
Compliance certifications and frameworks
We align our security and privacy program with widely recognized frameworks, including GDPR for personal data processing in the EU/EEA and the EU AI Act for transparency, logging, and human oversight capabilities offered by the product. References to ISO or SOC reports describe typical industry attestations our vendors or our own program may hold. Ask sales for the current attestation package; this page is a summary, not a certificate.
Compliance is a shared responsibility: you configure agents, data sources, approvals, and disclosures to match your regulatory context. Our features are designed to support - not replace - your legal, security, and risk assessments.
Incident response
We maintain an incident response plan covering detection, containment, eradication, recovery, and post-incident review. Security events are triaged by severity; confirmed breaches affecting personal data are handled in line with GDPR notification timelines where we act as processor or controller, as applicable.
Customers with active agreements may receive summaries of material incidents affecting the Services when contractually required. We test backups and recovery procedures on a recurring basis.
Security contact
To report a vulnerability or suspected security issue, email [email protected]. Please include reproduction steps, impact assessment if known, and your preferred disclosure timeline. We appreciate coordinated disclosure and will work with you to validate and remediate valid findings.
For non-security inquiries, use our general contact page.