Built for security-first organizations
Encryption, identity, residency, and tenancy were not bolted on. They were the first commits. Every customer environment is logically isolated, cryptographically segmented, and continuously instrumented.
- SAML 2.0 SSO with IdP-initiated and SP-initiated flows
- OIDC Authorization Code + PKCE
- SCIM 2.0 user + group provisioning
- 12-role RBAC with delegated administration
- API keys with scoped permissions + rotation
- AES-256 at rest, TLS 1.3 in transit
- CMEK / BYOK on AWS KMS, Azure Key Vault, GCP KMS
- Per-tenant data residency: US, EU, APAC, US-Gov
- PII + secrets redaction across 11 patterns at ingest
- Field-level encryption for prompts and outputs
- Tamper-evident audit log (Merkle-anchored)
- Forward to Splunk HEC, Sentinel, Datadog, generic webhook
- OpenTelemetry GenAI semantic conventions
- Real-time scope-violation + secrets-leak detection
- Drift and bias monitoring per agent version
Every customer is a tenant. Tenants are isolated at every layer: row-level security in Postgres, per-tenant feature flags, per-tenant retention, per-tenant encryption keys (with BYOK when required), and per-tenant audit streams. There is no shared "production" you can be promoted into by mistake.
Dependencies are continuously scanned. Critical CVEs trigger automatic deployment blocks. We run quarterly third-party penetration tests, red-team our own infrastructure, and operate a public coordinated disclosure program at /security/disclosure.
An up-to-date list of subprocessors is published at /security/subprocessors. Subscribe to get an email when this list changes.
For regulated buyers, Agentics offers private-region deployments with BYOK keys, BYO log destination, BYO IdP, BYO redaction policies, and dedicated data planes. Contact security@agentics.you.