FAQ

Where is my data hosted?

Two cloud services, both managed:

PostgreSQL + edge functions: Supabase
Proxy service: Azure Container Apps

Credentials are encrypted at rest using envelope encryption — a data-encryption key per credential, with the master key held in Azure Key Vault. Region pinning is on the roadmap for Enterprise customers; today, hosting region is set by AgentValet rather than per-customer.

Who can see my platform credentials?

Nobody. Credentials are decrypted in-memory inside the proxy only at the moment a call is being made, then thrown away. They are never written to logs, included in API responses, or returned to your agents.

The agent gets the result of the platform call — not the key that authorised it. If the agent’s private key leaks, the leaker gets to send requests as that agent. They don’t get your Stripe key, your Gmail OAuth token, or your Slack secret.

Can I self-host AgentValet?

Self-hosting the full AgentValet stack is on the roadmap, not shipped yet. The components are built on portable primitives (Supabase, container-friendly proxy services, a React dashboard) and the deployment templates exist internally, but a polished self-host distribution isn’t published.

If you have a regulatory or contractual need to self-host, get in touch — we’re prioritising self-host based on which customers actually need it.

What happens to my agents if I cancel?

Your data is preserved. Cancelling drops you to the Free plan at the end of the billing cycle. Agents and platforms over the Free-plan limits get suspended (not deleted) and come back online if you re-subscribe.

The 30-day money-back guarantee is different: it issues a full refund and closes your account, with no path back into the same account.

Can I export my audit log?

Audit export is a Team plan and above feature. Below that, you can read and filter your audit log in the dashboard but not download it.

The export endpoint itself is currently being built — the plan flag is in place, the download UI lands shortly.

Honest answer:

GDPR: The architecture is privacy-by-default — forensics fields are off unless an Enterprise customer explicitly opts in, consent decisions are themselves audited, data is encrypted at rest. We don’t currently hold a third-party GDPR attestation.
SOC 2: The audit log is append-only, immutable, with optional forensics fields. The scheme is designed for SOC 2 evidence. We are not yet SOC 2 certified.
ISO 27001, HIPAA, PCI-DSS: Not certified. The system is built with compatible primitives but we don’t represent ourselves as certified for any of these.

If certification status is a blocker for you, talk to us — it’s on the path, and customer demand shapes priority.

What happens if AgentValet itself is down?

Your agents fail closed. They cannot reach the platforms they normally call through AgentValet, because that’s the whole point of the architecture — there is no backdoor, no cached credential they hold themselves, no fallback path.

This is the cost of governed access. The benefit is that there’s also no leaked-key path; the failure mode is “agent can’t do anything” rather than “agent does something we can’t see.”

Our status page is at status.agentvalet.ai once you need it.

How long do agent JWTs last?

Fifteen minutes per call. Each request is its own freshly-signed JWT, so a leaked token has a short life.

It can, technically — you can copy the private key file. But every call signed with that key produces audit rows attributed to the original agent ID. The clone shows up in your audit log as the original agent, doing things the original didn’t. Anomaly detection (Team plan and above) flags this kind of behaviour.

How do I report a security issue?

security@agentvalet.ai. If you’ve found a vulnerability, please give us a chance to fix it before disclosing.

How do I report a bug or request a feature?

Either through the in-app feedback form, or hello@agentvalet.ai. Feature requests that show up multiple times move up the queue.

FAQ