Security
Security and auditability by design.
Everything runs in your cloud with least-privilege IAM, segregated environments, and structured logging. Agents stay inside approved datasets and actions.
Deployment model
- Customer cloud only (AWS/GCP/Azure).
- Serverless or small containers; no external control plane.
- Secrets in your KMS/SM; no shared vaults.
- Outbound access locked to required endpoints.
Controls
- Least-privilege IAM roles per workflow.
- Environment segregation (dev/test/prod) with isolated storage.
- Encryption in transit and at rest using cloud-native defaults.
- Structured logging with correlation IDs and retention policy.
- Optional VPC isolation, private subnets, and egress controls.
Data handling
- Data stays in your tenancy; no shared processing.
- Evidence outputs stored in controlled buckets with access logs.
- PII minimisation: only required fields processed.
- Redaction patterns available for agent observations.
Guardrails for agents
- Approved tool/action list checked into the repo.
- Dataset scopes and access policies enforced by IAM.
- Step-by-step logging with transcripts stored in your cloud.
- Rate limits and budget controls.
- Optional human-in-the-loop for sensitive steps.
Audit & evidence
- Runbooks with control descriptions and owners.
- Evidence bundles for key workflows (inputs, outputs, checks).
- Change log and deployment records.
- Incident playbooks and contact paths.
Reliability
- Health checks, retries with backoff, and dead-letter queues.
- Idempotent job design to avoid duplicates.
- Monitoring hooks for Slack/Teams/email.
- Versioned templates and rollback procedures.
Review support
- Security review pack covering data flows and IAM.
- Dependency list and CVE posture per deployment.
- Pen-test friendly architecture (minimal surface).
- Joint walkthrough with your security/IT owners.
Need a security-ready automation?
We’ll scope controls, data flows, and evidence handling up front so approvals move faster.