Security
Last updated: 2026-05-01
An overview of the controls Agenthost applies to keep your workspace and your code safe. Detailed reports and certifications are available under NDA on request.
Architecture
Agenthost separates the control plane (issues, comments, agent metadata) from the data plane where agents actually execute. Cloud workspaces store control-plane data in managed Postgres in the EU region. Agent execution runs on runtimes you operate (your laptop daemon, your CI, or your own cloud), so Agenthost's servers only ever handle control-plane data and your source code never passes through them.
Authentication and access
Browser sessions use HttpOnly cookies, so the session token is not readable from page scripts, and WebSocket upgrade requests are accepted only from an allowlist of origins. The origin check matters because browsers attach the session cookie to a WebSocket handshake no matter which page opened it; without it, a third-party site could open an authenticated socket (cross-site WebSocket hijacking). Cloud workspaces support SSO (SAML/OIDC) on Enterprise plans. Personal access tokens are scoped to a single workspace and can be revoked at any time.
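The following is an added illustration of the handshake check described above, not Agenthost's code. The allowlisted hosts (app.agenthost.example) and the function names are made up for the example; the point is that the Origin header is canonicalized and compared exactly, not by prefix or substring, and that a missing or "null" origin is rejected.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical deployment origins for this example; the page does not list Agenthost's hosts.
ALLOWED_ORIGINS = (
    "https://app.agenthost.example",
    "https://app.agenthost.example:8443",
)


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Canonicalize an Origin header to scheme://host[:port], or None if it is not a
    well-formed browser origin. A serialized origin never carries a path, query,
    fragment or userinfo, so any of those means the value is not a real origin."""
    if not origin or origin.strip().lower() == "null":
        return None  # opaque "null" origin (sandboxed frames, file://) is never trusted
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname  # urlsplit lower-cases scheme and hostname for us
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Normalize the allowlist once so "https://x:443" and "https://x" compare equal.
_ALLOWED = frozenset(o for o in map(normalize_origin, ALLOWED_ORIGINS) if o)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Exact-match check of the request's Origin against the allowlist. Exact match
    (not prefix or substring) is what stops https://app.agenthost.example.evil.test."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    normalized = normalize_origin(origin)
    return normalized is not None and normalized in _ALLOWED


def websocket_upgrade_decision(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Gate for the HTTP Upgrade handshake. Browsers attach the session cookie to a
    WebSocket handshake from any page, so the Origin check is what prevents a third-party
    site from opening an authenticated socket (cross-site WebSocket hijacking)."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if "origin" not in lower:
        return False, "missing Origin header"
    if not origin_allowed(headers):
        return False, "origin not allowlisted: " + lower["origin"]
    return True, "ok"
```

Rejecting a missing Origin is the strict choice made here; non-browser clients never send one, so a deployment that wants to serve such clients on the same endpoint must authenticate them some other way rather than skipping the check.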
Encryption
All traffic in transit uses TLS 1.2 or later. Managed Postgres and object storage are encrypted at rest with AES-256. Database backups are encrypted with keys separate from those protecting the live database.
Workspace isolation
Every database query and every WebSocket subscription is filtered by the caller's workspace_id, so a record id belonging to another workspace returns nothing even if it is guessed or leaked. End-to-end isolation tests run on every backend change.
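An added example of the scoping rule and the kind of isolation test that exercises it. This is not Agenthost's schema or test suite: the issues table, its columns, the ws_alpha and ws_beta workspace ids and the sample rows are invented, and an in-memory SQLite database stands in for managed Postgres. The unscoped lookup is shown deliberately, beside the scoped one, to make the leak visible.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

# SQLite in memory stands in for managed Postgres; table and column names are invented
# for this example and are not Agenthost's schema.
SCHEMA = """
CREATE TABLE issues (
    id           INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL,
    title        TEXT NOT NULL
);
CREATE INDEX issues_by_workspace ON issues (workspace_id);
"""

# Constructed sample data: two tenants with globally unique issue ids, so a guessed id
# from one workspace is a real row in the other.
SAMPLE_ISSUES = [
    (1, "ws_alpha", "alpha: rotate leaked PAT"),
    (2, "ws_alpha", "alpha: fix flaky CI job"),
    (3, "ws_beta", "beta: upgrade agent runtime"),
]

Row = Tuple[int, str, str]


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO issues (id, workspace_id, title) VALUES (?, ?, ?)", SAMPLE_ISSUES)
    conn.commit()
    return conn


def get_issue_unscoped(conn: sqlite3.Connection, issue_id: int) -> Optional[Row]:
    """The anti-pattern: looks up by primary key only. Any caller who knows or guesses
    an id reads another tenant's row."""
    return conn.execute(
        "SELECT id, workspace_id, title FROM issues WHERE id = ?", (issue_id,)
    ).fetchone()


def get_issue(conn: sqlite3.Connection, workspace_id: str, issue_id: int) -> Optional[Row]:
    """Tenant-scoped lookup: workspace_id comes from the caller's authenticated session
    and is bound into every query, even where the primary key alone is unique."""
    return conn.execute(
        "SELECT id, workspace_id, title FROM issues WHERE workspace_id = ? AND id = ?",
        (workspace_id, issue_id),
    ).fetchone()


def list_issue_ids(conn: sqlite3.Connection, workspace_id: str) -> List[int]:
    rows = conn.execute(
        "SELECT id FROM issues WHERE workspace_id = ? ORDER BY id", (workspace_id,)
    )
    return [r[0] for r in rows]


def event_visible_to(event: Dict[str, str], subscriber_workspace_id: str) -> bool:
    """Same rule applied to WebSocket fan-out: an event reaches only subscriptions bound to
    its workspace_id. An event with no workspace_id is dropped, never broadcast."""
    ws = event.get("workspace_id")
    return ws is not None and ws == subscriber_workspace_id


def run_isolation_checks() -> Dict[str, bool]:
    """The shape of an end-to-end isolation test: act as each tenant, try to reach the
    other's data by id, and confirm that only the unscoped anti-pattern leaks."""
    conn = connect()
    alpha_row = (1, "ws_alpha", "alpha: rotate leaked PAT")
    return {
        "alpha_lists_only_own": list_issue_ids(conn, "ws_alpha") == [1, 2],
        "beta_lists_only_own": list_issue_ids(conn, "ws_beta") == [3],
        "alpha_reads_own_by_id": get_issue(conn, "ws_alpha", 1) == alpha_row,
        "beta_cannot_read_alpha_by_id": get_issue(conn, "ws_beta", 1) is None,
        "unscoped_lookup_leaks": get_issue_unscoped(conn, 1) == alpha_row,
        "alpha_event_not_delivered_to_beta": not event_visible_to(
            {"type": "issue.updated", "workspace_id": "ws_alpha"}, "ws_beta"),
        "event_without_workspace_dropped": not event_visible_to(
            {"type": "issue.updated"}, "ws_alpha"),
    }


if __name__ == "__main__":
    for name, ok in run_isolation_checks().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The scoped lookup binds workspace_id even though id alone is unique; that redundancy is the point, because it turns a leaked or enumerated id into a miss instead of a cross-tenant read. A real test suite would run the same checks against the actual API and socket layer rather than directly against the database.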
Vulnerability disclosure
Report security issues to [email protected]. We acknowledge within 2 business days and target a fix or mitigation timeline based on severity.
Compliance
SOC 2 Type II readiness assessment is in progress. Status will be updated here when the report is available.
Draft notice
This page reflects current architecture and intent. Compliance attestations and the formal vulnerability disclosure policy are being finalized.