Security & Trust
Last updated March 1, 2026
Agentuity is built for production AI agents handling real-world data. This page explains exactly how we protect yours — no vague promises, no marketing language.
We recognize that data control, ownership, locality and sovereignty are becoming even more vital in today's AI world. Our goal is to provide the tools and infrastructure that make it easy, safe and secure to control how your Agents and employees use your data with Agentuity, so that you can ensure strong data guarantees.
Questions or concerns? Contact us at security@agentuity.com.
Data Privacy
We never train on your data. Customer data that flows through your agents and applications is never used to train Agentuity's models, improve our systems, or benefit any other customer. Your data is yours, period.
Ephemeral by default. When your agent processes a document — including PDFs, financial files, or any other payload — that data is handled in memory during execution and not persisted by Agentuity. Persistence is opt-in and always under your control via your agent code and your storage configuration.
AI Gateway. Our gateway acts as a smart proxy between your agents and upstream LLM or local model providers and provides high availability, routing, billing, security controls, compliance, and monitoring. The gateway doesn't retain, record, or modify your data that passes from your agent to the LLM.
Data Protection
Agentuity's software operates in FIPS 140-3 compliant mode.
| Layer | Standard |
|---|---|
| Data in transit | TLS 1.2 / TLS 1.3 |
| Data at rest | AES-256 |
| Agent communication payloads | End-to-end encrypted |
| Customer secrets & environment variables | Encrypted in a dedicated vault, separate from all other data |
| API request integrity | ECDSA-SHA256 HTTP signatures |
Secrets are encrypted at every layer. Each customer secret is encrypted at rest and in transit with AES-256-GCM under customer- and project-specific keys that can be rotated. Secrets are only decrypted within the agent execution context. Secret values are hidden by default in the console but can be revealed by the customer when needed. Agentuity staff never have access to customer secrets.
All requests are signed for message integrity. Every API request is signed with an ECDSA HTTP signature (ECDSA-SHA256). The signature covers the request method, URI, timestamp, a unique nonce, and a SHA-256 digest of the request body — ensuring tamper-proof message integrity on every call.
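The signing scheme described above, as an added illustration (this is example code written for this page, not Agentuity's SDK or its wire format): the client signs a canonical string built from the method, URI, timestamp, nonce and the SHA-256 digest of the body with ECDSA P-256/SHA-256, and the verifier rejects stale timestamps, forged or tampered requests and replayed nonces. The struct layout, the newline-joined canonical string and the 300-second skew window are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
)

// SignedRequest holds the fields the signature covers plus the signature.
// The layout is this example's assumption, not Agentuity's actual format.
type SignedRequest struct {
	Method    string
	URI       string
	Timestamp int64  // Unix seconds, set by the client
	Nonce     string // unique per request; lets the verifier reject replays
	Body      []byte
	Signature []byte // ASN.1 DER ECDSA-SHA256 signature
}

// canonical builds the bytes the signature is computed over: method, URI,
// timestamp, nonce and the hex SHA-256 digest of the body, one per line.
// Signing the body digest rather than the body keeps the signed string
// small while still binding the full payload.
func canonical(r *SignedRequest) []byte {
	digest := sha256.Sum256(r.Body)
	return []byte(strings.Join([]string{
		r.Method, r.URI, strconv.FormatInt(r.Timestamp, 10), r.Nonce,
		hex.EncodeToString(digest[:]),
	}, "\n"))
}

// NewKeyPair generates a P-256 key; only the public half goes to the verifier.
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewNonce returns 16 random bytes, hex-encoded.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Sign fills r.Signature with an ECDSA-SHA256 signature over canonical(r).
func Sign(priv *ecdsa.PrivateKey, r *SignedRequest) error {
	h := sha256.Sum256(canonical(r))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return err
	}
	r.Signature = sig
	return nil
}

var (
	ErrStale  = errors.New("timestamp outside allowed window")
	ErrBadSig = errors.New("signature does not verify")
	ErrReplay = errors.New("nonce already used")
)

// Verifier checks signatures and remembers nonces within the skew window so a
// captured request cannot simply be sent again.
type Verifier struct {
	pub     *ecdsa.PublicKey
	maxSkew int64 // seconds of clock drift tolerated in either direction
	mu      sync.Mutex
	seen    map[string]int64 // nonce -> timestamp it arrived with
}

func NewVerifier(pub *ecdsa.PublicKey, maxSkewSeconds int64) *Verifier {
	return &Verifier{pub: pub, maxSkew: maxSkewSeconds, seen: make(map[string]int64)}
}

// Verify checks freshness, then the signature, then the nonce. The signature
// is checked before the nonce is recorded so unsigned junk cannot fill the table.
func (v *Verifier) Verify(r *SignedRequest, nowUnix int64) error {
	if d := nowUnix - r.Timestamp; d > v.maxSkew || d < -v.maxSkew {
		return ErrStale
	}
	h := sha256.Sum256(canonical(r))
	if !ecdsa.VerifyASN1(v.pub, h[:], r.Signature) {
		return ErrBadSig
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if _, dup := v.seen[r.Nonce]; dup {
		return ErrReplay
	}
	v.seen[r.Nonce] = r.Timestamp
	for n, ts := range v.seen { // forget nonces too old to be accepted anyway
		if nowUnix-ts > v.maxSkew {
			delete(v.seen, n)
		}
	}
	return nil
}

func main() {
	priv, _ := NewKeyPair()
	nonce, _ := NewNonce()
	req := &SignedRequest{Method: "POST", URI: "/agents/run", Timestamp: 1700000000,
		Nonce: nonce, Body: []byte(`{"input":"hello"}`)} // constructed request
	_ = Sign(priv, req)
	v := NewVerifier(&priv.PublicKey, 300)
	fmt.Println("first:", v.Verify(req, 1700000010))  // <nil>
	fmt.Println("replay:", v.Verify(req, 1700000011)) // nonce already used
}
```

Because the nonce is inside the signed string, an attacker cannot swap in a fresh nonce without invalidating the signature, and because the timestamp is also signed, the verifier can bound how long it must remember nonces.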
Observability & Logging
Agentuity provides OpenTelemetry-based tracing and logging so you can debug and monitor your agents in production. This includes LLM span data: prompts, responses, token counts, latency, and cost.
What's captured by default: Full LLM prompt and response content, alongside metadata like token usage, latency, and model details. This is enabled by default because most developers need it to debug effectively.
For sensitive workloads, you have options:
- Disable prompt logging — capture only metadata (token count, cost, latency, model); no prompt or response content is stored.
- Redact sensitive fields — configure redaction rules to strip specific fields or patterns from traces before storage.
- Enterprise log controls — enforce org-wide logging policies and restrict trace visibility within your team.
If your agents process confidential documents, financial data, or regulated content, we recommend disabling full prompt logging or using redaction rules. See our observability docs for setup instructions.
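To make the three options concrete, here is an added example (written for this page; it is not Agentuity's span schema or its redaction configuration syntax) that applies a storage policy to a constructed LLM span before it is written: metadata-only mode drops prompt and response content entirely, while redaction mode keeps the content but replaces matches of constructed e-mail and card-number patterns. Token counts, latency, cost and model name are preserved in both modes.

```go
package main

import (
	"fmt"
	"regexp"
)

// Span is a constructed stand-in for an LLM trace span: the content captured
// by default plus the metadata that is always kept. Not Agentuity's schema.
type Span struct {
	Model     string
	TokensIn  int
	TokensOut int
	LatencyMs int
	CostUSD   float64
	Prompt    string
	Response  string
}

// Policy mirrors the options above: keep full content (zero value), keep
// metadata only, or keep content with matching patterns redacted.
type Policy struct {
	MetadataOnly bool
	Patterns     []*regexp.Regexp
}

// DefaultPatterns are constructed examples: an e-mail address and a 13- to
// 16-digit card-like number with optional space or dash separators.
var DefaultPatterns = []*regexp.Regexp{
	regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
	regexp.MustCompile(`\b\d(?:[ -]?\d){12,15}\b`),
}

const placeholder = "[REDACTED]"

// Apply returns the span as it should be written to storage.
func (p Policy) Apply(s Span) Span {
	if p.MetadataOnly {
		s.Prompt, s.Response = "", ""
		return s
	}
	for _, re := range p.Patterns {
		s.Prompt = re.ReplaceAllString(s.Prompt, placeholder)
		s.Response = re.ReplaceAllString(s.Response, placeholder)
	}
	return s
}

// sampleSpan is a constructed span containing data a redaction rule should catch.
func sampleSpan() Span {
	return Span{
		Model: "example-model", TokensIn: 42, TokensOut: 17, LatencyMs: 830, CostUSD: 0.0012,
		Prompt:   "Refund card 4111 1111 1111 1111 for alice@example.com please",
		Response: "Refund issued to alice@example.com",
	}
}

func main() {
	redacted := Policy{Patterns: DefaultPatterns}.Apply(sampleSpan())
	fmt.Println(redacted.Prompt) // Refund card [REDACTED] for [REDACTED] please
	meta := Policy{MetadataOnly: true}.Apply(sampleSpan())
	fmt.Printf("%q tokens=%d\n", meta.Prompt, meta.TokensIn) // "" tokens=42
}
```

Redaction happens before storage, so the original content never reaches the trace backend; the same policy object can also be used to decide what the console is allowed to display.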
Platform telemetry (server health, API call rates, error rates, performance) is collected separately and does not include agent payload content.
Access Controls
Employee access is limited and audited. Only authorized Agentuity employees have limited, restricted access to customer logs and session tracing, solely for troubleshooting. All access is audited and recorded in a full audit log.
Your team's access is managed via role-based controls. You decide who can view traces, configure agents, manage secrets, and administer deployments. Secret values are hidden by default in the console and can only be revealed by authorized team members.
Deployment Models
Agentuity supports three deployment models with multi-cloud and multi-architecture flexibility. Your compliance and data sovereignty requirements determine which is right for you — and you can mix and match across models. For example, some Agents can run in the public cloud while others operate in a VPC or on-premises environment, providing maximum flexibility and control.
Public Cloud
Hosted on Google Cloud Platform (GCP). Shared-tenant architecture with logical isolation between customers. All encryption standards apply. Resources can be deployed into specific geographic regions for data compliance, and this is controlled by the customer on a per-project and per-resource level. Best for most production workloads.
Private Cloud (VPC)
Deployed into your own Virtual Private Cloud. The data plane is network-isolated; no cross-tenant data exposure. The control plane is managed by Agentuity. Deployment assets are encrypted using a FIPS 140-3 compliant KEM-DEM envelope encryption scheme with ECDH P-256 and AES-256-GCM — your assets are encrypted with your public key so they can only be decrypted with your private key inside your controlled environment. Agentuity also supports Trusted Platform Module (TPM) integration for hardware-backed key protection. Certain platform features like Databases, Storage, Caching, and more can be configured to use your managed private resources instead of Agentuity managed resources. Best for regulated industries and sensitive data workloads.
On-Premises
Runs entirely within your own infrastructure. Your data never leaves your environment and has no contact with Agentuity's shared infrastructure. As with VPC deployments, your deployment assets are encrypted using FIPS 140-3 compliant envelope encryption (ECDH P-256 + AES-256-GCM) so they can only be decrypted with your private key on your own machines. Trusted Platform Module (TPM) support is also available for hardware-backed key protection. As with VPC, certain platform features like Databases, Storage, Caching, and more can be configured to use your managed private resources instead of Agentuity managed resources. Best for maximum data sovereignty, air-gapped requirements, and strict compliance regimes.
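The envelope scheme named in both the VPC and On-Premises sections, shown as an added example (example code written for this page, not Agentuity's implementation or asset format): the KEM step performs ECDH on P-256 between a fresh ephemeral key and the customer's long-term public key, a key is derived from the shared secret with HKDF-SHA256 bound to both public keys, and the DEM step encrypts the asset with AES-256-GCM. The envelope layout, the KDF label and the use of HKDF as the bridge between ECDH and AES are assumptions made for the example. Only the holder of the private key can open the envelope, and any change to the ciphertext, nonce, ephemeral key or associated data fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the sealed asset: the KEM output (ephemeral public key) and the
// DEM output (GCM nonce plus ciphertext with tag). Layout is an assumption.
type Envelope struct {
	EphemeralPub []byte // 65-byte uncompressed P-256 point
	Nonce        []byte // 12-byte GCM nonce, fresh per Seal
	Ciphertext   []byte // AES-256-GCM output with 16-byte tag appended
}

const kdfLabel = "example-envelope-v1" // constructed domain-separation label

// NewRecipientKey creates the long-term P-256 key pair. The private half
// stays in the customer environment (or a TPM); only the public half is shared.
func NewRecipientKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// hkdfSHA256 is HKDF-Extract followed by a single HKDF-Expand block, which
// yields exactly the 32 bytes AES-256 needs (valid for outputs <= 32 bytes).
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// kdfInfo binds the derived key to both public keys involved in the exchange.
func kdfInfo(ephPub, recipientPub []byte) []byte {
	info := append([]byte(kdfLabel), ephPub...)
	return append(info, recipientPub...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext to the recipient's public key; aad (for example an
// asset name or version) is authenticated but not encrypted.
func Seal(recipient *ecdh.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	ephBytes := eph.PublicKey().Bytes()
	gcm, err := newGCM(hkdfSHA256(shared, nil, kdfInfo(ephBytes, recipient.Bytes())))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{EphemeralPub: ephBytes, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open recovers the plaintext with the recipient's private key.
func Open(priv *ecdh.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(hkdfSHA256(shared, nil, kdfInfo(env.EphemeralPub, priv.PublicKey().Bytes())))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("envelope failed authentication")
	}
	return pt, nil
}

func main() {
	priv, _ := NewRecipientKey()
	env, _ := Seal(priv.PublicKey(), []byte("constructed deployment bundle"), []byte("asset:v1"))
	pt, err := Open(priv, env, []byte("asset:v1"))
	fmt.Printf("%s %v\n", pt, err) // constructed deployment bundle <nil>
}
```

Because the ephemeral private key is discarded after Seal, nothing on the sending side can later decrypt the envelope; the only path to the plaintext runs through the recipient's private key, which is what lets it live inside a customer-controlled environment or a TPM.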
Data Retention
Customers control the TTL (time-to-live) on certain stored data, including KV storage and object storage managed through your agents. Platform-level log and trace retention policies are being formalized — we will update this page when specific retention windows are published.
Compliance Roadmap
We are an early-stage company and do not yet hold formal certifications. We're committed to transparency about where we are and where we're going.
| Standard | Status |
|---|---|
| SOC 2 Type I | In progress |
| GDPR | Aware and designing for compliance; formal certification not yet complete |
| HIPAA | Requires a VPC or on-premises environment in cooperation with your IT team |
| PCI | Requires a VPC or on-premises environment in cooperation with your IT team |
We will update this page as certifications are completed. Enterprise customers with specific compliance requirements are encouraged to contact us to discuss their needs directly.
Responsible Disclosure
If you discover a security vulnerability in Agentuity's platform, SDK, or infrastructure, please report it to us at security@agentuity.com. We take all reports seriously and will respond promptly.
Please do not publicly disclose vulnerabilities before we've had a reasonable opportunity to investigate and address them. We appreciate the security community's help in keeping Agentuity safe for everyone.